elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

Type in traffic.yml for Fortigate firewall #5121

Open reswob10 opened 1 year ago

reswob10 commented 1 year ago

On line 46 of the traffic.yml for the Fortinet Fortigate firewall, the field name being searched for is fortinet.firewall.tranip.

I'm pretty sure that should be fortinet.firewall.trandip.

reswob10 commented 1 year ago

I believe the same issue is on line 63: trandport instead of tranport.

elasticmachine commented 1 year ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

efd6 commented 1 year ago

From https://docs.fortinet.com/document/fortigate/6.2.3/fortios-log-message-reference/698060/8-log-id-traffic-wanopt tranip is "NAT destination IP". This corresponds to what the current code is doing.

https://github.com/elastic/integrations/blob/6447c7f4633d3fa34a3dd787c1f1603132f3cfd4/packages/fortinet_fortigate/data_stream/log/elasticsearch/ingest_pipeline/traffic.yml#L45-L55

Same for tranport, "NAT Destination Port".

https://github.com/elastic/integrations/blob/6447c7f4633d3fa34a3dd787c1f1603132f3cfd4/packages/fortinet_fortigate/data_stream/log/elasticsearch/ingest_pipeline/traffic.yml#L62-L67

reswob10 commented 1 year ago

The log samples I'm working with have trandip and trandport.

So... IDK?

On Sun, Jan 29, 2023, 4:56 PM Dan Kortschak @.***> wrote:


taylor-swanson commented 2 months ago

@reswob10, I took a look at Fortinet's documentation and I find no mention of trandip or trandport in either 7.x or 6.x.

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/74b11786-c11e-11ee-8c42-fa163e15d75b/FortiOS_6.4.15_Log_Reference.pdf
https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/94f9e5fe-0e30-11ef-8c42-fa163e15d75b/FortiOS_7.4.4_Log_Reference.pdf

There are plenty of references for tranip and tranport, which are for destination NAT IP and port, respectively. The only thing I see close to what you mentioned is trandisp, which is the NAT translation type.


What version of Fortigate/FortiOS are you running and would you be able to share any sample logs?
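As an added check, not code from the integration or from anyone in this thread: a small Python parser for Fortigate key=value log lines that maps the documented tranip/tranport keys to ECS destination.nat.* fields and reports any other tran* key (such as the trandip/trandport the reporter saw), so a mismatch between what the pipeline expects and what the device emits is visible instead of silently dropped. The ECS targets, the sample lines and the trandisp handling are assumptions for this example, not the integration's own mapping.

```python
import re
from collections import Counter

# Fortigate log lines are space-separated key=value pairs; values may be
# double-quoted (and then contain spaces) or bare.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumed mapping for this example: the FortiOS NAT fields discussed in the
# thread to the ECS fields a destination-NAT translation would land in.
NAT_FIELD_MAP = {
    "tranip": "destination.nat.ip",      # FortiOS "NAT destination IP"
    "tranport": "destination.nat.port",  # FortiOS "NAT destination port"
}
KNOWN_NON_NAT_TRAN_KEYS = {"trandisp"}  # NAT translation type, not an address

# Constructed sample lines: the first uses the documented keys, the second the
# trandip/trandport variant reported in this thread.
SAMPLE_LOGS = [
    'date=2023-01-29 time=16:56:00 logid="0000000013" type="traffic" subtype="forward" '
    'srcip=10.0.0.5 dstip=203.0.113.10 dstport=443 trandisp="dnat" tranip=192.168.1.20 tranport=8443',
    'date=2023-01-29 time=16:57:00 logid="0000000013" type="traffic" subtype="forward" '
    'srcip=10.0.0.6 dstip=203.0.113.11 dstport=80 trandisp="dnat" trandip=192.168.1.21 trandport=8080',
]

def parse_fortigate_line(line):
    """Parse one key=value log line into a dict of raw string fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV_RE.finditer(line)}

def map_nat_fields(raw):
    """Return (ecs_fields, unmapped_keys) for one parsed line.

    Any 'tran*' key that is neither mapped nor known is reported rather than
    dropped, so a device/pipeline naming mismatch is easy to spot."""
    ecs, unmapped = {}, []
    for key, value in raw.items():
        if key in NAT_FIELD_MAP:
            target = NAT_FIELD_MAP[key]
            ecs[target] = int(value) if target.endswith(".port") else value
        elif key.startswith("tran") and key not in KNOWN_NON_NAT_TRAN_KEYS:
            unmapped.append(key)
    return ecs, unmapped

def audit_nat_keys(lines):
    """Count every 'tran*' key across a log sample to see what the device emits."""
    counts = Counter()
    for line in lines:
        counts.update(k for k in parse_fortigate_line(line) if k.startswith("tran"))
    return counts
```

Running audit_nat_keys over a real export is a quick way to answer the question above about which keys a given FortiOS version actually produces.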