Created on 10-10-2016 12:35 AM Edited on 05-26-2022 09:08 AM By Anonymous
Description
When AO parses WatchGuard events, the source and destination ports might be incorrect. This is likely due to the interface name having a space in it, which causes the parser to count an additional field/attribute in the event and shift every attribute assignment after it.
Here is a sample event that parses incorrectly due to this issue:
<140>Oct 10 17:20:57 Datasphere (2012-10-10T22:20:57) firewall: Deny 1-Digital VLAN 0-External 52 tcp 20 63 10.1.1.1 63.1.1.1 34905 22 offset 8 S 3895962691 win 2105 (Everything - Deny-00)
Here is that same event with the space in the interface name removed. This event parses correctly.
<140>Oct 10 17:20:57 Datasphere (2012-10-10T22:20:57) firewall: Deny 1-Digital VLAN0-External 52 tcp 20 63 10.1.1.1 63.1.1.1 34905 22 offset 8 S 3895962691 win 2105 (Everything - Deny-00)
The options for working around this are:
1) Modify your interface name to remove the space.
2) Modify the AO WatchGuard parser to accommodate the space in the interface name.
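The field shift and the idea behind option 2, as an added Python illustration (not AO parser code or its XML syntax): a positional split mis-assigns the ports on the first sample event, while a pattern anchored on the protocol and IP addresses does not. The field names and both function names are assumptions made for this sketch.

```python
import re

# The two sample events from this article: interface name with and without the space.
WITH_SPACE = ("<140>Oct 10 17:20:57 Datasphere (2012-10-10T22:20:57) firewall: "
              "Deny 1-Digital VLAN 0-External 52 tcp 20 63 10.1.1.1 63.1.1.1 "
              "34905 22 offset 8 S 3895962691 win 2105 (Everything - Deny-00)")
WITHOUT_SPACE = WITH_SPACE.replace("VLAN 0-External", "VLAN0-External")

# Layout a whitespace-splitting parser would assume (illustrative names only).
FIELDS = ["action", "in_if", "out_if", "num1", "proto", "num2", "num3",
          "src_ip", "dst_ip", "src_port", "dst_port"]

def parse_positional(event):
    """Assign fields by token position; one extra token shifts everything after it."""
    tokens = event.split("firewall:", 1)[1].split()
    return dict(zip(FIELDS, tokens))

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ANCHORED = re.compile(
    r"firewall:\s+(?P<action>\S+)\s+"
    r"(?P<interfaces>.+?)\s+"                  # both interface names, spaces allowed
    r"\d+\s+(?P<proto>tcp|udp)\s+\d+\s+\d+\s+" # fixed-shape fields act as the anchor
    rf"(?P<src_ip>{IP})\s+(?P<dst_ip>{IP})\s+"
    r"(?P<src_port>\d+)\s+(?P<dst_port>\d+)\b"
)

def parse_anchored(event):
    """Locate addresses and ports relative to the protocol/IP anchor, not by count."""
    m = ANCHORED.search(event)
    return m.groupdict() if m else None

if __name__ == "__main__":
    for label, ev in (("with space", WITH_SPACE), ("without space", WITHOUT_SPACE)):
        p, a = parse_positional(ev), parse_anchored(ev)
        print(f"{label}: positional {p['src_port']}->{p['dst_port']}, "
              f"anchored {a['src_port']}->{a['dst_port']}")
```

The anchored pattern keeps both interface names in one `interfaces` field, because once names may contain spaces the boundary between the two cannot be determined from whitespace alone.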
All versions.