UTM Log Trigger

This feature is supported in version 7.2.0 and later.

Introduction

A FortiGate can use UTM logs as an automation trigger that fires when a specific UTM log ID is generated. Several UTM log IDs can be selected in one trigger, and custom log field filters can be added. UTM log triggers are configured on the Security Fabric → Automation → Trigger page.

Each automation stitch can use at most 16 UTM log IDs as triggers.

UTM log triggers support the following security event logs, and a trigger can be restricted to the security event logs of selected VDOMs:

  • Anomaly logs
  • Intrusion Prevention (IPS) logs
  • SSH logs
  • Antivirus (AV) logs
  • Traffic violation logs (traffic denied by a firewall policy)
  • Web Filter violation logs

CLI configuration

config system automation-trigger
    edit "Anomaly Logs"
        set trigger-type event-based
        set event-type anomaly-logs
        set vdom <name>
    next
    edit "IPS Logs"
        set trigger-type event-based
        set event-type ips-logs
        set vdom <name>
    next
    edit "SSH Logs"
        set trigger-type event-based
        set event-type ssh-logs
        set vdom <name>
    next
    edit "Traffic Violation"
        set trigger-type event-based
        set event-type traffic-violation
        set vdom <name>
    next
    edit "Virus Logs"
        set trigger-type event-based
        set event-type virus-logs
        set vdom <name>
    next
    edit "Webfilter Violation"
        set trigger-type event-based
        set event-type webfilter-violation
        set vdom <name>
    next
end
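To make the trigger conditions above concrete (log category, VDOM restriction, and optional log field filters), here is an added Python example; it is not FortiOS code and not part of this page. It parses the FortiGate key=value log format and applies the same three checks offline to constructed sample log lines (logid values are placeholders), which is handy for checking a planned filter against exported logs before building the stitch.

```python
import re
from typing import Dict, List, Mapping, Set

# FortiGate logs are space-separated key=value pairs; quoted values may
# contain spaces (e.g. msg="..."), unquoted ones never do.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split one FortiGate log line into a {field: value} dictionary."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}

def trigger_matches(log: Mapping[str, str], subtype: str,
                    vdoms: Set[str], fields: Mapping[str, str]) -> bool:
    """Emulate a UTM log trigger: the log category (FortiGate's subtype field,
    e.g. anomaly, ips, virus, webfilter) must match, the log's vd must be one
    of the selected VDOMs (empty set = any VDOM), and every configured field
    filter must equal the log field exactly."""
    if log.get("subtype") != subtype:
        return False
    if vdoms and log.get("vd") not in vdoms:
        return False
    return all(log.get(name) == value for name, value in fields.items())

def matching_logs(lines: List[str], subtype: str, vdoms: Set[str],
                  fields: Mapping[str, str]) -> List[Dict[str, str]]:
    """Return the parsed logs that would fire the trigger."""
    parsed = (parse_fortigate_log(line) for line in lines)
    return [log for log in parsed if trigger_matches(log, subtype, vdoms, fields)]

# Constructed sample lines (not captured from a real device; logid values are
# placeholders): an anomaly log from VDOM2, one from root, and an IPS log.
SAMPLE_LOGS = [
    'date=2024-03-11 time=17:46:00 logid="0720000001" type="anomaly" subtype="anomaly" '
    'level="alert" vd="VDOM2" severity="critical" srcip=10.0.0.5 dstip=10.0.2.1 '
    'srcintf="port2" proto=17 service="DNS" action="detected" attack="udp_flood" '
    'msg="anomaly: udp_flood, 10000 > threshold 2000, repeats 1 times"',
    'date=2024-03-11 time=17:46:01 logid="0720000001" type="anomaly" subtype="anomaly" '
    'level="alert" vd="root" severity="critical" srcip=10.0.0.9 dstip=10.0.1.1 '
    'attack="udp_flood" msg="anomaly: udp_flood, 5000 > threshold 2000, repeats 1 times"',
    'date=2024-03-11 time=17:46:02 logid="0419000001" type="utm" subtype="ips" '
    'level="alert" vd="VDOM2" severity="high" srcip=10.0.0.5 dstip=10.0.2.1 '
    'action="dropped" attack="Placeholder.Signature.Name"',
]

if __name__ == "__main__":
    # The stitch on this page: anomaly logs, VDOM2 only, no extra field filter.
    for log in matching_logs(SAMPLE_LOGS, "anomaly", {"VDOM2"}, {}):
        print(log["vd"], log["attack"], log["msg"])
```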

Network requirement

When VDOM2 on the FortiGate is hit by a DoS attack, an email is sent automatically to a designated mailbox.

Configuration example

  1. In the FortiGate global VDOM, go to Security Fabric → Automation and create a new automation stitch.

  2. Click Add Trigger and choose Create New in the pop-up.

  3. In the list of log types, select Anomaly Logs under the Event Log category.

  4. Set the trigger name and choose the VDOM as the trigger condition. VDOM2 is used here; several VDOMs can be selected. Apply the configuration.

    config global
        config system automation-trigger
            edit "Anomaly_Log"
                set event-type anomaly-logs
                set vdom "VDOM2"
            next
        end
    end
    
  5. Select the trigger created in the previous step as the trigger condition; several triggers can be created and selected.

  6. Click Add Action and then click Create New in the pop-up window.

  7. Under the Notifications category, select the Email action.

  8. Set the delay between the trigger and the action to 3 s, then click OK to apply the stitch configuration.

    config global
        config system automation-action
            edit "Action_Email"
                set action-type email
                set email-to "bbai@fortinet.com"
                set email-from "DoNotReply@notification.fortinet.net"
                set email-subject "CSF stitch alert"
                set replacement-message enable
            next
        end
    end
    

    config global
        config system automation-stitch
            edit "VDOM2_Trigger_Anomaly_Log"
                set trigger "Anomaly_Log"
                config actions
                    edit 1
                        set action "Action_Email"
                        set delay 3
                        set required enable
                    next
                end
            next
        end
    end
    

Verification

  1. In VDOM2 on the FortiGate, configure a DoS policy with anomaly logging enabled, then generate DoS traffic from a test host toward port2, the VDOM2 interface. Under Log & Report → Security Events, a UDP Flood log appears in the Anomaly category.

  2. After 3 s, the recipient mailbox receives the email sent by the CSF automation; the email body is the text of the anomaly log.

  3. Check the debug output of the autod process; it shows the Email action being invoked.

    FortiGate (global) # diagnose debug application autod -1 
    FortiGate (global) # diagnose debug enable
    ......
    __action_email_hdl()-181: email action (Action_Email) is called. 
    from:DoNotReply@notification.fortinet.net 
    to:bbai@fortinet.com; 
    subject:CSF stitch alert
    ......
    
  4. Check the stitch's configuration and trigger statistics.

    FortiGate (global) # diagnose test application autod 2
    csf: disabled   root: no        sync connection: connecting
    version:0 sync time:
    total stitches activated: 4
    stitch: VDOM2_Trigger_Anomaly_Log
            destinations: all
            trigger: Anomaly_Log
                    type:anomaly logs
                    field ids:
                            (id:6)vd=VDOM2
            local hit: 6 relayed to: 0 relayed from: 0
            actions:
                    Action_Email type:email interval:0
                            delay:3 required:yes
                            subject: CSF stitch alert
                            body: %%log%%
                            sender: DoNotReply@notification.fortinet.net
                            mailto:bbai@fortinet.com;
    

Copyright © 2024 Fortinet Inc. All rights reserved. Powered by Fortinet TAC Team.
This page was last revised on: 2024-03-14 09:33:25
