FortiSIEM

Agentless ZTNA with FortiSIEM UEBA and FortiGate

Version 7.0.0
11/30/2023
FortiSIEM 7.0.0 Agentless ZTNA with FortiSIEM UEBA and FortiGate
TABLE OF CONTENTS

Change Log
Deployment Overview
  Intended Audience
  About this Guide
Design Concept and Considerations
  Design for Visibility
    FortiSIEM UEBA Telemetry
    Native Windows as UEBA Telemetry
    Other Infrastructure Logs
    FortiSIEM Customized Rules
    Sharing Information with FortiGate
  Product Pre-requisites
Deployment Plan
Deployment Procedures
  Define the FortiSIEM Watch List Groups
  Import Custom Rules
  Map Custom Rules
  Integrate Watch Lists into FortiGate
  FortiGate Methods to Utilize the Feed
Verification
  Verify Device Added to Watchlist and Threat Feed
  Configure VIP to Block Access to Critical Assets
  Verify Access to Critical Assets is Blocked
  Configure Firewall Policy to Control Access for Devices in the IP Threat Feed
  Verify Access is Controlled by the 1st Floor ISFW Firewall
  Configure local-in Policy to Block Access From Devices in the IP Threat Feed
  Verify Access to the FortiGates is Blocked by the local-in Policy
Appendix
  Products Used
  Documentation Links
    FortiGate
    FortiSIEM

Fortinet Inc.
Change Log

Date Change Description

06/09/2023 Initial version of FortiSIEM UEBA & FortiGate Threat Management Guide

06/19/2023 Renamed to Agentless ZTNA with FortiSIEM and FortiGate.

07/11/2023 Renamed to Agentless ZTNA with FortiSIEM UEBA and FortiGate.

Deployment Overview

This document provides the steps necessary to configure FortiSIEM to provide the FortiGate with IP addresses that have
been associated with suspicious or malicious activity.
Reading the concept guide prior to this document will ensure familiarity of the use case, terminology and methods that
will be implemented.
The deployment expects that the customer has deployed FortiSIEM (either on premise or FortiSIEM Cloud) and a
FortiGate that will consume the FortiSIEM watchlist for network enforcement.

Intended Audience

This guide is primarily created for a technical audience who may be new to configuring FortiSIEM, but familiar with
FortiGate. The scenario can be applied to all size and types of organizations. Networking and security fundamentals are
assumed. While best practices are applied, customization by the administrator will be required to ensure the final
configuration meets a business’ needs.

About this Guide

The deployment guide serves the purpose of going through the design and deployment steps involved in deploying a
specific architecture. Readers should first evaluate their environment to determine whether the architecture and design
outlined in this guide is suitable for them. It is advisable to review the Reference Architecture Guide(s) if readers are still
in the process of selecting the right architecture.
This deployment guide presents one of possibly many ways to deploy the solution. It may also omit specific steps where
readers must make design decisions to further configure their devices. It is recommended that readers also review
supplementary material found in product admin guides and release notes and other documents where appropriate.

The term event or log can be used interchangeably and describes a text log generated by a computer operating system
or application.
For comments and feedback, please visit Agentless ZTNA with FortiSIEM UEBA and FortiGate.

Design Concept and Considerations

Design for Visibility

Consider the following in your design process.


• FortiSIEM UEBA Telemetry
• Native Windows as UEBA Telemetry
• Other Infrastructure Logs
• FortiSIEM Customized Rules
• Sharing Information with FortiGate

FortiSIEM UEBA Telemetry

For the most complete visibility of user activity, the deployment of FortiSIEM Agents with UEBA enabled is
recommended. This allows for detailed user activity to be collected without the need to enable any specific Microsoft
Windows auditing.
FortiSIEM Agents can be configured to send information to FortiSIEM even if the workstation is not on the network. This
helps to ensure that there is continued visibility on user activity.
The following diagram illustrates how a user who roams between on-network and off-network can continue to send
events and telemetry into FortiSIEM through the FortiSIEM Agent with the optional UEBA feature.

With the UEBA feature enabled, the agent will capture the key information from 5 areas (user, process, device,
resources and action) that are used within the ML models.

Native Windows as UEBA Telemetry

Where an agent cannot be deployed, events can still be collected from the Windows device using an agentless
method such as OMI. However, about 50% of the UEBA ML models will then lack the data they need.
A comparison can be found here:


• Example UEBA events


• UEBA ML models and required event sources
Instructions for installing and configuring the FortiSIEM Windows Agent are available here; agentless monitoring of
Windows is described in the External Systems Configuration Guide (ESCG).

Other Infrastructure Logs

Understanding user behavior does not solely rely on UEBA and ML models. The somewhat more traditional SIEM
correlation rules, as well as specific statistical rules, can improve detection, identify user anomalies and potentially
malicious behavior.
Logs from Windows, Linux and Firewalls that provide network access or authentication should also be sent to FortiSIEM.
To start, configure your FortiGate firewalls to send logs to FortiSIEM by following the steps in the ESCG.

FortiSIEM Customized Rules

The following out-of-the-box rules require modification to define the watchlist. The steps are detailed later.

FSM Rule | Description | Source Devices | Attribute map to Watchlist
Failed VPN Logon From Outside My Country | Detects VPN logon from outside my country. My Country is set to "United States" and may need to be changed if your home country is different. | VPN terminators and Firewalls | Source IP -> External Fabric Threats
Successful VPN Logon From Outside My Country | Detects VPN logon from outside my country. My Country is set to "United States" and may need to be changed if your home country is different. | VPN terminators and Firewalls | Source IP -> External Fabric Threats
Multiple Logon Failures: VPN | Detects multiple VPN logon failures - 5 consecutive failures in a 10 minute period. | VPN terminators and Firewalls | Source IP -> External Fabric Threats
Sudden User Location Change | Detects a location change for a user that is unfeasible in a short period of time, using the Haversine formula. This may indicate stolen credential use. | VPN terminators and Firewalls | Source IP -> External Fabric Threats
Traffic to FortiGuard Threat Feed IP | Identifies traffic targeting an IP on the FortiGuard threat feed. | Firewalls | Source IP -> Malware Likely, Fabric Threats

The following rules will need to be imported into your FortiSIEM instance.

FSM Rule | Description | Source Devices | Attribute map to Watchlist
Host Risk increased to HIGH | Detects a device that has moved to high risk. | FortiSIEM | Host IP -> Fabric Threats
UEBA AI detects unusual drive unmounted - Fabric | Detects unusual drive unmounted by a user | FortiSIEM Agent UEBA | Reporting IP -> Fabric Threats
UEBA AI detects unusual file deletion - Fabric | Detects unusual file deletion by a user | FortiSIEM Agent UEBA, Windows Security Event Log | Reporting IP -> Fabric Threats
UEBA AI detects unusual file download - Fabric | Detects unusual file download by a user | FortiSIEM Agent UEBA | Reporting IP -> Fabric Threats
UEBA AI detects unusual file movement - Fabric | Detects unusual file movement by a user | FortiSIEM Agent UEBA | Reporting IP -> Fabric Threats
UEBA AI detects unusual file printed - Fabric | Detects unusual file printed by a user | FortiSIEM Agent UEBA | Reporting IP -> Fabric Threats
UEBA AI detects unusual file reading - Fabric | Detects unusual file reading by a user | FortiSIEM Agent UEBA | Reporting IP -> Fabric Threats
UEBA AI detects unusual file renamed - Fabric | Detects unusual file renamed by a user | FortiSIEM Agent UEBA | Reporting IP -> Fabric Threats
UEBA AI detects unusual file upload - Fabric | Detects unusual file upload by a user | FortiSIEM Agent UEBA | Reporting IP -> Fabric Threats
UEBA AI detects unusual file writing - Fabric | Detects unusual file writing by a user | FortiSIEM Agent UEBA | Reporting IP -> Fabric Threats
UEBA AI detects unusual host logon - Fabric | Detects unusual Windows logon | FortiSIEM Agent UEBA, Windows Security Event Log | Reporting IP -> Fabric Threats
UEBA AI detects unusual new drive mounted - Fabric | Detects unusual new drive mounted by a user | FortiSIEM Agent UEBA | Reporting IP -> Fabric Threats
UEBA AI detects unusual process created - Fabric | Detects unusual process started by a user | FortiSIEM Agent UEBA, Windows Security Event Log | Reporting IP -> Fabric Threats
UEBA AI detects unusual process started - Fabric | Detects unusual process started by a user | FortiSIEM Agent UEBA, Windows Security Event Log | Reporting IP -> Fabric Threats
UEBA AI detects unusual user logoff - Fabric | Detects unusual user logoff | FortiSIEM Agent UEBA, Windows Security Event Log | Reporting IP -> Fabric Threats

Sharing Information with FortiGate

FortiGate will use a Security Fabric Threat Feed Integration to connect to FortiSIEM using watchlist API to pull back the
list of IP addresses.
The IP addresses can then be used in a number of scenarios, including:
• Apply the threat feed as source in a firewall policy to deny access to a VIP.
• Apply the threat feed as source in a local-in policy to deny IKE/SSL/HTTPS or any administrative access destined to the
FortiGate WAN interface.
• Apply the threat feed as source in an SSL VPN or IPsec VPN based firewall policy.

Product Pre-requisites

• FortiSIEM UEBA events via the FortiSIEM Agent are a licensed capability.
• FortiSIEM 6.6.0 or greater is required.
• A FortiSIEM FortiGuard IOC subscription is required for "Traffic to FortiGuard Threat Feed" to detect threats.

Deployment Plan

The high-level deployment plan is as follows:

1. FortiSIEM - Install FortiSIEM Agents and enable UEBA where licensed. Specific steps to deploy and enable can be
found in the Windows Agent Installation Guide.
2. FortiSIEM - Define IP watchlist.
3. FortiSIEM - Import the custom rules.
4. FortiSIEM - Customize the rules to reference the watchlists.
5. FortiGate - Configure the FortiGate to collect the IPs from the Fabric watchlists.
6. FortiGate - Configure use case for FortiGate consumption of the IP Address Threat Feed.

Deployment Procedures

• Define the FortiSIEM Watch List Groups
• Import Custom Rules
• Map Custom Rules
• Integrate Watch Lists into FortiGate
• FortiGate Methods to Utilize the Feed

Define the FortiSIEM Watch List Groups

This deployment requires creating two watch list groups:

1. "External Fabric Threats" of type IP with a validity of 2 weeks
2. "Fabric Threats" of type IP with a validity of 1 week

The validity of one and two weeks can be configured to be longer or shorter, depending on how transient the IP is likely to
be. For example, there may be little value keeping a DHCP assigned IP in the watchlists for longer than 1 week as it may
have been assigned to another host.
General steps to configure watchlists can be found here.

To create the External Fabric Threats Watch List Group, take the following steps from the FortiSIEM GUI.
1. Navigate to RESOURCES > Watch Lists.
2. In the left pane, click the + icon to create a new watch list group.
3. From the Create New Watch List Group window, take the following steps:
a. In the Group field, enter "External Fabric Threats".
b. From the Type drop-down list, select IP.
c. In the Expired in # Week(s) field, enter/select 2.

d. Click Save.

To create the Fabric Threats Watch List Group, take the following steps from the FortiSIEM GUI.
1. Navigate to RESOURCES > Watch Lists.
2. In the left pane, click the + icon to create a new watch list group.
3. From the Create New Watch List Group window, take the following steps:
a. In the Group field, enter "Fabric Threats".
b. From the Type drop-down list, select IP.
c. In the Expired in # Week(s) field, enter/select 1.
d. Click Save.

Import Custom Rules

The custom rules are contained in two files, High_Risk_Device.xml and UEBA_Fabric.xml.
Download links:

• High_Risk_Device.xml
• UEBA_Fabric.xml

To import these two customized rule sets, take the following steps:

Import High_Risk_Device.xml Rule
1. Navigate to RESOURCES > Rules > Security.
2. Click Import, select the High_Risk_Device.xml file, and click Import.

Import UEBA_Fabric.xml Rule
1. Navigate to RESOURCES > Rules > Security > UEBA.
2. In the upper part of the left pane, click the + icon to create a new folder/group.
3. In the Group field, enter "Fabric".
4. Click Save.
5. Navigate to RESOURCES > Rules > Security > UEBA > Fabric, which is your newly created folder/group.
6. Click Import, select the UEBA_Fabric.xml file, and click Import.

Map Custom Rules

The FortiSIEM rules that have been imported, as well as the existing rules, need to be mapped to the custom watch list
groups defined in the earlier step.
For each of the rules listed in FortiSIEM Customized Rules, the watch list assignment must be customized. Follow these
general steps to ensure each rule is mapped to the new watch lists.
1. Ensure RESOURCES > Rules is selected.
2. In the search field, enter the rule you wish to edit. When it appears, select it.
3. Click Edit, and select Selected Rule.
4. Click Step 3: Define Action.
5. Clear the Watch List field, if an entry exists by clicking on the Trash icon.
6. From the Watch List row, click the Edit icon.
7. From the Available Watch List column, select the appropriate watch list (use the Attribute map to Watchlist
column from the FortiSIEM Customized Rules table to identify which watch list to assign), and click the > button to
move it to the Selected column.
8. Click Save.
9. Click Save.
10. Confirm that the rule is enabled by verifying that the Active checkbox is checked.

Here is one specific example, using the rule “Failed VPN Logon From Outside My Country”.

1. Navigate to RESOURCES > Rules.
2. In the search field, enter "Failed VPN Logon from outside".
3. Click Edit, and select Selected Rule.
4. Click Step 3: Define Action.
5. Click the Edit icon.
6. From the Available Watch List column, select External Fabric Threats.
7. Click the > button to move it to the Selected column.
8. Click Save.
9. Click Save.
10. Confirm that the rule is enabled by verifying that the Active checkbox is checked.

Integrate Watch Lists into FortiGate

There are two steps to this process:

1. Identify the endpoint API that FortiGate will connect to.
2. Configure the Security Fabric Threat Feed Integration.

An example of configuring FortiGate to pull entries from the "External Fabric Threats" watch list is provided
here.
1. In the FortiGate, navigate to Security Fabric > External Connectors.
2. Click Create New.
3. Under the Threat Feeds section, select IP Address.
4. Input the fields for the IP Address Threat Feed
a. In the Name field, enter a name, for example "FSM_Threat_Feed".
Note: It must begin with “g-“ if the FortiGate is in multi-vdom mode, for example "g-FSM_Threat_Feed".
b. Set Update method to External Feed. This method pulls the updates from the external feed at a configured
interval.
c. Enter the appropriate URL for one of the watchlist groups (External Fabric Threats or Fabric Threats), in the
format of:
   • https://<ip of FortiSIEM>:<port>/phoenix/rest/watchlist/ip?name=External%20Fabric%20Threats
   OR
   • https://<ip of FortiSIEM>:<port>/phoenix/rest/watchlist/ip?name=Fabric%20Threats
d. Enable HTTP basic authentication.
e. In the Username field, enter "super/<username>". In the Password field, enter the password associated with
the account.
Note: If using a multi-tenant version of FortiSIEM, replace the org "super" with the name of the organization
that you need to integrate with.
f. (Optional) In the Refresh Rate field, increase/decrease the refresh rate as needed.

g. Click OK.

5. Once created, double-click on the new feed on the list page to open the Threat feed once again. On the right gutter
area, Connection Status should now display a green arrow. Click on View Entries to display the entries received
from FortiSIEM.
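The connector above consumes the watch list URL directly, so it is worth checking what FortiSIEM returns before pointing a FortiGate at it. The following script is an added example, not part of this guide or of either product: it builds the URL in the format given above, pulls it with HTTP basic authentication as super/<username>, and reports any entry that is not an IP address, range or subnet. It assumes the endpoint returns one entry per line (the plain-text form an IP threat feed consumes); the host name, credentials and sample body are placeholders or constructed.

```python
"""Pull a FortiSIEM watch list the way the FortiGate threat-feed connector does
and check that every entry is something an IP threat feed can use."""
import base64
import ipaddress
import os
import ssl
import urllib.parse
import urllib.request

# Assumption (not stated in the guide): the endpoint returns plain text with one
# entry per line, which is what the FortiGate IP threat feed reads. Adjust
# parse_feed() if your instance returns a different shape.


def watchlist_url(fortisiem_host: str, port: int, group: str) -> str:
    """Build the URL in the guide's format, URL-encoding the group name."""
    return (f"https://{fortisiem_host}:{port}/phoenix/rest/watchlist/ip"
            f"?name={urllib.parse.quote(group)}")


def classify_entry(entry: str):
    """Return ('address'|'network'|'range', parsed value) or raise ValueError."""
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range {entry!r}")
        return "range", (lo, hi)
    if "/" in entry:
        return "network", ipaddress.ip_network(entry, strict=False)
    return "address", ipaddress.ip_address(entry)


def parse_feed(body: str):
    """Split a feed body into (valid, invalid) lists; blank lines are ignored."""
    valid, invalid = [], []
    for lineno, raw in enumerate(body.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            kind, _ = classify_entry(entry)
            valid.append((kind, entry))
        except ValueError:
            invalid.append((lineno, entry))
    return valid, invalid


def fetch_feed(url: str, org_user: str, password: str, timeout: int = 10) -> str:
    """GET the watch list with HTTP basic auth (username 'super/<user>' per the guide).
    Certificate verification stays on; trust the FortiSIEM CA rather than disabling it."""
    token = base64.b64encode(f"{org_user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=timeout,
                                context=ssl.create_default_context()) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample body standing in for a real response (last line is deliberately bad).
SAMPLE_BODY = """10.100.91.100
203.0.113.0/24
198.51.100.10-198.51.100.20
2001:db8::5
not an ip
"""

if __name__ == "__main__":
    host = os.environ.get("FSM_HOST", "fortisiem.example.invalid")  # placeholder host
    url = watchlist_url(host, 443, "External Fabric Threats")
    body = SAMPLE_BODY
    if os.environ.get("FSM_PASSWORD"):  # only hit the network when credentials are supplied
        body = fetch_feed(url, os.environ.get("FSM_USER", "super/admin"),
                          os.environ["FSM_PASSWORD"])
    ok, bad = parse_feed(body)
    print(f"{url}\n{len(ok)} usable entries, {len(bad)} rejected")
    for lineno, entry in bad:
        print(f"  line {lineno}: {entry!r} is not an IP address, range or subnet")
```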

FortiGate Methods to Utilize the Feed

There are various methods in which administrators can apply access control based on the IP Threat Feed that is
synchronized from FortiSIEM. Below are examples of several methods.

Method 1: Apply threat feed as source in firewall policy to deny access to VIP
Applies to: On-net and Off-net users and devices
This assumes that FortiGate has various protected servers exposed to the Internet or on the internal network via a VIP.
To block access from risky devices, set the policy source to the IP threat feed (FSM_Threat_Feed).

Note: For the Off-net use case, the IP threat feed must contain public IPs that should be blacklisted.

Method 2: Apply threat feed as source in a regular firewall policy


Applies to: On-net users and devices
When users are on-net and have access to protected servers without going through VIPs, the corresponding ISFW
(Internal Segmentation Firewall) can block traffic from devices in the IP threat feed.

Note: When firewalls are configured in a Security Fabric, the IP threat feed is not synchronized from the root
FortiGate. Therefore, an IP threat feed must be configured on each FortiGate that acts as an ISFW.

Method 3: Apply threat feed as source in a local-in policy to deny IKE/SSL/HTTPS or any administrative access
destined to the FortiGate WAN or internal interface.
Applies to: On-net and Off-net users and devices

    config firewall local-in-policy
        edit 1
            set intf "port1"
            set srcaddr "FSM_Threat_Feed" // name of threat feed
            set dstaddr "all"
            set service "IKE" // service(s) to block
            set schedule "always"
        next
    end

This can block new VPN connections based on source IP via IKE, HTTPS (443) or custom SSL VPN port. This will also
block existing tunnel connections, since this is blocking at the packet/protocol level.
Blocking local-in traffic can also prevent rogue employees from accessing the FortiGate firewall itself.
See https://docs.fortinet.com/document/fortigate/7.2.99/administration-guide/363127/local-in-policy
Note: For the Off-net use case, the IP threat feed must contain public IPs for this to work.

Method 4: Apply threat feed as source on an SSL VPN or IPsec VPN based firewall policy.
Applies to: Off-net dialup IPsec VPN users or SSL VPN users
This method assumes an endpoint is already connected to the FortiGate via VPN. The user/device behavior causes the
risk threshold to be exceeded on FortiSIEM, which in turn causes its VPN address to be added to the watchlist.

The above policy allows traffic from any user that is NOT in the IP-threat-VPN-IPs feed. This method can block a device
based on the IP assigned by the FortiGate via SSL VPN or IPsec VPN.
Example source IP pool for SSL VPN:

Note: The FortiSIEM watchlist needs to filter for only events that produce the SSL VPN or IPsec VPN IP address
assigned by the FortiGate.

Method 5: Apply threat feed as source on a ZTNA policy.


Applies to: Off-net users
This method assumes the remote device connects to protected resources behind the FortiGate via its ZTNA application
gateway. In an agentless use case, FortiClient is not installed on the endpoint and the FortiGate must disable verification
of device certificate.

    config firewall access-proxy
        edit "ZTNA-access"
            set vip "ZTNA-access"
            set client-cert disable
        next
    end

ZTNA tags will not be used for security posture check. However, the threat feed can be used as source in the firewall
policy.
The following policy allows traffic sourced from all IPs except for those in the FSM_Threat_Feed.

    config firewall proxy-policy
        edit 1
            set name "ZTNA-Rule"
            set proxy access-proxy
            set access-proxy "86-FortiGate"
            set srcintf "port1"
            set srcaddr "FSM_Threat_Feed"
            set dstaddr "all"
            set srcaddr-negate enable
            set action accept
            set schedule "always"
            set groups "Remote-Rad"
        next
    end

Verification

In the following example, an on-net user's activity is logged to FortiSIEM Cloud. Certain actions trigger FortiSIEM rules
and UEBA AI detection. Consequently, the user's device IP (10.100.91.100) is added to FortiSIEM's Fabric Threats watchlist.
This list is synchronized to the Enterprise Core and 1st Floor FortiGates as an IP threat feed. Each FortiGate applies
different methods to control access using the IP threat feed. As a result, the suspicious user is denied access to
protected resources and the FortiGates themselves.

Verify Device Added to Watchlist and Threat Feed

To verify that a device has been added to the Watchlist and Threat Feed, take the following steps.

1. On FortiSIEM, verify an incident has been triggered by navigating to INCIDENTS, and checking for active incidents.

2. Verify the user’s device IP has been added to the corresponding watchlist by navigating to Resources > Watch
Lists > Fabric Threats or Resources > Watch Lists > External Fabric Threats.

3. On both Enterprise Core and 1st Floor FortiGates, verify that the FSM_Threat_Feed has been populated with the
IP of the offending device.

Configure VIP to Block Access to Critical Assets

On Enterprise Core, configure VIPs to the critical assets, but block traffic coming from devices on the IP Threat Feed
(FSM_Threat_Feed) by taking the following steps.
1. Navigate to Policy & Objects > Virtual IPs.
2. Click Create New.
3. Configure settings for forwarding to Web server 1 and Web server 2.
4. Click OK to save.

5. Navigate to Policy & Objects > Firewall Policy.
6. Click Create New.
7. Configure settings for blocking traffic to Webservers if the source is in the FSM_Threat_Feed.
8. Click OK to save.
9. Create a new policy below the previous policy for allowing traffic to Webservers.

10. Click OK to save.

Verify Access to Critical Assets is Blocked

From the client computer, try accessing Web server 1 on the browser. The page cannot be loaded.

From the Enterprise Core FortiGate, view the Forward Traffic log from Log & Report, or retrieve the logs from the CLI.

    # execute log filter device 1
    # execute log filter field srcip 10.100.91.100
    # execute log display
    523 logs found.
    10 logs returned.
    2.0% of logs has been searched.
    1: date=2023-05-25 time=07:45:16 eventtime=1685000716783695562 tz="+0000" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.100.91.100 srcport=52937 srcintf="port3" srcintfrole="lan" dstip=10.100.88.201 dstport=443 dstintf="port2" dstintfrole="dmz" srcuuid="33be0c3e-fa84-51ed-ff7e-f46fdd152ee0" dstuuid="c0dc6c02-facd-51ed-7c87-bb67ad88b588" srcthreatfeed="FSM_Threat_Feed" srccountry="Reserved" dstcountry="Reserved" sessionid=2113273 proto=6 action="deny" policyid=29 policytype="policy" poluuid="19218144-facf-51ed-00f0-336ad3d22f0f" policyname="DENY-IP-Threat-to-Webservers" service="HTTPS" trandisp="dnat" tranip=10.100.77.101 tranport=443 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high" srchwvendor="Fortinet" devtype="Router" srcfamily="FortiGate" osname="FortiOS" mastersrcmac="00:09:0f:00:03:01" srcmac="00:09:0f:00:03:01" srcserver=0

Configure Firewall Policy to Control Access for Devices in the IP Threat Feed

On the 1st Floor ISFW FortiGate, configure firewall policies that block traffic coming from devices on the IP Threat Feed
(FSM_Threat_Feed). Also configure Internet access using restrictive web filters and application control for devices on
the IP Threat Feed.
1. On the 1st floor FortiGate, navigate to Policy & Objects > Firewall Policy.
2. Click Create New.
3. Configure settings for blocking traffic to Fabric Devices if the source is in the g-FSM_Threat_Feed list.

4. Click OK. Ensure this policy is above more general ACCEPT policies.
5. Navigate to Security Profiles > Application Control.
6. Create a strict-appctrl profile that blocks all categories except for a few categories which are monitored.

7. Navigate to Security Profiles > Web filter.
8. Create a strict-webfilter profile that blocks all FortiGuard categories except for News & Media.

9. Create a new firewall policy. Allow traffic if source is in the g-FSM_Threat_Feed list, but apply a strict web filter
and application control profile.

10. Click OK. Ensure this policy is above more general ACCEPT policies.

Verify Access is Controlled by the 1st Floor ISFW Firewall

From the client computer, try accessing FortiAnalyzer (10.100.88.2) on the browser. The page cannot be loaded.
Try to browse to a Job Search website. The page is blocked by FortiGuard web filtering.

Try to browse to a news website. The page is allowed.

From the 1st Floor FortiGate, view the Forward Traffic log from Log & Report, or retrieve the logs from the CLI.

    # execute log filter device 0
    # execute log filter field srcip 10.100.91.100
    # execute log filter field srcthreatfeed g-FSM_Threat_Feed
    # execute log filter field utmaction block
    # execute log display
    827: date=2023-05-25 time=19:50:07 eventtime=1685044207397973276 tz="+0000" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.100.91.100 srcname="TAMIGERBER" srcport=1962 srcintf="port3" srcintfrole="lan" dstip=162.159.129.67 dstport=443 dstintf="port1" dstintfrole="wan" srcuuid="3fce57a6-fa91-51ed-87dc-0bf9d8ae8bdb" dstuuid="c935b9d6-f94b-51ed-e21f-70dcd8bb79b3" srcthreatfeed="g-FSM_Threat_Feed" srccountry="Reserved" dstcountry="United States" sessionid=955945 proto=6 action="close" policyid=16 policytype="policy" poluuid="8c5f6c5c-fb33-51ed-b1bb-0ffd30cba894" policyname="restrictive-Internet-Access" service="HTTPS" trandisp="noop" duration=3 sentbyte=1051 rcvdbyte=3242 sentpkt=12 rcvdpkt=9 appcat="unscanned" utmaction="block" countweb=1 osname="Windows" srcswversion="8.1" mastersrcmac="02:09:0f:00:09:01" srcmac="02:09:0f:00:09:01" srcserver=0 utmref=65309-3798

    # execute log filter reset
    # execute log filter device 0
    # execute log filter field srcip 10.100.91.100
    # exec log filter field dstip 10.100.88.2
    # exec log display
    1: date=2023-05-25 time=19:48:44 eventtime=1685044125006495125 tz="+0000" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.100.91.100 srcname="TAMIGERBER" srcport=1926 srcintf="port3" srcintfrole="lan" dstip=10.100.88.2 dstport=443 dstintf="port1" dstintfrole="wan" srcuuid="3fce57a6-fa91-51ed-87dc-0bf9d8ae8bdb" dstuuid="c4a972da-fb31-51ed-fb05-6e32c1f14616" srcthreatfeed="g-FSM_Threat_Feed" srccountry="Reserved" dstcountry="Reserved" sessionid=955622 proto=6 action="deny" policyid=15 policytype="policy" poluuid="16755c78-fb32-51ed-bd1b-29207f60dd4c" policyname="DENY-FabricDevices-Access" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high" osname="Windows" srcswversion="8.1" mastersrcmac="02:09:0f:00:09:01" srcmac="02:09:0f:00:09:01" srcserver=0

Configure local-in Policy to Block Access From Devices in the IP Threat Feed

On both the Enterprise Core and 1st Floor ISFW FortiGates, configure local-in policies that block access from devices on
the IP Threat Feed (FSM_Threat_Feed). Packets arriving on the interface will be dropped and logged.
1. On the Enterprise Core FortiGate’s CLI, configure the following rule:
    config firewall local-in-policy
        edit 1
            set intf "port3"
            set srcaddr "FSM_Threat_Feed"
            set dstaddr "all"
            set service "ALL"
            set schedule "always"
        next
    end

2. On the 1st Floor FortiGate’s CLI, configure the following rule:

    config firewall local-in-policy
        edit 1
            set intf "port1"
            set srcaddr "g-FSM_Threat_Feed"
            set dstaddr "all"
            set service "ALL"
            set schedule "always"
        next
    end

3. On both FortiGates, navigate to Log & Report > Log Settings.
4. Under Global Settings, set Log denied unicast traffic to enable.
5. Click Apply.

Verify Access to the FortiGates is Blocked by the local-in Policy

From the client computer, try to open the 1st Floor FortiGate (10.100.88.101) in a browser. The page cannot be
loaded.
Sniff for packets from the client. Only the client's inbound SYNs and their retransmissions appear; the local-in policy
drops them, so no SYN-ACK is ever returned:
# diag sniffer packet any 'host 10.100.91.100 and port 443' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.100.91.100 and port 443]
2023-05-25 22:24:57.463149 port3 in 10.100.91.100.5013 -> 10.100.88.101.443: syn 1024673119
2023-05-25 22:24:57.714817 port3 in 10.100.91.100.5014 -> 10.100.88.101.443: syn 674054329
2023-05-25 22:25:00.464681 port3 in 10.100.91.100.5013 -> 10.100.88.101.443: syn 1024673119
2023-05-25 22:25:00.718445 port3 in 10.100.91.100.5014 -> 10.100.88.101.443: syn 674054329

View the Local Traffic log from Log & Report, or retrieve the logs from the CLI.

# exec log filter category 0
# exec log filter field srcip 10.100.91.100
# exec log filter field subtype local
# exec log display
1: date=2023-05-25 time=22:37:09 eventtime=1685054229545948615 tz="+0000" logid="0001000014"
type="traffic" subtype="local" level="notice" vd="root" srcip=10.100.91.100
srcname="TAMIGERBER" srcport=5248 srcintf="port3" srcintfrole="lan" dstip=10.100.88.101
dstport=443 dstintf="root" dstintfrole="undefined"
srcuuid="3fce57a6-fa91-51ed-87dc-0bf9d8ae8bdb" dstuuid="c935b9d6-f94b-51ed-e21f-70dcd8bb79b3"
srcthreatfeed="g-FSM_Threat_Feed" srccountry="Reserved" dstcountry="Reserved" sessionid=1006928
proto=6 action="deny" policyid=1 policytype="local-in-policy"
poluuid="8411e586-fb4a-51ed-28e4-27b1e150b98a" service="HTTPS" trandisp="noop"
app="Web Management(HTTPS)" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0
appcat="unscanned" crscore=5 craction=262144 crlevel="low" osname="Windows" srcswversion="8.1"
mastersrcmac="02:09:0f:00:09:01" srcmac="02:09:0f:00:09:01" srcserver=0
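Both verification steps in this guide (the forward-policy deny on the 1st Floor ISFW and the local-in-policy deny above) rely on reading FortiOS key=value traffic logs and confirming that the deny was attributed to the threat feed (srcthreatfeed) rather than to some unrelated policy. The following Python is an added example, not part of this guide or of any Fortinet product, that parses that log format and classifies each entry by enforcement point. The sample entries are trimmed copies of the two log lines shown in this guide plus one constructed "accept" entry for contrast; the function names (parse_fortios_log, threat_feed_enforcement, summarize) are this example's own.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Constructed sample data: the two deny entries are trimmed from the log lines in
# this guide; the accept entry is invented for contrast (a host not on the feed).
FORWARD_DENY = (
    'date=2023-05-25 time=19:48:44 tz="+0000" logid="0000000013" type="traffic" '
    'subtype="forward" vd="root" srcip=10.100.91.100 srcname="TAMIGERBER" srcport=1926 '
    'srcintf="port3" dstip=10.100.88.2 dstport=443 dstintf="port1" '
    'srcthreatfeed="g-FSM_Threat_Feed" sessionid=955622 proto=6 action="deny" policyid=15 '
    'policytype="policy" policyname="DENY-FabricDevices-Access" service="HTTPS" crlevel="high"'
)
LOCAL_IN_DENY = (
    'date=2023-05-25 time=22:37:09 tz="+0000" logid="0001000014" type="traffic" '
    'subtype="local" vd="root" srcip=10.100.91.100 srcname="TAMIGERBER" srcport=5248 '
    'srcintf="port3" dstip=10.100.88.101 dstport=443 dstintf="root" '
    'srcthreatfeed="g-FSM_Threat_Feed" sessionid=1006928 proto=6 action="deny" policyid=1 '
    'policytype="local-in-policy" service="HTTPS" app="Web Management(HTTPS)" crlevel="low"'
)
ALLOWED = (  # constructed, not from the guide
    'date=2023-05-25 time=22:40:01 logid="0000000013" type="traffic" subtype="forward" '
    'srcip=10.100.91.50 dstip=10.100.88.2 dstport=443 action="accept" policyid=12 '
    'policytype="policy"'
)

# key=value tokens; a value is either a double-quoted string (which may contain
# spaces and parentheses, e.g. app="Web Management(HTTPS)") or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Parse one FortiOS key=value log line into a dict, stripping quotes."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def threat_feed_enforcement(line: str) -> Optional[Dict[str, str]]:
    """Return details of a deny attributed to a threat feed, or None.

    An entry counts only when action is deny AND srcthreatfeed is populated,
    so denies caused by unrelated policies are not mistaken for feed hits.
    The enforcement point is derived from policytype: a local-in-policy deny
    protects the FortiGate itself, a forward policy deny protects assets behind it.
    """
    f = parse_fortios_log(line)
    if f.get("action") != "deny" or not f.get("srcthreatfeed"):
        return None
    ptype = f.get("policytype", "")
    point = {"local-in-policy": "local-in", "policy": "forward"}.get(ptype, ptype or "unknown")
    return {
        "srcip": f.get("srcip", ""),
        "dstip": f.get("dstip", ""),
        "dstport": f.get("dstport", ""),
        "feed": f["srcthreatfeed"],
        "policyid": f.get("policyid", ""),
        "enforcement": point,
    }


def summarize(lines: Iterable[str]) -> Dict[tuple, int]:
    """Count threat-feed denies per (source IP, enforcement point)."""
    counts: Counter = Counter()
    for line in lines:
        hit = threat_feed_enforcement(line)
        if hit is not None:
            counts[(hit["srcip"], hit["enforcement"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (src, point), n in summarize([FORWARD_DENY, LOCAL_IN_DENY, ALLOWED]).items():
        print(f"{src}: {n} deny via {point}")
```

Pointing the same parser at a syslog export from both FortiGates gives a quick check that a host added to the watch list is being blocked at every intended enforcement point, and that no entry reports a deny without a srcthreatfeed value.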


Appendix

• Products Used
• Documentation Links

Products Used

The following product models and firmware were used in this guide.

Product     Model          Firmware
FortiGate   FortiGate-VM   FortiOS 7.2.4
FortiSIEM   FortiSIEM-VM   FortiSIEM 6.7.2

Documentation Links

FortiGate

FortiGate IP Threat Feed

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/891236

Local-in Policy

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/363127/local-in-policy

FortiSIEM

External System Configuration Guide (ESCG): https://docs.fortinet.com/document/fortisiem/7.0.0/external-systems-configuration-guide/780675/fortisiem-external-systems-configuration-guide-online

www.fortinet.com

Copyright© 2023 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
