Version 7.0.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
FORTIGUARD LABS
https://www.fortiguard.com
FEEDBACK
Email: techdoc@fortinet.com
11/30/2023
FortiSIEM 7.0.0 Agentless ZTNA with FortiSIEM UEBA and FortiGate
TABLE OF CONTENTS
Change Log
Deployment Overview
Intended Audience
About this Guide
Design Concept and Considerations
Design for Visibility
FortiSIEM UEBA Telemetry
Native Windows as UEBA Telemetry
Other Infrastructure Logs
FortiSIEM Customized Rules
Sharing Information with FortiGate
Product Pre-requisites
Deployment Plan
Deployment Procedures
Define the FortiSIEM Watch List Groups
Import Custom Rules
Map Custom Rules
Integrate Watch Lists into FortiGate
FortiGate Methods to Utilize the Feed
Verification
Verify Device Added to Watchlist and Threat Feed
Configure VIP to Block Access to Critical Assets
Verify Access to Critical Assets are Blocked
Configure Firewall Policy to Control Access for Devices in the IP Threat Feed
Verify Access is Controlled by the 1st Floor ISFW Firewall
Configure local-in Policy to Block Access From Devices in the IP Threat Feed
Verify Access to the FortiGates are blocked by the local-in Policy
Appendix
Products Used
Documentation Links
FortiGate
FortiSIEM
Change Log
06/09/2023 Initial version of FortiSIEM UEBA & FortiGate Threat Management Guide
Deployment Overview
This document provides the steps necessary to configure FortiSIEM to provide the FortiGate with IP addresses that have
been associated with suspicious or malicious activity.
Reading the concept guide prior to this document will ensure familiarity of the use case, terminology and methods that
will be implemented.
The deployment expects that the customer has deployed FortiSIEM (either on premise or FortiSIEM Cloud) and a
FortiGate that will consume the FortiSIEM watchlist for network enforcement.
Intended Audience
This guide is primarily created for a technical audience who may be new to configuring FortiSIEM, but familiar with
FortiGate. The scenario can be applied to organizations of all sizes and types. Networking and security fundamentals are
assumed. While best practices are applied, customization by the administrator will be required to ensure the final
configuration meets the business' needs.
About this Guide
The deployment guide serves the purpose of going through the design and deployment steps involved in deploying a
specific architecture. Readers should first evaluate their environment to determine whether the architecture and design
outlined in this guide is suitable for them. It is advisable to review the Reference Architecture Guide(s) if readers are still
in the process of selecting the right architecture.
This deployment guide presents one of possibly many ways to deploy the solution. It may also omit specific steps where
readers must make design decisions to further configure their devices. It is recommended that readers also review
supplementary material found in product admin guides and release notes and other documents where appropriate.
The term event or log can be used interchangeably and describes a text log generated by a computer operating system
or application.
For comments and feedback, please visit Agentless ZTNA with FortiSIEM UEBA and FortiGate.
Design Concept and Considerations
Design for Visibility
FortiSIEM UEBA Telemetry
For the most complete visibility of user activity, the deployment of FortiSIEM Agents with UEBA enabled is
recommended. This allows detailed user activity to be collected without the need to enable any specific Microsoft
Windows auditing.
FortiSIEM Agents can be configured to send information to FortiSIEM even if the workstation is not on the network. This
helps to ensure that there is continued visibility on user activity.
The following diagram illustrates how a user who roams between on-network and off-network locations can continue to
send events and telemetry into FortiSIEM when the FortiSIEM Agent, with the optional UEBA feature, is installed.
With the UEBA feature enabled, the agent captures the key information from five areas (user, process, device,
resources and action) that are used within the ML models.
Native Windows as UEBA Telemetry
Where an agent cannot be deployed, events can still be collected from the Windows device using an agentless method
such as OMI. However, roughly half of the inputs the UEBA ML models rely on will be missing.
A comparison can be found here:
Understanding user behavior does not solely rely on UEBA and ML models. The somewhat more traditional SIEM
correlation rules, as well as specific statistical rules, can improve detection, identify user anomalies and potentially
malicious behavior.
Other Infrastructure Logs
Logs from Windows, Linux and firewalls that provide network access or authentication should also be sent to FortiSIEM.
To start, configure your FortiGate firewalls to send logs to FortiSIEM by following the steps in the ESCG.
FortiSIEM Customized Rules
The following out-of-the-box rules require modification to define the watch list. Steps are detailed later.

Rule | Description | Source | Attribute map to Watchlist
Failed VPN Logon From Outside My Country | Detects VPN logon from outside my country. My Country is set to "United States" and may need to be changed if your home country is different. | VPN terminators and firewalls | Source IP -> External Fabric Threats
Successful VPN Logon From Outside My Country | Detects VPN logon from outside my country. My Country is set to "United States" and may need to be changed if your home country is different. | VPN terminators and firewalls | Source IP -> External Fabric Threats
Multiple Logon Failures: VPN | Detects multiple VPN logon failures: 5 consecutive failures in a 10 minute period. | VPN terminators and firewalls | Source IP -> External Fabric Threats
Sudden User Location Change | Detects a location change for a user that is unfeasible in a short period of time, using the Haversine formula. This may indicate stolen credential use. | VPN terminators and firewalls | Source IP -> External Fabric Threats
Traffic to FortiGuard Threat Feed IP | Identifies traffic targeting an IP on the FortiGuard threat feed. | Firewalls | Source IP -> Malware Likely, Fabric Threats
The following rules will need to be imported into your FortiSIEM instance.

Rule | Description | Source | Attribute map to Watchlist
Host Risk increased to HIGH | Detects a device that has moved to high risk. | FortiSIEM | Host IP -> Fabric Threats
UEBA AI detects unusual drive unmounted - Fabric | Detects unusual drive unmounted by a user | FortiSIEM Agent UEBA | Reporting IP -> Fabric Threats
UEBA AI detects unusual file deletion - Fabric | Detects unusual file deletion by a user | FortiSIEM Agent UEBA, Windows Security Event Log | Reporting IP -> Fabric Threats
UEBA AI detects unusual file download - Fabric | Detects unusual file download by a user | FortiSIEM Agent UEBA | Reporting IP -> Fabric Threats
UEBA AI detects unusual file movement - Fabric | Detects unusual file movement by a user | FortiSIEM Agent UEBA | Reporting IP -> Fabric Threats
UEBA AI detects unusual file printed - Fabric | Detects unusual file printed by a user | FortiSIEM Agent UEBA | Reporting IP -> Fabric Threats
UEBA AI detects unusual file reading - Fabric | Detects unusual file reading by a user | FortiSIEM Agent UEBA | Reporting IP -> Fabric Threats
UEBA AI detects unusual file renamed - Fabric | Detects unusual file renamed by a user | FortiSIEM Agent UEBA | Reporting IP -> Fabric Threats
UEBA AI detects unusual file upload - Fabric | Detects unusual file upload by a user | FortiSIEM Agent UEBA | Reporting IP -> Fabric Threats
UEBA AI detects unusual file writing - Fabric | Detects unusual file writing by a user | FortiSIEM Agent UEBA | Reporting IP -> Fabric Threats
UEBA AI detects unusual host logon - Fabric | Detects unusual Windows logon | FortiSIEM Agent UEBA, Windows Security Event Log | Reporting IP -> Fabric Threats
UEBA AI detects unusual new drive mounted - Fabric | Detects unusual new drive mounted by a user | FortiSIEM Agent UEBA | Reporting IP -> Fabric Threats
UEBA AI detects unusual process created - Fabric | Detects unusual process started by a user | FortiSIEM Agent UEBA, Windows Security Event Log | Reporting IP -> Fabric Threats
UEBA AI detects unusual process started - Fabric | Detects unusual process started by a user | FortiSIEM Agent UEBA, Windows Security Event Log | Reporting IP -> Fabric Threats
UEBA AI detects unusual user logoff - Fabric | Detects unusual user logoff | FortiSIEM Agent UEBA, Windows Security Event Log | Reporting IP -> Fabric Threats
Sharing Information with FortiGate
FortiGate uses a Security Fabric threat feed integration (an external connector) to connect to FortiSIEM through the
watchlist API and pull back the list of IP addresses.
The IP addresses can then be used in a number of scenarios that include:
• Apply the threat feed as source in a firewall policy to deny access to a VIP.
• Apply the threat feed as source in a local-in policy to deny IKE/SSL/HTTPS or any administrative access destined to the
FortiGate WAN interface.
• Apply the threat feed as source in an SSL VPN or IPsec VPN based firewall policy.
Product Pre-requisites
Deployment Plan
Deployment Procedures
Define the FortiSIEM Watch List Groups
Two watch list groups are used: External Fabric Threats, whose entries expire after two weeks, and Fabric Threats, whose
entries expire after one week.
The validity of one and two weeks can be configured to be longer or shorter, depending on how transient the IP is likely to
be. For example, there may be little value in keeping a DHCP-assigned IP in the watch lists for longer than one week, as it
may have been assigned to another host by then.
General steps to configure watch lists can be found here.
To create the External Fabric Threats Watch List Group, take the following steps from the FortiSIEM GUI.
1. Navigate to RESOURCES > Watch Lists.
2. In the left pane, click the + icon to create a new watch list group.
3. From the Create New Watch List Group window, take the following steps:
a. In the Group field, enter "External Fabric Threats".
b. From the Type drop-down list, select IP.
c. In the Expired in # Week(s) field, enter/select 2.
d. Click Save.
To create the Fabric Threats Watch List Group, take the following steps from the FortiSIEM GUI.
1. Navigate to RESOURCES > Watch Lists.
2. In the left pane, click the + icon to create a new watch list group.
3. From the Create New Watch List Group window, take the following steps:
a. In the Group field, enter "Fabric Threats".
b. From the Type drop-down list, select IP.
c. In the Expired in # Week(s) field, enter/select 1.
d. Click Save.
Import Custom Rules
The custom rules are contained in two files, High_Risk_Device.xml and UEBA_Fabric.xml.
Download links:
• High_Risk_Device.xml
• UEBA_Fabric.xml
To import these two customized rule sets, take the following steps:
Import High_Risk_Device.xml Rule
1. Navigate to RESOURCES > Rule > Security.
2. Click Import, select the High_Risk_Device.xml file, and click Import.
Import UEBA_Fabric.xml Rule
Repeat the same two steps, selecting the UEBA_Fabric.xml file.
Map Custom Rules
The FortiSIEM rules that have been imported, as well as the existing out-of-the-box rules, need to be mapped to the
custom watch list groups defined in the earlier step.
For each of the rules listed in FortiSIEM Customized Rules, the watch list assignment must be changed. Follow these
general steps to ensure each rule is mapped to the new watch lists.
1. Ensure RESOURCES > Rules is selected.
2. In the search field, enter the rule you wish to edit. When it appears, select it.
3. Click Edit, and select Selected Rule.
4. Click Step 3: Define Action.
5. Clear the Watch List field, if an entry exists by clicking on the Trash icon.
6. From the Watch List row, click the Edit icon.
7. From the Available Watch List column, select the appropriate watch list (use the Attribute map to Watchlist
column from the FortiSIEM Customized Rules table to identify which watch list to assign), and click the > button to
move it to the Selected column.
8. Click Save.
9. Click Save.
10. Confirm that the rule is enabled by verifying that the Active checkbox is checked.
One specific example, using the rule "Failed VPN Logon From Outside My Country", follows the same steps: select the
External Fabric Threats watch list in Step 3: Define Action, click Save, and confirm the Active checkbox is checked.
Integrate Watch Lists into FortiGate
An example of configuring FortiGate to pull entries from the "External Fabric Threats" watch list is provided here.
1. In the FortiGate, navigate to Security Fabric > External Connectors.
2. Click Create New.
3. Under the Threat Feeds section, select IP Address.
4. Input the fields for the IP Address Threat Feed
a. In the Name field, enter a name, for example "FSM_Threat_Feed".
Note: It must begin with “g-“ if the FortiGate is in multi-vdom mode, for example "g-FSM_Threat_Feed".
b. Set Update method to External Feed. This method pulls the updates from the external feed at a configured
interval.
c. Enter the appropriate URL for one of the watch list groups (External Fabric Threats or Fabric Threats), in the
format of:
• https://<ip of FortiSIEM>:<port>/phoenix/rest/watchlist/ip?name=External%20Fabric%20Threats
OR
• https://<ip of FortiSIEM>:<port>/phoenix/rest/watchlist/ip?name=Fabric%20Threats
d. Enable HTTP basic authentication.
e. In the Username field, enter "super/<username>". In the Password field, enter the password associated with
the account.
Note: If using a multi-tenant version of FortiSIEM, replace the organization "super" with the name of the
organization you need to integrate with.
f. (Optional) In the Refresh Rate field, increase/decrease the refresh rate as needed.
g. Click OK.
5. Once created, double-click on the new feed on the list page to open the Threat feed once again. On the right gutter
area, Connection Status should now display a green arrow. Click on View Entries to display the entries received
from FortiSIEM.
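The following is an added example, not code from this guide or from Fortinet. It models the two watch list groups defined in Define the FortiSIEM Watch List Groups, applies their one- and two-week expiry, and renders the body that the FortiGate external connector configured above will consume: one IP address or CIDR per line, validated and de-duplicated. It also builds the pull URL in the format given above and the basic-auth value for the "super/<username>" login form. Group names, expiry periods, the URL format and the login form come from the guide; the sample entries, the host name fsm.example.net, and the assumption that the watchlist endpoint returns a plain one-entry-per-line body are this example's own.

```python
"""Added example (not from the guide or Fortinet): watch list expiry -> FortiGate IP feed body."""
import base64
import ipaddress
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

# Expiry per watch list group, as configured in the guide.
GROUP_EXPIRY = {
    "External Fabric Threats": timedelta(weeks=2),
    "Fabric Threats": timedelta(weeks=1),
}

# Assumption: these ranges can only ever match on-net sources, so they are useless
# for the off-net (roaming user) case the guide's notes call out.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]

# Constructed sample watch list content: (group, entry, time added). Not real data.
SAMPLE_NOW = datetime(2023, 5, 25, 22, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    ("Fabric Threats", "10.100.91.100", SAMPLE_NOW - timedelta(days=2)),
    ("Fabric Threats", "10.100.91.57", SAMPLE_NOW - timedelta(days=9)),      # past 1 week
    ("Fabric Threats", "not-an-ip", SAMPLE_NOW),                             # malformed
    ("Fabric Threats", "10.100.91.100", SAMPLE_NOW - timedelta(hours=1)),    # duplicate
    ("External Fabric Threats", "203.0.113.45", SAMPLE_NOW - timedelta(days=9)),
    ("External Fabric Threats", "203.0.113.9", SAMPLE_NOW - timedelta(days=15)),  # past 2 weeks
    ("External Fabric Threats", "198.51.100.0/24", SAMPLE_NOW - timedelta(days=1)),
]


def watchlist_url(host, port, group):
    """Pull URL for the FortiGate external connector, in the format the guide gives."""
    return f"https://{host}:{port}/phoenix/rest/watchlist/ip?name={quote(group)}"


def basic_auth_header(org, username, password):
    """HTTP basic-auth value for the 'org/username' login form the guide specifies."""
    token = base64.b64encode(f"{org}/{username}:{password}".encode()).decode()
    return f"Basic {token}"


def active_entries(entries, now):
    """Drop entries older than their group's expiry; keep insertion order per group."""
    out = {group: [] for group in GROUP_EXPIRY}
    for group, entry, added in entries:
        ttl = GROUP_EXPIRY.get(group)
        if ttl is not None and added + ttl > now:
            out[group].append(entry)
    return out


def render_feed(entries):
    """FortiGate IP feed body: one validated, unique IP or CIDR per line."""
    seen, lines = set(), []
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            continue  # one malformed watch list entry must not poison the whole feed
        text = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
        if text not in seen:
            seen.add(text)
            lines.append(text)
    return "".join(line + "\n" for line in lines)


def build_feeds(entries=SAMPLE_ENTRIES, now=SAMPLE_NOW):
    """Feed body per group, i.e. what each watchlist URL would return after expiry."""
    return {group: render_feed(items) for group, items in active_entries(entries, now).items()}


def split_public_private(feed_text):
    """The guide's off-net caveat: only public entries can match a roaming user's source IP."""
    public, private = [], []
    for line in feed_text.splitlines():
        net = ipaddress.ip_network(line, strict=False)
        is_private = any(net.version == p.version and net.subnet_of(p) for p in NON_PUBLIC)
        (private if is_private else public).append(line)
    return public, private


if __name__ == "__main__":
    print(watchlist_url("fsm.example.net", 443, "External Fabric Threats"))
    for group, body in build_feeds().items():
        pub, priv = split_public_private(body)
        print(f"{group}: {len(pub)} public, {len(priv)} private entries")
        print(body, end="")
```

Running the block prints both feed bodies: the expired entries, the malformed entry and the duplicate are gone, and the Fabric Threats list contains only private addresses, which is exactly why that list can enforce on-net but not off-net.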
FortiGate Methods to Utilize the Feed
There are various methods by which administrators can apply access control based on the IP threat feed that is
synchronized from FortiSIEM. Below are examples of several methods.
Method 1: Apply threat feed as source in firewall policy to deny access to VIP
Applies to: On-net and Off-net users and devices
This assumes that FortiGate has various protected servers exposed to the Internet or on the internal network via a VIP.
To block access from risky devices, set the policy source to the IP threat feed (FSM_Threat_Feed).
Note: For the off-net use case, the IP threat feed must contain the public IPs that should be blocked.
Note: When firewalls are configured in a Security Fabric, the IP threat feed is not synchronized from the root
FortiGate. Therefore, an IP threat feed must be configured on each FortiGate that acts as an ISFW.
Method 3: Apply threat feed as source in a local-in policy to deny IKE/SSL/HTTPS or any administrative access
destined to the FortiGate WAN or internal interface.
Applies to: On-net and Off-net users and devices
This can block new VPN connections based on source IP via IKE, HTTPS (443) or custom SSL VPN port. This will also
block existing tunnel connections, since this is blocking at the packet/protocol level.
Blocking local-in traffic can also prevent rogue employees from accessing the FortiGate firewall itself.
See https://docs.fortinet.com/document/fortigate/7.2.99/administration-guide/363127/local-in-policy
Note: For the Off-net use case, the IP threat feed must contain public IPs for this to work.
Method 4: Apply threat feed as source on a SSL VPN or IPsec VPN based firewall policy.
Applies to: Off-net Dialup IPsec VPN users or SSL VPN users
This method assumes an endpoint is connected to the FortiGate for VPN already. The user/device behavior triggers the
risk threshold to be exceeded on FortiSIEM, and consequently triggers its VPN address to be added to the watchlist.
The policy shown above allows traffic from any user whose address is NOT in the IP-threat-VPN-IPs feed, using the feed
as a negated source address. This method can block a device based on the IP assigned by the FortiGate via SSL VPN or
IPsec VPN.
Example source IP pool for SSL VPN:
Note: The FortiSIEM watchlist needs to filter for only events that produce the SSL VPN or IPsec VPN IP address
assigned by the FortiGate.
ZTNA tags will not be used for security posture check. However, the threat feed can be used as source in the firewall
policy.
The following policy allows traffic sourced from all IPs except for those in the FSM_Threat_Feed.
Verification
In the following example, an on-net user's device sends logs to FortiSIEM Cloud. Certain actions trigger FortiSIEM rules
and UEBA AI detection. Consequently, the user's device IP (10.100.91.100) gets added to FortiSIEM's Fabric Threats
watch list. This list is synchronized to the Enterprise Core and 1st Floor FortiGates as an IP threat feed. Each FortiGate
applies a different method to control access using the IP threat feed. As a result, the suspicious user is denied access
to protected resources and to the FortiGates themselves.
Verify Device Added to Watchlist and Threat Feed
To verify that a device has been added to the watch list and threat feed, take the following steps.
1. On FortiSIEM, verify an incident has been triggered by navigating to INCIDENTS, and checking for active incidents.
2. Verify the user’s device IP has been added to the corresponding watchlist by navigating to Resources > Watch
Lists > Fabric Threats or Resources > Watch Lists > External Fabric Threats.
3. On both Enterprise Core and 1st Floor FortiGates, verify that the FSM_Threat_Feed has been populated with the
IP of the offending device.
Configure VIP to Block Access to Critical Assets
On Enterprise Core, configure VIPs to the critical assets, but block traffic coming from devices on the IP threat feed (FSM_
Threat_Feed) by taking the following steps.
1. Navigate to Policy & Objects > Virtual IPs.
2. Click Create New.
3. Configure settings for forwarding to Web server 1 and Web server 2.
4. Click OK to save.
8. Click OK to save.
9. Create a new policy below the previous (deny) policy that allows traffic to the web servers.
Verify Access to Critical Assets are Blocked
From the client computer, try accessing Web server 1 in the browser. The page cannot be loaded.
From the Enterprise Core FortiGate, view the Forward Traffic log from Log & Report, or retrieve the logs from the CLI.
Configure Firewall Policy to Control Access for Devices in the IP Threat Feed
On the 1st Floor ISFW FortiGate, configure firewall policies that block traffic coming from devices on the IP threat feed
(FSM_Threat_Feed). Also configure Internet access using restrictive web filter and application control profiles for devices
on the IP threat feed.
1. On the 1st floor FortiGate, navigate to Policy & Objects > Firewall Policy.
2. Click Create New.
3. Configure settings for blocking traffic to Fabric Devices if the source is in the g-FSM_Threat_Feed list.
4. Click OK. Ensure this policy is above more general ACCEPT policies.
5. Navigate to Security Profiles > Application Control.
6. Create a strict-appctrl profile that blocks all categories except for a few categories which are monitored.
9. Create a new firewall policy. Allow traffic if source is in the g-FSM_Threat_Feed list, but apply a strict web filter
and application control profile.
10. Click OK. Ensure this policy is above more general ACCEPT policies.
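Both this procedure and Configure VIP to Block Access to Critical Assets end with the same instruction: the DENY whose source is the threat feed must sit above the broader ACCEPT policies, because a FortiGate evaluates firewall policies top-down and stops at the first match. The following added example, which is not code from this guide or from Fortinet, parses a FortiOS "config firewall policy" block and reports every feed-sourced DENY that is shadowed by an earlier ACCEPT on the same interface pair, then emits the CLI "move" commands that fix the order. The sample configuration is constructed for this example; the policy, interface and VIP names are assumptions, the feed name FSM_Threat_Feed is the guide's.

```python
"""Added example (not from the guide or Fortinet): audit feed-based DENY ordering in FortiOS policy config."""
import re

# Constructed sample (not a real configuration). Policy 3 is the feed-based deny from the
# guide's procedure; policy 2 is the mistake: a broad accept evaluated before it.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "Allow-Mgmt-to-Web"
        set srcintf "port5"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "VIP-Web1"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
    edit 2
        set name "Allow-LAN-to-Web"
        set srcintf "port3"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "VIP-Web1" "VIP-Web2"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
    edit 3
        set name "Deny-FSM-Threat-to-VIP"
        set srcintf "port3"
        set dstintf "port2"
        set srcaddr "FSM_Threat_Feed"
        set dstaddr "VIP-Web1" "VIP-Web2"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
"""

SET_LINE = re.compile(r'^set\s+(\S+)\s+(.*)$')


def parse_policies(text):
    """Policies in evaluation order; every 'set' value becomes a list of strings."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            cur = {"id": int(line.split()[1])}
        elif line == "next" and cur is not None:
            policies.append(cur)
            cur = None
        elif cur is not None:
            m = SET_LINE.match(line)
            if m:
                key, rest = m.groups()
                cur[key] = re.findall(r'"([^"]*)"', rest) or rest.split()
    return policies


def shadowing_accepts(policies, feed="FSM_Threat_Feed"):
    """(deny_id, accept_id) pairs where an ACCEPT evaluated earlier on the same
    interface pair can match traffic the feed-sourced DENY was meant to catch."""
    problems = []
    for i, deny in enumerate(policies):
        if deny.get("action") != ["deny"] or feed not in deny.get("srcaddr", []):
            continue
        for acc in policies[:i]:
            if acc.get("action") != ["accept"]:
                continue
            if (acc.get("srcintf"), acc.get("dstintf")) != (deny.get("srcintf"), deny.get("dstintf")):
                continue
            src_overlap = "all" in acc.get("srcaddr", []) or feed in acc.get("srcaddr", [])
            dst_overlap = ("all" in acc.get("dstaddr", [])
                           or bool(set(acc.get("dstaddr", [])) & set(deny.get("dstaddr", []))))
            if src_overlap and dst_overlap:
                problems.append((deny["id"], acc["id"]))
    return problems


def move_commands(policies, feed="FSM_Threat_Feed"):
    """FortiOS CLI to fix each finding, typed inside 'config firewall policy'."""
    return [f"move {deny_id} before {acc_id}" for deny_id, acc_id in shadowing_accepts(policies, feed)]


def hoist_feed_denies(policies, feed="FSM_Threat_Feed"):
    """Resulting evaluation order once the feed-sourced denies are moved to the top."""
    denies = [p for p in policies if p.get("action") == ["deny"] and feed in p.get("srcaddr", [])]
    return denies + [p for p in policies if p not in denies]


if __name__ == "__main__":
    policies = parse_policies(SAMPLE_CONFIG)
    for deny_id, acc_id in shadowing_accepts(policies):
        print(f"policy {deny_id} (feed deny) is shadowed by accept policy {acc_id}")
    print("\n".join(move_commands(policies)))
```

Policy 1 is not reported even though it is an ACCEPT with source "all", because it is on a different ingress interface and can never match the traffic the DENY targets; the audit only flags the ACCEPT that actually shadows it.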
Verify Access is Controlled by the 1st Floor ISFW Firewall
From the client computer, try accessing FortiAnalyzer (10.100.88.2) in the browser. The page cannot be loaded.
Try to browse to a Job Search website. The page is blocked by FortiGuard web filtering.
Configure local-in Policy to Block Access From Devices in the IP Threat Feed
On both the Enterprise Core and 1st Floor ISFW FortiGates, configure local-in policies that block access from devices on
the IP threat feed (FSM_Threat_Feed). Packets arriving on the interface will be dropped and logged.
1. On the Enterprise Core FortiGate's CLI, configure the following rule. The interface (intf) must be the one on which
the flagged clients' traffic arrives. The default action of a local-in policy is deny; it is set explicitly here so the
intent is visible when the configuration is reviewed.
config firewall local-in-policy
    edit 1
        set intf "port3"
        set srcaddr "FSM_Threat_Feed"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action deny
    next
end
Verify Access to the FortiGates are blocked by the local-in Policy
From the client computer, try accessing the 1st Floor FortiGate (10.100.88.101) in the browser. The page cannot be
loaded.
Sniff for packets from the client:
# diag sniffer packet any 'host 10.100.91.100 and port 443' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.100.91.100 and port 443]
2023-05-25 22:24:57.463149 port3 in 10.100.91.100.5013 -> 10.100.88.101.443: syn 1024673119
2023-05-25 22:24:57.714817 port3 in 10.100.91.100.5014 -> 10.100.88.101.443: syn 674054329
2023-05-25 22:25:00.464681 port3 in 10.100.91.100.5013 -> 10.100.88.101.443: syn 1024673119
2023-05-25 22:25:00.718445 port3 in 10.100.91.100.5014 -> 10.100.88.101.443: syn 674054329
View the Local Traffic log from Log & Report, or retrieve the logs from the CLI.
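The sniffer output above is the signature of a local-in drop: the client's SYNs arrive on port3, nothing goes back out, and each SYN is retransmitted about three seconds later with the same sequence number. The following added example, which is not code from this guide or from Fortinet, parses "diagnose sniffer packet" lines in the format shown above and labels each connection attempt so the check can be applied to a longer capture. The blocked capture is the guide's own; the accepted capture used for contrast is constructed for this example, and the line format it assumes is the one visible above.

```python
"""Added example (not from the guide or Fortinet): classify connection attempts in FortiOS sniffer output."""
import re

# The guide's capture of the blocked client (10.100.91.100 -> 1st Floor FortiGate 10.100.88.101).
DROPPED_CAPTURE = """\
2023-05-25 22:24:57.463149 port3 in 10.100.91.100.5013 -> 10.100.88.101.443: syn 1024673119
2023-05-25 22:24:57.714817 port3 in 10.100.91.100.5014 -> 10.100.88.101.443: syn 674054329
2023-05-25 22:25:00.464681 port3 in 10.100.91.100.5013 -> 10.100.88.101.443: syn 1024673119
2023-05-25 22:25:00.718445 port3 in 10.100.91.100.5014 -> 10.100.88.101.443: syn 674054329
"""

# Constructed contrast (not from the guide): what the same client looks like when the
# FortiGate accepts the connection and answers the SYN.
ACCEPTED_CAPTURE = """\
2023-05-25 22:10:01.000000 port3 in 10.100.91.100.5020 -> 10.100.88.101.443: syn 11111
2023-05-25 22:10:01.000400 port3 out 10.100.88.101.443 -> 10.100.91.100.5020: syn 22222 ack 11112
2023-05-25 22:10:01.001200 port3 in 10.100.91.100.5020 -> 10.100.88.101.443: ack 22223
"""

# Date, time, interface, direction, src.port -> dst.port: flags and numbers.
LINE = re.compile(
    r'^\S+ \S+ (?P<intf>\S+) (?P<dir>in|out) '
    r'(?P<src>[\d.]+)\.(?P<sport>\d+) -> (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$')


def parse_sniffer(text):
    """Group packets by connection. The first packet seen for a 4-tuple is taken as the
    client side; packets in the reverse direction are filed under the same key."""
    flows = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # higher verbose levels add hex-dump lines; ignore them
        fwd = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        rev = (fwd[2], fwd[3], fwd[0], fwd[1])
        if rev in flows:
            key, from_client = rev, False
        else:
            key, from_client = fwd, True
        tokens = m["rest"].split()
        flags = tuple(t for t in tokens if not t.isdigit())
        nums = [int(t) for t in tokens if t.isdigit()]
        flows.setdefault(key, []).append((from_client, flags, nums[0] if nums else None))
    return flows


def classify(flows):
    """Verdict per connection: accepted (SYN/ACK came back), reset (RST seen),
    dropped (client SYN retransmitted unchanged, nothing back), or pending."""
    verdicts = {}
    for key, pkts in flows.items():
        server_flags = [f for from_client, f, _ in pkts if not from_client]
        client_syns = [seq for from_client, f, seq in pkts if from_client and f == ("syn",)]
        if any("syn" in f and "ack" in f for f in server_flags):
            verdicts[key] = "accepted"
        elif any("rst" in f for _, f, _ in pkts):
            verdicts[key] = "reset"
        elif len(client_syns) >= 2 and len(set(client_syns)) == 1 and not server_flags:
            verdicts[key] = "dropped"
        else:
            verdicts[key] = "pending"
    return verdicts


if __name__ == "__main__":
    for name, capture in (("blocked client", DROPPED_CAPTURE), ("accepted client", ACCEPTED_CAPTURE)):
        for key, verdict in classify(parse_sniffer(capture)).items():
            print(f"{name}: {key[0]}:{key[1]} -> {key[2]}:{key[3]} = {verdict}")
```

The distinction matters when reading the Local Traffic log alongside the capture: a "reset" verdict would point at something answering the client (for example a policy with a reject action), while "dropped" with identical retransmitted sequence numbers is what a silent local-in deny produces.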
Appendix
• Products Used
• Documentation Links
Products Used
The following product models and firmware were used in this guide.
Documentation Links
FortiGate
https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/891236
Local-in Policy
https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/363127/local-in-policy
FortiSIEM
Copyright© 2023 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.