FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
Andy_G
Staff
Article Id 189416

Description
This article describes how a network topology is discovered and visualized.


Scope
FortiSIEM

Solution
FortiSIEM discovers network topology at two levels: Layer 3 and Layer 2. Layer 3 connectivity is derived from IP addresses and subnet masks, while Layer 2 connectivity is derived from switch ports, MAC addresses and VLANs.
The Layer 3 topology is discovered by obtaining the IP address and subnet mask of every network interface on every device via SNMP (MIB-II, RFC 1213). Local-only ranges such as loopback (127.0.0.0/8) and link-local (169.254.0.0/16) are filtered out, and the remaining interfaces are grouped into distinct network segments.

A Layer 3 topology is visualized on the FortiSIEM Topology map by drawing:

  • Each network segment and each device as a node
  • A line from each network segment node to every device node that has an interface with an IP address in that segment

Devices are represented by vendor-specific icons; network segments are represented by a line labeled “Net-<net>/<maskbits>”. For visual clarity:

  • Only network devices are drawn by default. A network device is one that appears under the Network Device tab in the CMDB.
  • Only networks that contain devices discovered by AccelOps (and present in the CMDB) are drawn. A “+” button next to such a network expands it and displays its hosts in the topology graph; the “-” button hides those hosts again.
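The Layer 3 steps above (collect interface IP/mask pairs, drop loopback and link-local ranges, group the rest into segments, draw network devices by default and hosts only when a segment is expanded) as an added, runnable example. This is not FortiSIEM code or output: the interface records, device names and the "kind" field standing in for the CMDB Network Device tab are all constructed for illustration.

```python
"""Added example: build the Layer 3 topology graph from per-interface
IP/mask records, filtering local-only ranges as described above.
Constructed data, not real FortiSIEM or SNMP output."""
import ipaddress
from collections import defaultdict

# Constructed records modelled on what an SNMP walk of the MIB-II ipAddrTable
# (ipAdEntAddr / ipAdEntNetMask, RFC 1213) returns for each device.
# "kind" mirrors the CMDB distinction: "network" devices are drawn by default,
# "host" devices only when the segment is expanded with the "+" button.
INTERFACES = [
    ("core-rtr", "network", "10.0.1.1",     "255.255.255.0"),
    ("core-rtr", "network", "10.0.2.1",     "255.255.255.0"),
    ("core-rtr", "network", "127.0.0.1",    "255.0.0.0"),      # loopback, filtered
    ("core-rtr", "network", "169.254.10.5", "255.255.0.0"),    # link-local, filtered
    ("fw-01",    "network", "10.0.1.254",   "255.255.255.0"),
    ("fw-01",    "network", "203.0.113.2",  "255.255.255.248"),
    ("sw-01",    "network", "10.0.1.20",    "255.255.255.0"),
    ("web-01",   "host",    "10.0.2.10",    "255.255.255.0"),
    ("web-01",   "host",    "127.0.0.1",    "255.0.0.0"),      # loopback, filtered
]


def is_local_only(network: ipaddress.IPv4Network) -> bool:
    """Ranges that never represent a shared segment and are dropped."""
    return network.is_loopback or network.is_link_local


def segment_label(network: ipaddress.IPv4Network) -> str:
    """Node label used on the map: Net-<net>/<maskbits>."""
    return f"Net-{network.network_address}/{network.prefixlen}"


def layer3_segments(interfaces):
    """Return {segment_label: {device: kind}} for every distinct segment
    that has at least one discovered device with an interface in it."""
    segments = defaultdict(dict)
    for device, kind, ip, mask in interfaces:
        # ip_interface accepts a dotted netmask and derives the network.
        network = ipaddress.ip_interface(f"{ip}/{mask}").network
        if is_local_only(network):
            continue
        segments[segment_label(network)][device] = kind
    return dict(segments)


def topology_edges(segments, expanded=frozenset()):
    """Edges (segment -> device) as drawn: network devices always,
    hosts only for segments the user expanded with "+"."""
    edges = []
    for label, devices in sorted(segments.items()):
        for device, kind in sorted(devices.items()):
            if kind == "network" or label in expanded:
                edges.append((label, device))
    return edges


if __name__ == "__main__":
    segs = layer3_segments(INTERFACES)
    for label, devices in sorted(segs.items()):
        print(label, "->", ", ".join(sorted(devices)))
    print("default view:", topology_edges(segs))
    print("expanded:", topology_edges(segs, expanded={"Net-10.0.2.0/24"}))
```

Note that a multi-homed device (core-rtr, fw-01) appears under every segment it has an interface in, which is what produces the router-to-segment lines on the map, and that 203.0.113.0/29 is still drawn even though fw-01 is its only discovered member.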

When an enterprise network contains Layer 2 switches and hubs, a Layer 3 topology misses the connectivity from servers to Layer 2 switches and the trunk-port connectivity between Layer 2/3 switches. Layer 2 discovery is harder and, more importantly, vendor dependent, because vendors implement the Spanning Tree Protocol (STP) differently.

For Cisco switches, the Layer 2 topology is obtained via SNMP (the IEEE bridge/spanning tree MIB defined in RFC 1493, and CISCO-VTP-MIB) as follows:

For every switch:

1. Identify all active VLANs on that switch.
2. For every active VLAN:
   a) Get the MAC forwarding table.
   b) Get the STP table to identify trunk ports and the directly connected trunk port on the adjacent switch.

The MAC forwarding table from step 2a gives server-to-switch-port connectivity once the entries learned on the trunk ports identified in step 2b are removed. The trunk-port connectivity between switches is taken directly from step 2b.
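The per-VLAN procedure (steps 1 to 2b and the trunk-entry elimination just described) applied to one Cisco switch, as an added example that is not FortiSIEM code. All SNMP data is constructed: the VTP VLAN states, bridge addresses, MAC forwarding entries and STP designated-bridge values are made up. The criterion used to recognise a trunk port, a port whose STP designated bridge is a bridge other than the polled switch, is this example's own reading of "STP table to identify trunk ports"; the article does not spell out which STP columns FortiSIEM evaluates.

```python
"""Added example: steps 1-2b above applied to per-VLAN BRIDGE-MIB data from
one Cisco switch. Constructed data, not real SNMP output."""

# Step 1 input: vtpVlanState from CISCO-VTP-MIB, 1 = operational.
VTP_VLAN_STATE = {1: 1, 10: 1, 20: 1, 30: 2}

# dot1dBaseBridgeAddress of the switch being polled, as 12 hex digits.
OWN_BRIDGE_ADDR = "001122334455"
# dot1dBasePortIfIndex (bridge port -> ifIndex) and ifName (ifIndex -> name).
BASE_PORT_IFINDEX = {1: 10101, 3: 10103, 24: 10124}
IF_NAME = {10101: "Gi1/0/1", 10103: "Gi1/0/3", 10124: "Gi1/0/24"}

# Cisco exposes one BRIDGE-MIB instance per VLAN (polled with the community
# string suffixed "@<vlan>"); modelled here as dicts keyed by VLAN id.
#   fdb:        dot1dTpFdbPort               MAC -> bridge port it was learned on
#   designated: dot1dStpPortDesignatedBridge bridge port -> BridgeId, given as
#               16 hex digits (2-byte priority followed by the 6-byte bridge MAC)
NEIGHBOUR_BRIDGE_ADDR = "00aabbccddee"
PER_VLAN = {
    10: {"fdb": {"00:50:56:aa:00:01": 1,    # local server on an access port
                 "00:50:56:aa:00:02": 24,   # server behind the neighbouring switch
                 "00:aa:bb:cc:dd:ee": 24},  # the neighbouring switch itself
         "designated": {1: "8000" + OWN_BRIDGE_ADDR, 24: "8000" + NEIGHBOUR_BRIDGE_ADDR}},
    20: {"fdb": {"00:50:56:bb:00:03": 3,
                 "00:50:56:bb:00:09": 24},
         "designated": {3: "8000" + OWN_BRIDGE_ADDR, 24: "8000" + NEIGHBOUR_BRIDGE_ADDR}},
    30: {"fdb": {"00:50:56:cc:00:04": 3},   # VLAN 30 is suspended: never consulted
         "designated": {3: "8000" + OWN_BRIDGE_ADDR}},
}


def trunk_ports(designated, own_bridge_addr):
    """Step 2b (assumed criterion): a port whose STP designated bridge is not
    this switch leads to another switch. Returns {bridge_port: neighbour MAC}."""
    trunks = {}
    for port, bridge_id in designated.items():
        neighbour = bridge_id[4:].lower()          # drop the 2-byte priority
        if neighbour != own_bridge_addr.lower():
            trunks[port] = neighbour
    return trunks


def discover_layer2(vlan_state, per_vlan, own_bridge_addr, base_port_ifindex, if_name):
    """Return (hosts, trunks):
    hosts  = {mac: (vlan, ifName)} for MACs learned on non-trunk ports
    trunks = {ifName: (neighbour bridge MAC, set of VLANs seen on that link)}"""
    hosts, trunks = {}, {}
    for vlan, state in vlan_state.items():
        if state != 1 or vlan not in per_vlan:    # step 1: active VLANs only
            continue
        tables = per_vlan[vlan]
        uplinks = trunk_ports(tables["designated"], own_bridge_addr)   # step 2b
        for mac, port in tables["fdb"].items():                        # step 2a
            # Skip MACs learned across a trunk (they sit behind another switch)
            # and entries with no known port (dot1dTpFdbPort 0).
            if port in uplinks or port not in base_port_ifindex:
                continue
            hosts[mac] = (vlan, if_name[base_port_ifindex[port]])
        for port, neighbour in uplinks.items():
            name = if_name[base_port_ifindex[port]]
            trunks.setdefault(name, (neighbour, set()))[1].add(vlan)
    return hosts, trunks


def port_mapping_table(hosts):
    """Rows (ifName, vlan, mac), the shape of the Port Mapping Table view."""
    return sorted((name, vlan, mac) for mac, (vlan, name) in hosts.items())


if __name__ == "__main__":
    hosts, trunks = discover_layer2(VTP_VLAN_STATE, PER_VLAN, OWN_BRIDGE_ADDR,
                                    BASE_PORT_IFINDEX, IF_NAME)
    for row in port_mapping_table(hosts):
        print("host   %-9s VLAN %-3d %s" % row)
    for name, (neighbour, vlans) in sorted(trunks.items()):
        print("trunk  %-9s -> bridge %s, VLANs %s" % (name, neighbour, sorted(vlans)))
```

Two things worth noticing on real data: several MACs on one non-trunk port are legitimate (a hub, or a hypervisor with many guests) and must not be confused with a trunk, which is why the example keys trunk detection on the STP table rather than on entry counts; and the neighbouring switch's own MAC lands in the forwarding table on the trunk port, so it disappears with the other trunk entries instead of being drawn as a host.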

The Layer 2 topology is visualized on the FortiSIEM topology diagram by choosing Layer 2 mode. Clicking the “+” next to a device displays the VLANs on that switch. Trunk-port connectivity is shown in orange, and a tooltip lists the VLANs carried over that trunk link.

Clicking the “+” of a VLAN displays the hosts belonging to that VLAN and the switch ports they connect to. The host-to-switch-port connectivity can also be viewed in tabular form by first clicking the switch and then clicking “Port Mapping Table”.

Here is an example of a topology diagram in FortiSIEM:

[Image: topology.png (example FortiSIEM topology diagram)]


Related Articles

Technical Note: [Accelops KB] Product Functionality: Multiple Topology Views
