Fortinet Fortigate integration
You can integrate Fortinet Fortigate with Sophos Central so that it sends alerts to Sophos for analysis.
This page gives you an overview of the integration.
Fortinet Fortigate product overview
Fortinet's FortiGate is a next-generation firewall that delivers advanced threat protection and performance optimization. Its integrated platform consolidates various security and networking functions, offering users protection against sophisticated threats.
What we ingest
Sample alerts seen by Sophos:
Apache.Struts.2.ParametersInterceptor.Remote.Command.Execution
Squirrelly.Template.Engine.Express.Render.API.Code.Injection
Splunk.Enterprise.REST.Information.Disclosure
TinyWebGallery.Lang.File.Inclusion
SIP.Multiple.Single.Value.Required.Header.Field
Alerts ingested in full
We recommend that you configure the following alerts (at severity warning or higher):
forward-traffic
local-traffic
multicast-traffic
sniffer-traffic
anomaly
traffic
web
url-filter
log-all-url
web-filter-referer-log
Filtering
We filter alerts and logs as follows.
Agent filter
- We ALLOW valid CEF.
- We DROP traffic logs and WAF passthrough logs.
- We DROP log-only, information, and notice level messages.
- We DROP various wireless device status messages.
Platform filter
- We DROP various Active Directory audit logs.
- We DROP error level messages.
- We DROP various reviewed and non-security related messages and logs.
- We DROP various high-volume and low-value specified messages.
Sample threat mappings
{"alertType": "SSL connection is blocked.", "threatId": "T1573", "threatName": "Encrypted Channel"}
{"alertType": "Cerber.Botnet", "threatId": "TA0011", "threatName": "Command and Control"}
{"alertType": "Apache.Log4j.Error.Log.Remote.Code.Execution", "threatId": "T1203", "threatName": "Exploitation for Client Execution"}
{"alertType": "Network.Service: DNS_Dynamic.Update", "threatId": "T1071.004", "threatName": "DNS"}
{"alertType": "Administrator NAME login failed from ssh(IP_ADDRESS) because admin concurrent is disabled", "threatId": "T1078", "threatName": "Valid Accounts"}
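As an added example (not Sophos or Fortinet code), the following Python script parses one CEF line, applies the agent filter rules listed under Filtering, and looks up the ATT&CK mapping from the sample threat mappings above. The extension keys cat, FTNTFGTlevel and msg are assumed FortiGate CEF keys, and the sample log lines are constructed.

```python
import re
# Sample threat mappings copied from this page (alert name -> ATT&CK id, name).
THREAT_MAP = {
    "Cerber.Botnet": ("TA0011", "Command and Control"),
    "Apache.Log4j.Error.Log.Remote.Code.Execution": ("T1203", "Exploitation for Client Execution"),
}
DROP_LEVELS = {"information", "notice"}  # the page says the agent drops these levels
HEADER = ["version", "vendor", "product", "dev_version", "sig_id", "name", "severity"]

def parse_cef(line):
    """Return the 7 CEF header fields plus an 'ext' dict, or None if not valid CEF."""
    if not line.startswith("CEF:"):
        return None
    # Header fields are '|'-separated; a literal pipe inside a field is escaped as '\|'.
    parts = re.split(r"(?<!\\)\|", line.rstrip("\n"), maxsplit=7)
    if len(parts) != 8:
        return None
    rec = {k: v.replace("\\|", "|") for k, v in zip(HEADER, parts)}
    # Extensions are key=value pairs; values may contain spaces, keys may not.
    rec["ext"] = {m.group(1): m.group(2)
                  for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7])}
    return rec

def agent_filter(rec):
    """Apply the agent-side rules stated on the page; returns (keep, reason)."""
    if rec is None:
        return False, "not valid CEF"
    # Assumed FortiGate extension keys: cat=traffic:forward, FTNTFGTlevel=notice.
    if rec["ext"].get("cat", "").startswith("traffic:"):
        return False, "traffic log"
    level = rec["ext"].get("FTNTFGTlevel", "")
    if level in DROP_LEVELS:
        return False, level + " level"
    return True, "ingested"

def triage(line):
    """Parse, filter and map one log line; 'threat' is None when nothing maps."""
    rec = parse_cef(line)
    keep, reason = agent_filter(rec)
    # Assumption: the alert name travels in msg=, falling back to the CEF name field.
    alert = rec["ext"].get("msg", rec["name"]) if rec else None
    return {"keep": keep, "reason": reason, "alert": alert,
            "threat": THREAT_MAP.get(alert) if keep else None}

# Constructed sample lines for illustration; not real FortiGate output.
SAMPLES = [
    "CEF:0|Fortinet|Fortigate|v7.0|13056|utm:ips signature|7|cat=utm:ips FTNTFGTlevel=alert msg=Cerber.Botnet src=10.0.0.5 dst=203.0.113.9",
    "CEF:0|Fortinet|Fortigate|v7.0|13|traffic:forward accept|3|cat=traffic:forward FTNTFGTlevel=notice src=10.0.0.5",
    "<134>Apr 1 00:00:00 fw date=2024-04-01 type=traffic level=notice",
]
```

Running triage() over SAMPLES keeps only the IPS line and tags it TA0011; the traffic line and the non-CEF syslog line are dropped with the matching reason.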