Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fortinet Fortigate NetworkSession ASIM parser bugs on AdditinalExtensions #11843

Open
bacatta opened this issue Feb 20, 2025 · 1 comment
Open

Fortinet Fortigate NetworkSession ASIM parser bugs on AdditinalExtensions #11843

bacatta opened this issue Feb 20, 2025 · 1 comment
Assignees
@v-sudkharat @v-visodadasi
Labels
ASIM

Comments

@bacatta
Copy link
Contributor

bacatta commented Feb 20, 2025

Describe the bug
Not getting additional fields value like "SrcGeoCountry" and others, for Fortigate source.

To Reproduce
Run "_Im_NetworkSession_FortinetFortiGateV04" function on some "fortigate traffic" log in CommonSecurityLog.

Expected behavior
Fields of NetworkSession populated when the values are present in CommonSecurityLog/AdditionalExtensions.

Additional context
From the vendor documentation: https://docs.fortinet.com/document/fortigate/7.6.2/fortios-log-message-reference/949981
And after some analysis of this code:

    | parse-kv AdditionalExtensions as (
            FortinetFortiGatestart:datetime,
            FortinetFortiGatesrcintfrole:string,
            FortinetFortiGatedstintfrole:string,
            FortinetFortiGateexternalID:string,
            FortinetFortiGatepolicyid:int,
            FortinetFortiGatedstcountry:string,
            FortinetFortiGatesrccountry:string,
            FortinetFortiGatecrscore:string,
            FortinetFortiGateduration:int,
            FortinetFortiGatesentpkt:long,
            FortinetFortiGatercvdpkt:long
        ) with (pair_delimiter=';', kv_delimiter='=')
    | project-rename
        EventStartTime          = FortinetFortiGatestart,
        SrcZone                 = FortinetFortiGatesrcintfrole,
        DstZone                 = FortinetFortiGatedstintfrole,
        NetworkSessionId        = FortinetFortiGateexternalID,
        NetworkRuleNumber       = FortinetFortiGatepolicyid,
        NetworkDuration         = FortinetFortiGateduration,
        DstGeoCountry           = FortinetFortiGatedstcountry,
        SrcGeoCountry           = FortinetFortiGatesrccountry,
        ThreatOriginalRiskLevel = FortinetFortiGatecrscore,
        SrcPackets              = FortinetFortiGatesentpkt,
        DstPackets              = FortinetFortiGatercvdpkt

I think there is 2 bugs. The delimiter should be ' ' instead of ';'. And the prefixes should be "FTNTFGT" instead of 'FortinetFortiGate'.
@v-visodadasi v-visodadasi added the Parser Parser specialty review needed label Feb 21, 2025
@v-visodadasi
Copy link
Contributor

Hi @bacatta , Thanks for flagging this issue, we will investigate this issue and get back to you with some updates. Thanks!

@v-sudkharat v-sudkharat added ASIM and removed Parser Parser specialty review needed labels Feb 24, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@v-sudkharat v-sudkharat

@v-visodadasi v-visodadasi

Labels
ASIM
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@bacatta @v-sudkharat @v-visodadasi