Unable to get Firewall data

Hi team,

As per this article (FortiGate - Fortinet) I have tried to forward the Fortinet firewall logs and Meraki logs, but I am unable to see the logs on the SIEM console. In the firewall logs it shows SourceName only as CISCO-ASA, neither Meraki nor FortiGate.

Need your assistance in doing the PoC.

Hi,

Could you please check whether the FortiGate and Meraki logs are being received on the Adapter host machine?
Please use tcpdump to check the same.

Command : tcpdump -nnnAvi <interface> host <source-IP> and port 514

Regards,
Ben

Hi
I have already followed the syslog troubleshooting guidelines. It's not working.

Hello,

Could you please share with us the above command output?

Hi

We NATed the IP 182.156.210.18 to our private AD adapter 172.19.2.63.

Hey - if the IP and the interface you are using are correct, then the outcome here suggests you aren't receiving events on the adapter.

A few possibilities:
1 - The configuration at the firewall end might be the problem; verifying the details there might help.

2 - It's common to see a firewall / packet filter between the log source and the adapter.

You might have to investigate the above scenarios.

Shomiron

Hey buddy,

As per the snapshot, you have added the AD NATed IP in the tcpdump command; you have to mention the FortiGate source IP in the command.

Command : tcpdump -nnnAvi [AD-Private-IP-interface] host [Fortigate-source-IP] and port 514

Regards,
Flash

Hey Flash

The cmd provided in the current screenshot is correct, right?

Hi Buddy,

Use the command provided in this response.

Regards,
Flash

Can we have a remote session tomorrow to fix this issue? Logs are not coming.

Hello it.security_ae,

Kindly get in touch with the business team for enterprise support.

Regards,
Flash

Hi Viral/Mukesh

Can you please look into this issue and get it resolved? I am unable to get the firewall logs on the Adapter. Please schedule the remote session to fix it. Need your urgent help in closing the PoC.

Hi it.security_ae,
To get the firewall logs on the Adapter, you need to check whether logs are reaching the Adapter, and you need to check the configuration on the firewalls.

You may follow the steps given below and check their outputs:

Step 1: Check configuration at the FortiGate-Fortinet firewall

Check the syslogd settings (the block below was missing its opening line; the FortiGate CLI syntax is config ... set ... end):

config log syslogd setting
    set status enable          ## enable logging to a remote syslog server
    set server <IP Address>    ## the IP address of the DNIF Adapter
    set port 514               ## server listen port
    set facility local0        ## identifies the source of the log message to syslog
    set source-ip <src_ip>     ## source IP address the FortiGate sends syslog from
end
config log syslogd filter
    set traffic enable         ## forward traffic logs
    set web enable             ## forward web filter logs
    set url-filter enable      ## forward URL filter logs
end

Here, you can check the IP address and port number, the enabled traffic, and any other rules set.

Step 2: Check the configuration at the Meraki Firewall

To configure Cisco Meraki to send log data to DNIF follow the below steps:

  1. Go to Meraki dashboard
  2. Select a device
  3. Select Alerts & Administration
  4. Scroll down to the Logging section
  5. Click Add a syslog server
  6. Type the IP address #IP Address of the DNIF Adapter
  7. Type port number #Server listen port
  8. Choose which types of events to export:
    a. Event Log: The messages from the dashboard under Monitor > Event Log.
    b. Flows: Inbound and outbound traffic flow-generated syslog messages that
    include the source, destination, and port numbers.
    c. URLs: HTTP GET requests generating syslog entries.

Here, you can check the IP address and port number, the enabled traffic, and any other rules set. You can go through the documentation link below.

Reference Link: Syslog Server Overview and Configuration - Cisco Meraki

Step 3: Check incoming logs on Adapter

tcpdump -nnnAvi [AD-Private-IP-interface] host [Fortigate-source-IP] and port 514
tcpdump -nnnAvi [AD-Private-IP-interface] host [Meraki-source-IP] and port 514

Also, please provide screenshots of step 3, so that we can help you out more.

Step 4: On the Adapter
Check whether the port is open and reachable (check the network settings).

The above steps should help you solve the issue. If not, allow us to help you out by providing the relevant screenshots, as these are the basic checks required before going to the next troubleshooting steps.

If the provided information was helpful and you got success in any of the steps above, do let us know.

Thanks & Regards
Oceana
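An added example for Steps 3 and 4 above; it is not DNIF code and not from any poster in this thread. It answers the two questions the thread keeps circling: do any packets from the FortiGate's and the Meraki's own source IPs reach UDP/514 on the adapter at all, and does what arrives look like FortiGate or Meraki syslog rather than something else (the "SourceName only CISCO-ASA" symptom). The vendor signatures, the RFC 5737 test addresses and the sample syslog lines are assumptions constructed for the example. The expected addresses are the ones the firewalls send FROM (the FortiGate `source-ip`, the Meraki's WAN address), not the adapter's own NATed address that was filtered on earlier in the thread.

```python
"""Adapter-side check: which source IPs deliver syslog on UDP/514, and what
do they look like? Constructed example, not DNIF code."""
import re
import socket
from collections import Counter

PRI_RE = re.compile(r"^<\d{1,3}>")  # optional syslog <PRI> prefix

# Vendor signatures (assumed from each vendor's documented syslog shape):
#  FortiGate: key=value body containing devid= and logid=
#  Meraki:    "<PRI>1 <epoch.frac> <devname> events|flows|urls ..."
#  Cisco ASA: "%ASA-<sev>-<6-digit id>:"
FORTIGATE_RE = re.compile(r"\bdevid=\S+.*\blogid=\S+")
MERAKI_RE = re.compile(r"^(?:1 )?\d{10}\.\d+ \S+ (events|flows|urls|ids-alerts|security_event)\b")
ASA_RE = re.compile(r"%ASA-\d-\d{6}:")


def classify(payload: str) -> str:
    """Best-effort vendor tag for one syslog message."""
    body = PRI_RE.sub("", payload, count=1)
    if FORTIGATE_RE.search(body):
        return "fortigate"
    if MERAKI_RE.match(body):
        return "meraki"
    if ASA_RE.search(body):
        return "cisco-asa"
    return "unknown"


def tally_sources(records):
    """records: iterable of (src_ip, payload) -> {src_ip: Counter(vendor -> count)}"""
    seen = {}
    for src_ip, payload in records:
        seen.setdefault(src_ip, Counter())[classify(payload)] += 1
    return seen


def report(records, expected):
    """expected: {vendor: ip the device sends FROM}. Returns a status per expected
    vendor plus one entry per sender that was not expected at all."""
    seen = tally_sources(records)
    findings = {}
    for vendor, ip in expected.items():
        if ip not in seen:
            findings[vendor] = "missing: no packets from %s on the adapter" % ip
        else:
            top = seen[ip].most_common(1)[0][0]
            findings[vendor] = "ok" if top == vendor else "arrives but parsed as " + top
    for ip, counts in seen.items():
        if ip not in expected.values():
            findings[ip] = "unexpected sender: " + ", ".join(
                "%s=%d" % kv for kv in sorted(counts.items()))
    return findings


def listen(bind_ip="0.0.0.0", port=514, max_packets=50, timeout=30.0):
    """Live UDP capture for a lab host. On the adapter itself port 514 is already
    held by the DNIF listener (bind fails with EADDRINUSE), so use tcpdump there,
    or point a test device at a spare port such as 5514 and listen on that."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    sock.settimeout(timeout)
    records = []
    try:
        while len(records) < max_packets:
            data, (ip, _) = sock.recvfrom(65535)
            records.append((ip, data.decode("utf-8", "replace")))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return records


# Constructed sample capture (RFC 5737 test addresses, made-up payloads):
# the FortiGate at .10 and the ASA at .30 arrive, nothing arrives from the
# Meraki at .20, and a stray host at .40 sends a plain BSD syslog line.
FGT_LINE = ('<189>date=2024-01-15 time=10:00:01 devname="FGT60E" devid="FGT60ETK00000001" '
            'logid="0000000013" type="traffic" subtype="forward" srcip=10.0.0.5 '
            'dstip=8.8.8.8 action="accept"')
MERAKI_LINE = ('<134>1 1705312801.123456789 MX68 flows src=10.20.1.50 dst=1.1.1.1 '
               'protocol=udp sport=51000 dport=53 pattern: allow all')
ASA_LINE = ('<166>%ASA-6-302013: Built outbound TCP connection 12345 for '
            'outside:1.1.1.1/443 (1.1.1.1/443) to inside:10.9.9.50/50000 (10.9.9.50/50000)')
OTHER_LINE = '<13>Jan 15 10:00:05 natbox kernel: eth0 link up'
CAPTURE = [("192.0.2.10", FGT_LINE), ("192.0.2.10", FGT_LINE),
           ("192.0.2.30", ASA_LINE), ("192.0.2.40", OTHER_LINE)]
EXPECTED = {"fortigate": "192.0.2.10", "meraki": "192.0.2.20", "cisco-asa": "192.0.2.30"}

if __name__ == "__main__":
    for name, status in report(CAPTURE, EXPECTED).items():
        print("%s: %s" % (name, status))
```

Running it on the constructed capture reports fortigate ok, cisco-asa ok, meraki missing, and 192.0.2.40 as an unexpected sender. A "missing" result for a device you configured means the packets never reach the host (Step 1, 2 or a filter in between); an "unexpected sender" at an address you did not configure is what a NAT or relay in the path looks like from the adapter, and it is the address you then have to put in the `host` filter of the tcpdump commands above. This receiver only covers UDP syslog; if the FortiGate is set to reliable (TCP) syslog the same check needs a TCP listener or tcpdump with `tcp port 514`.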