Fortinet Firewall Dashboard

by Josef Weiss
December 5, 2013

This dashboard is a series of components that provide basic analysis of Fortigate devices.

The top three components offer trending data for allowed connections, blocked connections, and sessions that have timed out. This easy-to-read graph can alert the analyst to potential connection-based anomalies.

The Data Events component displays the total number of TCP, UDP, and ICMP allowed/blocked connections over the last 24 hours.

Performance stats, if enabled as forwarded events in the Fortigate configuration, are displayed in the center component so the analyst can review performance details such as memory, CPU, and session information.

The remaining components are indicators that alert when several events have occurred. Critical events, such as compromised keys or logs overwritten, are presented in the Critical Events component. VPN-specific events, such as tunnel failures or tunnels being deleted, are displayed in the VPN event indicator.

Non-critical service detection events based on the following plugins trigger alerts in the Service Detection component:

  • 17367 Fortinet Fortigate Web Console Management Detection
  • 800548 Fortinet Firewall Detected
  • 80510 Fortinet IPS Detected
  • 2916 Fortinet VPN Server Detection (over PPTP)
  • 3599 Fortigate VPN Server Detection
  • 38155 and 5007 Fortify 360 Web Interface Detection

While nothing in this component may present a significant vulnerability, these detections provide attackers with information on your network and running services. Some interfaces may contain sensitive information.

Make sure the proper access controls are in place.

The dashboard and its components are available in the SecurityCenter 4.7 Dashboard app feed, an app store of dashboards, reports, and assets. The dashboard requirements are:

  • SecurityCenter 4.7.1
  • Nessus 5.2.4
  • LCE 4.2.1
  • PVS 4.0.0