FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
cmaheu
Staff
Article Id 289369
Description

This article describes how to verify if the appliance is receiving and processing syslog in integrations where FortiNAC receives security events from a firewall.

 

For a configuration example, see Configure Security Incidents in the Document Library.

Scope

FortiNAC-F/FortiNAC-OS 7.2 or greater, FortiNAC/CentOS 9.1 or greater
Solution
  1. Review firewall configuration to verify Syslog messages are configured properly. For integration details, see the applicable reference manual in the Document Library.
  2. Using tcpdump, confirm Syslog messages are reaching the appliance. Save output to a text file.

Type the following in the appliance CLI:

 

CentOS:


tcpdump -vnni any port 514 | grep -C5 <Firewall IP Address in Inventory>

 

FortiNAC-OS:


execute tcpdump -v -i port1 | grep -C5 <Firewall IP Address in Inventory>

 

  3. Generate a security event, then press Ctrl-C to stop tcpdump.
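
Added example (not part of the original article or Fortinet tooling): a Python helper, run on an admin workstation, that reads the tcpdump text saved in step 2 and reports how many syslog packets the firewall's Inventory address sent to port 514, their severities, and which other sources sent syslog. The function name, the sample capture and all addresses except 10.12.242.36 are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -vnn` text output (not from a real appliance).
SAMPLE = """\
10:15:01.100001 IP (tos 0x0, ttl 63, id 4121, offset 0, flags [none], proto UDP (17), length 148)
    10.12.242.1.20514 > 10.12.242.36.514: [udp sum ok] SYSLOG, length: 120
    Facility local7 (23), Severity warning (4)
    Msg: date=2024-01-01 time=10:15:01 type="utm" subtype="virus"
10:15:02.200002 IP (tos 0x0, ttl 63, id 4122, offset 0, flags [none], proto UDP (17), length 140)
    10.12.242.1.20514 > 10.12.242.36.514: [udp sum ok] SYSLOG, length: 112
    Facility local7 (23), Severity notice (5)
    Msg: date=2024-01-01 time=10:15:02 type="event" subtype="system"
10:15:03.300003 IP (tos 0x0, ttl 64, id 877, offset 0, flags [DF], proto UDP (17), length 96)
    10.12.242.7.41000 > 10.12.242.36.514: [udp sum ok] SYSLOG, length: 68
    Facility daemon (3), Severity info (6)
    Msg: constructed message from another host
"""

# "src.sport > dst.dport:" as tcpdump prints it when name resolution is off (-nn)
FLOW = re.compile(r"(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")
SEVERITY = re.compile(r"Severity (\w+) \(")

def summarize(capture_text, firewall_ip, syslog_port=514):
    """Count syslog packets from firewall_ip, their severities, and other senders."""
    from_fw, severities, others = 0, Counter(), Counter()
    current_is_fw = False  # does the packet being read come from the firewall?
    for line in capture_text.splitlines():
        flow = FLOW.search(line)
        if flow:
            src, _sport, _dst, dport = flow.groups()
            to_syslog = int(dport) == syslog_port
            current_is_fw = to_syslog and src == firewall_ip
            if current_is_fw:
                from_fw += 1
            elif to_syslog:
                others[src] += 1
            continue
        sev = SEVERITY.search(line)
        if sev and current_is_fw:
            severities[sev.group(1)] += 1
    return {"from_firewall": from_fw,
            "severities": dict(severities),
            "other_senders": dict(others)}

if __name__ == "__main__":
    print(summarize(SAMPLE, "10.12.242.1"))
```

A count of zero for the Inventory address alongside entries under other_senders means syslog is arriving, but from a different source address than the one used in the grep filter.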

 

Syslog messages are not received.

Confirm:

 

config system interface
show

 

Example:


config system interface
        (interface) # show
            config system interface
                edit port1
                    set ip 10.12.242.36/24
                    set allowaccess https ping ssh http syslog https-adminui nac-ipc radius
                next

 

 

Syslog messages are received but FortiNAC is not generating Security Events.

Enable debug:

CentOS:


nacdebug -name SecurityEventManager true
nacdebug -name SyslogServer true


FortiNAC-OS:


diagnose debug plugin enable SecurityEventManager
diagnose debug plugin enable SyslogServer

 

  • Generate a security event.
  • Disable debug:

 

CentOS:


nacdebug -name SecurityEventManager false
nacdebug -name SyslogServer false


FortiNAC-OS:


diagnose debug plugin disable SecurityEventManager
diagnose debug plugin disable SyslogServer

 

Contact Support for further assistance. Open a support ticket and provide the following:

 
