FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
Andy_G
Staff
Article Id 190501

Description

Summary of Topic

When FortiSIEM (AO) parses WatchGuard firewall events, the source and destination ports can be assigned incorrectly. The cause is an interface name that contains a space. The WatchGuard parser splits the message on whitespace and assigns attributes by position, so the extra token produced by the space shifts every field after the interface name by one position, and the port attributes receive the values of neighbouring fields instead of the real ports.

 

Here is a sample event that parses incorrectly because of this issue (the source interface is named "1-Digital VLAN", which contains a space):

<140>Oct 10 17:20:57 Datasphere (2012-10-10T22:20:57) firewall: Deny 1-Digital VLAN 0-External 52 tcp 20 63 10.1.1.1 63.1.1.1 34905 22 offset 8 S 3895962691 win 2105 (Everything - Deny-00)

Here is the same event with the space in the interface name removed (the interface renamed from "1-Digital VLAN" to "1-DigitalVLAN"). This event parses correctly, because the field count now matches what the parser expects:

<140>Oct 10 17:20:57 Datasphere (2012-10-10T22:20:57) firewall: Deny 1-DigitalVLAN 0-External 52 tcp 20 63 10.1.1.1 63.1.1.1 34905 22 offset 8 S 3895962691 win 2105 (Everything - Deny-00)

Additional Information

The options around this are:

1) rename the interface on the WatchGuard device so that its name contains no space. This needs no parser change, but the new name will appear in events and reports from that point on.

2) modify the FortiSIEM (AO) WatchGuard parser to accommodate a space in the interface name, for example by anchoring the port attributes on the fixed fields that follow the interface names (packet length, protocol, TTL, source and destination IP) rather than on their position counted from the start of the message.
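The following Python is an added illustration of the two parsing strategies, not FortiSIEM's own parser code (FortiSIEM parsers are not written in Python). It shows the positional parse that the article describes going wrong on the event above, beside an anchored parse that locates the ports by the fixed tail of the message and therefore tolerates spaces in interface names. The sample events are constructed from the article's example; the udp event, the assumption that WatchGuard interface names take the form "<index>-<name>", and all function names are the example's own.

```python
import re
from typing import Optional

# Constructed sample events modelled on the article's WatchGuard example.
# WITH_SPACE carries the source interface name "1-Digital VLAN" (space inside);
# NO_SPACE is the same event after the interface is renamed "1-DigitalVLAN";
# BOTH_SPACES (constructed, udp) has a space in both interface names.
WITH_SPACE = ('<140>Oct 10 17:20:57 Datasphere (2012-10-10T22:20:57) firewall: '
              'Deny 1-Digital VLAN 0-External 52 tcp 20 63 10.1.1.1 63.1.1.1 '
              '34905 22 offset 8 S 3895962691 win 2105 (Everything - Deny-00)')
NO_SPACE = WITH_SPACE.replace('1-Digital VLAN 0-External', '1-DigitalVLAN 0-External')
BOTH_SPACES = ('<140>Oct 10 17:21:03 Datasphere (2012-10-10T22:21:03) firewall: '
               'Allow 1-Digital VLAN 0-External WAN 60 udp 20 64 10.1.1.5 8.8.8.8 '
               '51000 53 (DNS-00)')


def parse_positional(event: str) -> dict:
    """Naive parser: split on whitespace after 'firewall:' and pick fields by index.
    This reproduces the field shift the article describes; it is the broken approach."""
    fields = event.split('firewall: ', 1)[1].split()
    # Expected layout:
    # action src_if dst_if length proto hdr_len ttl src_ip dst_ip src_port dst_port ...
    return {
        'action': fields[0],
        'src_if': fields[1],
        'dst_if': fields[2],
        'proto': fields[4],
        'src_ip': fields[7],
        'dst_ip': fields[8],
        'src_port': fields[9],
        'dst_port': fields[10],
    }


# Anchor on the fixed tail (length proto hdr_len ttl src_ip dst_ip src_port dst_port)
# instead of counting tokens from the left. Everything between the action and that
# tail is the pair of interface names, whatever whitespace they contain.
_IP = r'\d{1,3}(?:\.\d{1,3}){3}'
_EVENT_RE = re.compile(
    r'firewall: (?P<action>\S+) (?P<ifaces>.+?) '
    r'(?P<length>\d+) (?P<proto>[a-z0-9]+) (?P<hdr_len>\d+) (?P<ttl>\d+) '
    rf'(?P<src_ip>{_IP}) (?P<dst_ip>{_IP}) (?P<src_port>\d+) (?P<dst_port>\d+)(?: |$)'
)
# Assumption: WatchGuard names interfaces "<index>-<name>" (as in the sample event),
# so the destination interface begins at the first later word of that shape.
_IFACE_SPLIT_RE = re.compile(r'^(?P<src_if>\d+-.+?) (?P<dst_if>\d+-.+)$')


def parse_anchored(event: str) -> Optional[dict]:
    """Parser that tolerates spaces in interface names. Returns None if the event
    does not carry the fixed tail (e.g. it is not a WatchGuard traffic event)."""
    m = _EVENT_RE.search(event)
    if not m:
        return None
    rec = m.groupdict()
    ifaces = rec.pop('ifaces')
    split = _IFACE_SPLIT_RE.match(ifaces)
    if split:
        rec.update(split.groupdict())
    else:
        rec['src_if'], rec['dst_if'] = ifaces, ''   # cannot split safely; keep raw
    for key in ('length', 'hdr_len', 'ttl', 'src_port', 'dst_port'):
        rec[key] = int(rec[key])
    return rec


if __name__ == '__main__':
    for name, ev in (('with space', WITH_SPACE), ('no space', NO_SPACE),
                     ('both spaces', BOTH_SPACES)):
        naive = parse_positional(ev)
        good = parse_anchored(ev)
        print(f'{name:12s} positional -> sport={naive["src_port"]!r} '
              f'dport={naive["dst_port"]!r}')
        print(f'{name:12s} anchored   -> sport={good["src_port"]} dport={good["dst_port"]} '
              f'src_if={good["src_if"]!r} dst_if={good["dst_if"]!r}')
```

Running the script shows the positional parser reporting the destination IP as the source port for the event with the space, while the anchored parser returns 34905/22 for both forms of the event. The same idea carries over to a regex-based parser definition: match the port fields relative to the protocol, TTL and IP address fields that always follow the interface names, rather than relative to the start of the message.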

Version Application

All versions.
