Fortinet FortiAnalyzer

The JSA Fortinet FortiAnalyzer content extension adds custom properties, reports, and saved searches for Fortinet FortiAnalyzer.

JSA Fortinet FortiAnalyzer Content Extension V1.3.2

The Action custom property was assigned a new ID. Delete any existing Action custom properties before you upgrade to V1.3.2.

The owner of the Policy custom property was set to admin.

JSA Fortinet FortiAnalyzer Content Extension V1.3.1

The following table shows the custom properties that were changed in JSA Fortinet FortiAnalyzer Content Extension V1.3.1.

Table 1: Changed Custom Properties in JSA Fortinet FortiAnalyzer Content Extension V1.3.1

The following custom properties now have Optimized set to Yes:

  • Action
  • Duration_Seconds
  • URL

The following custom property was renamed.

Table 2: Renamed Custom Properties in JSA Fortinet FortiAnalyzer Content Extension V1.3.1

  • Virus Name was renamed to Threat Name.

JSA Fortinet FortiAnalyzer Content Extension V1.3.0

The following table describes the changes that are included in JSA Fortinet FortiAnalyzer Content Extension V1.3.0.

Table 3: Change List for the Fortinet FortiAnalyzer Content Extension V1.3.0

Saved searches:

  • All Blocked Web Sites by URL Rating: Added aggregated function (min).
  • Antivirus Actions per Violation Type: Enclosed field names in double quotation marks.
  • Top Active Web Users: Converted to basic search.
  • Top Allowed Applications v4 User Agency: Converted to basic search.
  • Top Allowed Categories v4: Converted to basic search.
  • Top Allowed Web Sites By URL Rating: Added aggregated function (min).
  • Top Allowed Web Sites v4 User Agency: Converted to basic search.
  • Top Applications: Enclosed field names in double quotation marks.
  • Top Applications by Type: Added "Application Type" is not NULL to the where clause.
  • Top Applications by Type v4 User Agency: Converted to basic search. Added Application Type != 'N/A' to the filter.
  • Top Blocked Categories v4: Converted to basic search.
  • Top Blocked Web Sites: Converted to basic search.
  • Top Infected Files for Most Common Destinations: Enclosed field names in double quotation marks.
  • Top Services by Volume: Added aggregated function (sum).
  • Top Sources by Volume: Added aggregated function (sum).
  • Top Virus Sources per Device: Enclosed field names in double quotation marks.
  • Top Virus Sources per Interface: Enclosed field names in double quotation marks.
  • Top Web Destinations by Volume: Enclosed field names in double quotation marks. Added HH:mm:ss to the date format.
  • Top Web Servers by Volume: Added aggregated function (sum).
  • Web Volume by Time: Removed the non-aggregated field and the unused destination IP field. Added HH:mm:ss to the date format.

Reports:

  • Fortigate - Agency User Request - top Applications by Type: Replaced the Top Applications chart with the Top Applications by Type chart.
  • Fortigate - Operational Report - Initiated from Internet: Removed this report.

Custom properties:

  • Fortinet Action: Renamed to Action.
  • Fortinate App Control: Renamed to Application.
  • Fortinet App Control: Renamed to Application Category.
  • Application Control Application: Removed this custom property.
  • Fortinet Application Type: Renamed to Application Type and updated the regex to:
    [\t,]{1}(?:apptype|app_type)=("{0,1})([\w\/\-.]+)\1
  • Fortinet BytesReceived: Renamed to BytesReceived.
  • Fortinet BytesSent: Renamed to BytesSent.
  • Fortinet Category Description: Renamed to Category Description.
  • Fortinet Destination Interface: Renamed to Destination Interface and updated the regex to:
    (?:dst_int|dstintf)=("{0,1})([\w\-\/]+)\1
  • Fortinet Device Name: Renamed to Device Name.
  • Fortinet Hostname: Removed this custom property.
  • Hostname FortiGate: Removed this custom property.
  • Fortinet Policy ID: Removed this custom property.
  • Fortinet Service: Renamed to Service and updated the regex to:
    service="([\w\-\/()+& ]+)" AND service=([\w\-\/()+&]+)[\t ,]{1}
  • Fortinet Session Number: Renamed to Session Number and updated the regex to:
    (SN|sessionid)=(\d+)
  • Fortinet Site: Renamed to Hostname.
  • Fortinet Source Interface: Renamed to Source Interface and updated the regex to:
    (?:src_int|srcintf)=("{0,1})([\w\-\/]+)\1
  • Fortinet Status: Renamed to Status and updated the regex to:
    status=("{0,1})([\w\_\-]+)\1
  • Fortinet Subtype: Renamed to Subtype and updated the regex to:
    subtype=("{0,1})([\w\-\_]+)\1
  • Fortinet Type: Renamed to Type and updated the regex to:
    ([\t ,])type=("{0,1})([\w\-]+)\2
  • Fortinet URL: Renamed to URL.
  • VirusName: Updated the regex to:
    ([\t ,])virus=(["]{0,1})(.*?)\2\1
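As an added example (not part of the content extension or of this change list), the following Python applies several of the V1.3.0 custom-property regexes above to two constructed FortiGate-style log lines, so that an analyst can confirm which capture group holds the value before mapping it in JSA. The log lines are constructed samples, not real device output; the device name and log ID in them are placeholders.

```python
import re

# Updated V1.3.0 regexes copied from the change list above, paired with the
# capture group that holds the extracted value. Patterns that make the opening
# quote optional ("{0,1}) and close with a backreference put the value in
# group 2, or in group 3 when a leading delimiter is captured first.
PROPERTY_REGEXES = {
    "Type": (r'([\t ,])type=("{0,1})([\w\-]+)\2', 3),
    "Subtype": (r'subtype=("{0,1})([\w\-\_]+)\1', 2),
    "Status": (r'status=("{0,1})([\w\_\-]+)\1', 2),
    "Source Interface": (r'(?:src_int|srcintf)=("{0,1})([\w\-\/]+)\1', 2),
    "Destination Interface": (r'(?:dst_int|dstintf)=("{0,1})([\w\-\/]+)\1', 2),
    "Session Number": (r'(SN|sessionid)=(\d+)', 2),
    # The leading [\t,] means a space before apptype= does not match.
    "Application Type": (r'[\t,]{1}(?:apptype|app_type)=("{0,1})([\w\/\-.]+)\1', 2),
    # \2\1 requires the closing quote and the same delimiter after the value,
    # so a virus= field that ends the line without a trailing delimiter misses.
    "VirusName": (r'([\t ,])virus=(["]{0,1})(.*?)\2\1', 3),
}


def extract_properties(line: str) -> dict:
    """Return {property name: extracted value or None} for one log line."""
    result = {}
    for name, (pattern, group) in PROPERTY_REGEXES.items():
        match = re.search(pattern, line)
        result[name] = match.group(group) if match else None
    return result


# Constructed sample lines (not real device output): one space-delimited with
# quoted values, one comma-delimited with unquoted values.
SPACE_DELIMITED = (
    'date=2024-01-01 time=12:00:00 devname="FGT-LAB-1" logid="0211008192" '
    'type="utm" subtype="virus" eventtype="infected" level="warning" '
    'srcintf="port1" dstintf="port2" sessionid=123456 status="blocked" '
    'virus="EICAR_TEST_FILE" dtype="Virus" apptype="Web.Client" msg="File is infected."'
)
COMMA_DELIMITED = (
    'date=2024-01-01,time=12:00:01,devname=FGT-LAB-1,type=traffic,subtype=forward,'
    'srcintf=port3,dstintf=wan1,sessionid=7,status=success,apptype=Network.Service,action=accept'
)

if __name__ == "__main__":
    for line in (SPACE_DELIMITED, COMMA_DELIMITED):
        for name, value in extract_properties(line).items():
            print(f"{name:>21}: {value!r}")
        print()
```

Note that the Type pattern skips subtype=, eventtype= and dtype= because it requires a tab, space or comma immediately before type=, while the Application Type pattern returns nothing for the space-delimited line.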

JSA Fortinet FortiAnalyzer Content Extension V1.2.0

The following table describes the changes that are included in JSA Fortinet FortiAnalyzer Content Extension V1.2.0.

Table 4: Change List for the Fortinet FortiAnalyzer Content Extension V1.2.0

Saved searches. The following saved searches now use LOGSOURCETYPENAME(devicetype) instead of LOGSOURCETYPENAME(logsourceid) in their search parameters, so that all FortiGate devices return results as expected:

  • FortiGate - Top Blocked Applications
  • FortiGate - Antivirus Actions per Violation Type
  • FortiGate - Memory Usage by Time Period
  • FortiGate - Top Active Web Users
  • FortiGate - Active Firewall Sessions by Time Period
  • FortiGate - Top Applications by Type
  • FortiGate - Top Destinations by Volume
  • FortiGate - Top Infected Files for Most Common Destinations
  • FortiGate - Top Infected Files for Most Common Sources
  • FortiGate - Top Requested Web Pages
  • FortiGate - Top Services by Volume
  • FortiGate - Top Services by Volume per Traffic Destination
  • FortiGate - Top Sources by Volume
  • FortiGate - Top Users by Application
  • FortiGate - Top Viruses for Common Sources
  • FortiGate - Top Viruses for Most Common Destinations
  • FortiGate - Top Web Servers by Volume
  • FortiGate - Traffic Volume by Destination Interface
  • FortiGate - CPU Usage by Time Period
  • FortiGate - Top Web Sites for Most Active Users

The following saved searches had invalid AQL syntax that prevented them from completing; the syntax was corrected:

  • FortiGate - All Blocked Web Sites by URL Rating
  • FortiGate - top Allowed Web Sites By URL Rating

Custom properties:

  • hostname: Updated the regex to:
    hostname=["]{0,1}([A-Za-z0-9\-]*\.(.*?))["]{0,1}[\t ]{1}
  • Application Control Application: Updated the regex to:
    app(\=["]{0,1}(.*?)["]{0,1}[ ,])
  • Action: Updated the regex to:
    ((action=|status=)["]{0,1}(.*?))["]{0,1}[ \t,] /* [ \t,]

JSA Fortinet FortiAnalyzer Content Extension V1.1.0

The following saved searches were added in JSA:

  • Fortigate - Active Firewall Sessions by Time Period
  • Fortigate - All Blocked Web Sites by URL Rating
  • Fortigate - Antivirus Actions per Violation Type
  • Fortigate - CPU Usage by Time Period
  • Fortigate - Memory Usage by Time Period
  • Fortigate - Top Active Web Users
  • Fortigate - Top Allowed Applications v4 User Agency
  • Fortigate - Top Allowed Categories v4
  • Fortigate - Top Allowed Web Sites By URL Rating
  • Fortigate - Top Allowed Web Sites v4 User Agency
  • Fortigate - Top Applications
  • Fortigate - Top Applications by Type
  • Fortigate - Top Applications by Type v4 User Agency
  • Fortigate - Top Blocked Applications
  • Fortigate - Top Blocked Categories v4
  • Fortigate - Top Blocked Web Sites
  • Fortigate - Top Destinations by Volume
  • Fortigate - Top Infected Files for Most Common Destinations
  • Fortigate - Top Infected Files for Most Common Sources
  • Fortigate - Top Requested Web Pages
  • Fortigate - Top Services by Volume
  • Fortigate - Top Services by Volume per Traffic Destination
  • Fortigate - Top Sources by Volume
  • Fortigate - Top Users by Application
  • Fortigate - Top Virus Sources
  • Fortigate - Top Virus Sources per Interface
  • Fortigate - Top Viruses for Common Sources
  • Fortigate - Top Viruses for Most Common Destinations
  • Fortigate - Top Web Destinations by Volume
  • Fortigate - Top Web Servers by Volume
  • Fortigate - Top Web Sites for Most Active Users
  • Fortigate - Traffic Volume by Destination Interface
  • Fortigate - Web Volume by Time

The following table shows the custom properties that were added in JSA:

Table 5: Custom Properties Added in JSA Fortinet FortiAnalyzer Content Extension V1.1.0

Custom property and regex:

  • Active Sessions: totalsession=([0-9]+)
  • Application Control Application: app(\=(.*?)\ )
  • CPU Usage: cpu=([0-9]+)
  • Duration_Seconds: duration=(\d+)
  • Filename: filename=([^\s]+)
  • Fortinet Action: (action=| status=)(.*?)\
  • Fortinet App Control: app=(\"(.*?)\")
  • Fortinet Application Category: (appcat="| app_cat=")(.*?)\"
  • Fortinet Application Type: (apptype="| app_type=")(.*?)\"
  • Fortinet Bytes Received: ( rcvd=| rcvdbyte=)(.*?)\
  • Fortinet Bytes Sent: ( sent=| sentbyte=)(.*?)\
  • Fortinet Category Description: (catdesc="|cat_desc=")(.*?)\"
  • Fortinet Destination Interface: ( dst_int="| dstintf=")(\w*)\"
  • Fortinet Device Name: devname=((\w(\-)?)*)
  • Fortinet Hostname: hostname=(\"(.*?)\")
  • Fortinet Policy ID: policyid(\=(.*?)\ )
  • Fortinet Service: service(\=(.*?)\ )
  • Fortinet Session Number: (SN=|sessionid=)(.*?)\
  • Fortinet Site: hostname=(\"[A-Za-z\-]*\.(.*?)\")
  • Fortinet Source Interface: (src_int="|srcintf=")(\w*)\"
  • Fortinet Status: status(\=(.*?)\ )
  • Fortinet Subtype: subtype(\=(.*?)\ )
  • Fortinet Type: type(\=(.*?)\ )
  • Fortinet URL: url=(\"(.*?)\")
  • Hostname FortiGate: hostname=(\"(.*?)\")
  • Memory Usage: mem=([0-9]+)
  • Policy: policyid=(\d+)

The following reports were added in JSA:

  • Fortigate - Agency User Request - Allowed Web Sites
  • Fortigate - Agency User Request - Blocked Web Sites
  • Fortigate - Agency User Request - Category
  • Fortigate - Agency User Request - Top Allowed Applications
  • Fortigate - Agency User Request - Top Applications by Type
  • Fortigate - Agency User Request - Web Volume
  • Fortigate - Monthly - Personal Relationships
  • Fortigate - Monthly Status - Hardware Stats
  • Fortigate - Monthly Status - Traffic Volume
  • Fortigate - Monthly Status - Web Filter
  • Fortigate - Operational Report - Application Control
  • Fortigate - Operational Report - Initiated from Inside - Sites
  • Fortigate - Operational Report - Initiated from Inside - Sources and Dests
  • Fortigate - Operational Report - Initiated from Internet
  • Fortigate - Operational Report - Malicious Web Sites
  • Fortigate - Operational Report - Top Virus Destinations
  • Fortigate - Operational Report - Top Virus Sources
