Sumo Logic + Fortigate + Application Usage

Finding how much traffic specific applications and services push through your Fortigate firewall is easily done in Sumo Logic with a dashboard panel or a scheduled search.

Assumptions for this sample dashboard

  • There is a partition named security_logs for indexing
  • I have a class named fw_security as my category
  • I do not want to see any results under 50 KiB (51200 bytes) of usage; that is the total_bytes threshold in the query, and raising it to 52428800 gives a 50 MiB cut-off instead
  • Inbound and outbound are combined, and hints on how to limit directionality are in the query comments below
  • port13 is my WAN port and you will need to adjust as needed if you want to look at specific traffic direction

Everything in a Fortigate log is in key=value layout, so the newer keyvalue parsing operator lets me pull all the numeric and IP fields in 2 lines where individual parse statements would have taken 5.

The if function is used several times in the search query, specifically to remap blank or port-only service names to a known value.

I also put in some comments (anything after // is a comment) to describe what I am doing and how to limit the results to incoming or outgoing interfaces.
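To make the parse, remap, directionality and threshold steps easy to check before the search is scheduled, here is an added Python example (not part of the original post and not Sumo Logic code) that applies the same pipeline to a handful of constructed Fortigate traffic lines. The log lines, the WAN port name port13 and the 51200-byte threshold are assumptions taken from the assumptions list above; the Sumo Logic query itself follows below.

```python
import re
from collections import defaultdict

# Constructed sample Fortigate traffic lines (not captured from a real device);
# field names follow the key="value" layout the Sumo Logic query parses.
SAMPLE_LOGS = [
    # outbound HTTPS, LAN (port1) -> WAN (port13)
    'date=2024-01-01 time=10:00:00 type="traffic" subtype="forward" utmaction="allow" '
    'srcip=10.0.0.5 srcport=51234 srcintf="port1" dstip=203.0.113.10 dstport=443 '
    'dstintf="port13" service="HTTPS" app="Google.Web" appcat="Web.Client" sentbyte=40000 rcvdbyte=60000',
    # internal vCenter console traffic on tcp/902 with an empty app field
    'date=2024-01-01 time=10:00:01 type="traffic" subtype="forward" utmaction="allow" '
    'srcip=10.0.0.6 srcport=51235 srcintf="port1" dstip=10.0.1.20 dstport=902 '
    'dstintf="port2" service="tcp/902" app="" appcat="" sentbyte=30000 rcvdbyte=30000',
    # internal vCenter traffic on udp/902 with app/appcat missing entirely
    'date=2024-01-01 time=10:00:02 type="traffic" subtype="forward" utmaction="allow" '
    'srcip=10.0.0.6 srcport=51236 srcintf="port1" dstip=10.0.1.20 dstport=902 '
    'dstintf="port2" service="udp/902" sentbyte=10000 rcvdbyte=10000',
    # RBL lookup on udp/54, too small to pass the threshold
    'date=2024-01-01 time=10:00:03 type="traffic" subtype="forward" utmaction="allow" '
    'srcip=10.0.0.7 srcport=51237 srcintf="port1" dstip=198.51.100.9 dstport=54 '
    'dstintf="port13" service="udp/54" app="" appcat="" sentbyte=500 rcvdbyte=1500',
    # inbound SSH, WAN (port13) -> LAN (port1)
    'date=2024-01-01 time=10:00:04 type="traffic" subtype="forward" utmaction="allow" '
    'srcip=198.51.100.20 srcport=40000 srcintf="port13" dstip=10.0.0.8 dstport=22 '
    'dstintf="port1" service="SSH" app="" sentbyte=70000 rcvdbyte=5000',
    # blocked session and a UTM record: both excluded by the type/utmaction filter
    'date=2024-01-01 time=10:00:05 type="traffic" subtype="forward" utmaction="block" '
    'srcip=198.51.100.21 srcport=40001 srcintf="port13" dstip=10.0.0.9 dstport=3389 '
    'dstintf="port1" service="RDP" sentbyte=900000 rcvdbyte=900000',
    'date=2024-01-01 time=10:00:06 type="utm" subtype="webfilter" utmaction="allow" '
    'srcip=10.0.0.5 srcintf="port1" dstip=203.0.113.10 dstintf="port13" service="HTTPS" sentbyte=123456',
]

WAN_PORT = "port13"          # assumed WAN interface, as in the assumptions list
THRESHOLD_BYTES = 51200      # 50 KiB, the same cut-off as the query

# Mirrors the if() chain in the query: port-only service names -> friendly names.
SERVICE_REMAP = {
    "udp/54": "DNS-54",
    "tcp/902": "vCenter",
    "udp/902": "vCenter",
    "tcp/5989": "vCenter",
    "vCenter-Web-9443": "vCenter",
}

# key=value or key="quoted value"; quoted values may be empty.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortigate(line):
    """Split one Fortigate log line into a dict; quoted values lose their quotes."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def normalise(fields):
    """Blank or missing fields become 'unknown'; known port services get remapped."""
    service = fields.get("service", "") or "unknown"
    service = SERVICE_REMAP.get(service, service)
    app = fields.get("app", "") or "unknown"
    appcat = fields.get("appcat", "") or "unknown"
    return service, app, appcat


def app_usage(lines, direction=None, wan_port=WAN_PORT,
              threshold=THRESHOLD_BYTES, limit=20):
    """Sum sentbyte+rcvdbyte by (service, app, appcat) for allowed traffic records.

    direction="inbound" keeps only sessions entering on the WAN port (srcintf),
    direction="outbound" only sessions leaving on it (dstintf); None keeps both.
    Rows under the threshold are dropped; the rest are sorted by bytes descending,
    then service, and cut to the top `limit` rows, like the query's order/limit.
    """
    totals = defaultdict(int)
    for line in lines:
        f = parse_fortigate(line)
        if f.get("type") != "traffic" or f.get("utmaction") != "allow":
            continue
        if direction == "inbound" and f.get("srcintf") != wan_port:
            continue
        if direction == "outbound" and f.get("dstintf") != wan_port:
            continue
        try:
            total = int(f.get("sentbyte", 0)) + int(f.get("rcvdbyte", 0))
        except ValueError:
            continue  # malformed byte counters: skip rather than poison the sum
        totals[normalise(f)] += total
    rows = [(s, a, c, b) for (s, a, c), b in totals.items() if b > threshold]
    rows.sort(key=lambda r: (-r[3], r[0]))
    return rows[:limit]


if __name__ == "__main__":
    for direction in (None, "inbound", "outbound"):
        print(f"--- {direction or 'all'} ---")
        for service, app, appcat, total in app_usage(SAMPLE_LOGS, direction):
            print(f"{total:>10} {service:<10} {app:<12} {appcat}")
```

Running it shows the two vCenter port services collapsing into one vCenter row (80000 bytes), the udp/54 lookups being remapped to DNS-54 but dropped by the threshold, and the blocked and UTM records never being counted; switching the direction argument is the equivalent of uncommenting one of the two where lines in the query.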

_index=security_logs _sourceCategory=fw_security ("type=\"traffic\"" AND "utmaction=\"allow\"")
  | keyvalue regex "=(\d+)" keys "srcport", "dstport", "sentbyte", "rcvdbyte"
  | keyvalue regex "=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" keys "srcip", "dstip"
  | parse "service=\"*\" " as service nodrop
  | parse "app=\"*\" " as application nodrop
  | parse "appcat=\"*\" " as app_category nodrop
  | parse "srcintf=\"*\" " as src_intface
  | parse "dstintf=\"*\" " as dest_intface
  | if (isBlank(service), "unknown", service) as service // uh oh - service unknown (nodrop leaves the field blank, so test with isBlank rather than ="")
  | if (service="udp/54", "DNS-54", service) as service // RBL lookups on UDP port 54
  | if (service="tcp/902", "vCenter", service) as service // vCenter remote console
  | if (service="udp/902", "vCenter", service) as service // vCenter remote console
  | if (service="tcp/5989", "vCenter", service) as service // vCenter remote to ESXi
  | if (service="vCenter-Web-9443", "vCenter", service) as service // vCenter on port 9443
  | if (isBlank(application), "unknown", application) as application // uh oh - application unknown
  | if (isBlank(app_category), "unknown", app_category) as app_category // uh oh - application category unknown
  // | where src_intface="port13" // enable if you only want to see inbound traffic
  // | where dest_intface="port13" // enable if you only want to see outbound traffic
  | sentbyte+rcvdbyte as totalbytes
  | sum(totalbytes) as total_bytes by service, application, app_category
  | where total_bytes > 51200 // 50 KiB; use 52428800 for a 50 MiB cut-off
  | order by total_bytes desc, service // descending so the limit below keeps the top talkers
  | limit 20

Which results in the following output: