-
Notifications
You must be signed in to change notification settings - Fork 203
/
0390-fortigate_rules.xml
375 lines (321 loc) · 22.7 KB
/
0390-fortigate_rules.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
<!--
- Fortigate rules
- Author: Tom Hancock <t.m.h.a.ncoc.k+wazuh@gmail.com>
- Updated by Wazuh, Inc.
- Copyright (C) 2015-2019, Wazuh Inc.
- This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
-->
<!--
ID: 81600 - 80799
-->
<group name="fortigate,syslog,">
<rule id="81600" level="0">
<decoded_as>fortigate-firewall-v3</decoded_as>
<description>Fortigate v3 messages grouped.</description>
</rule>
<rule id="81601" level="0">
<decoded_as>fortigate-firewall-v4</decoded_as>
<description>Fortigate v4 messages grouped.</description>
</rule>
<rule id="81602" level="0">
<decoded_as>fortigate-firewall-v5</decoded_as>
<description>Fortigate v5 messages grouped.</description>
</rule>
<rule id="81603" level="0">
<if_sid>81600,81601,81602</if_sid>
<description>Fortigate messages grouped.</description>
</rule>
<!--
date=2016-06-15 time=10:42:31 devname=Device_Name devid=FGTXXXX9999999999 logid=9999999999 type=event subtype=vpn level=error vd="root" logdesc="IPsec DPD failed" msg="IPsec DPD failure" action=dpd remip=1.2.3.4 locip=4.3.2.1 remport=500 locport=500 outintf="wan1" cookies="fsdagfdfgfdgfdg/qwerweafasfefsd" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="BW" status=dpd_failure
-->
<rule id="81604" level="4">
<if_sid>81603</if_sid>
<status>dpd_failure</status>
<description>Fortigate: IP Sec DPD Failed.</description>
<group>firewall_drop,pci_dss_1.4,gdpr_IV_35.7.d,hipaa_164.312.a.1,nist_800_53_SC.7,</group>
</rule>
<rule id="81605" level="7" frequency="18" timeframe="45" ignore="240">
<if_matched_sid>81604</if_matched_sid>
<same_source_ip />
<description>Fortigate: Multiple Firewall drop events from same source.</description>
<group>multiple_drops,pci_dss_1.4,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.a.1,hipaa_164.312.b,nist_800_53_SC.7,nist_800_53_AU.6,</group>
</rule>
<!--
date=2016-06-17 time=02:37:41 devname=Mobipay_Firewall devid=FGTXXXX9999999999 logid=0100032002 type=event subtype=system level=alert vd="root" logdesc="Admin login failed" sn=0 user="root" ui=ssh(222.186.130.227) action=login status=failed reason="name_invalid" msg="Administrator root login failed from ssh(222.186.130.227) because of invalid user name"
-->
<rule id="81606" level="4">
<if_sid>81603</if_sid>
<action>login</action>
<status>failed</status>
<description>Fortigate: Login failed.</description>
<group>authentication_failed,invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
</rule>
<rule id="81607" level="7" frequency="18" timeframe="45" ignore="240">
<if_matched_sid>81606</if_matched_sid>
<same_source_ip />
<options>alert_by_email</options>
<description>Fortigate: Multiple failed login events from same source.</description>
<group>authentication_failures,pci_dss_10.6.1,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AC.7,</group>
</rule>
<!--
date=2016-06-14 time=10:47:23 devname=Device_Name devid=FGTXXXX9999999999 logid=9999999999 type=event subtype=system level=alert vd="root" logdesc="Configuration changed" user="admin" ui=https(105.232.255.15) msg="Configuration is changed in the admin session"
-->
<rule id="81608" level="7">
<if_sid>81603</if_sid>
<match>Configuration is changed in the admin session</match>
<options>alert_by_email</options>
<description>Fortigate: Configuration changed.</description>
<group>gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
</rule>
<rule id="81609" level="8" frequency="18" timeframe="45" ignore="240">
<if_matched_sid>81608</if_matched_sid>
<same_source_ip />
<description>Fortigate: Multiple changed configuration events from same source.</description>
<group>gdpr_IV_35.7.d,</group>
</rule>
<!--
date=2016-06-15 time=09:41:35 devname=Device_Name devid=FGTXXXX9999999999 logid=9999999999 type=utm subtype=ips eventtype=signature level=alert vd="root" severity=info srcip=192.168.10.8 dstip=157.55.235.162 srcintf="internal2" dstintf="wan2" policyid=2 sessionid=1473454 action=dropped proto=6 service=tcp/20480 attack="HTTP.Unknown.Tunnelling" srcport=62216 dstport=80 direction=outgoing attackid=107347981 profile="default" ref="http://www.fortinet.com/ids/VID107347981" incidentserialno=1999871775 msg="http_decoder: HTTP.Unknown.Tunnelling,"
-->
<rule id="81610" level="4">
<if_sid>81603</if_sid>
<match>http_decoder: HTTP.Unknown.Tunnelling</match>
<description>Fortigate: Default tunneling setting. Could be IPS.</description>
<group>pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
</rule>
<rule id="81611" level="7" frequency="18" timeframe="45" ignore="240">
<if_matched_sid>81610</if_matched_sid>
<same_source_ip />
<options>alert_by_email</options>
<description>Fortigate: Multiple default tunneling setting events from same source.</description>
<group>pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
</rule>
<!--
date=2016-06-16 time=09:03:03 devname=Device_Name devid=FGTXXXX9999999999 logid=9999999999 type=event subtype=system level=information vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(4.3.5.8)" action=Edit cfgtid=2162752 cfgpath="firewall.service.custom" cfgobj="Custom-TCP_10443" cfgattr="tcp-portrange[->10443]udp-portrange[->]sctp-portrange[->]" msg="Edit firewall.service.custom Custom-TCP_10443"
-->
<rule id="81612" level="3">
<if_sid>81603</if_sid>
<action>Edit</action>
<description>Fortigate: Firewall configuration changes</description>
<group>pci_dss_10.6.1,gpg13_4.13,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
</rule>
<rule id="81613" level="4" frequency="18" timeframe="45" ignore="240">
<if_matched_sid>81612</if_matched_sid>
<same_source_ip />
<description>Fortigate: Multiple Firewall edit events from same source.</description>
<group>pci_dss_10.6.1,gpg13_4.13,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
</rule>
<!--
date=2016-06-16 time=09:03:03 devname=Device_Name devid=FGTXXXX9999999999 logid=9999999999 type=event subtype=system level=information vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(4.3.5.8)" action=Add cfgtid=2162750 cfgpath="firewall.service.custom" cfgobj="Custom-TCP_10443" cfgattr="" msg="Add firewall.service.custom Custom-TCP_10443"
-->
<rule id="81631" level="3">
<if_sid>81603</if_sid>
<action>Add</action>
<description>Fortigate: Firewall configuration changes</description>
<group>pci_dss_1.4,gpg13_4.13,hipaa_164.312.a.1,nist_800_53_SC.7,</group>
</rule>
<rule id="81632" level="4" frequency="16" timeframe="45" ignore="240">
<if_matched_sid>81631</if_matched_sid>
<same_source_ip />
<description>Fortigate: Multiple Firewall edit events from same source.</description>
<group>pci_dss_1.4,pci_dss_10.6.1,gpg13_4.13,gdpr_IV_35.7.d,hipaa_164.312.a.1,hipaa_164.312.b,nist_800_53_SC.7,nist_800_53_AU.6,</group>
</rule>
<!--
date=2016-06-15 time=21:35:09 devname=Device_Name devid=FGTXXXX9999999999 logid=0101039426 type=event subtype=vpn level=alert vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" tunnelid=0 remip=2.4.6.8 tunnelip=(null) user="my_user_name" group="N/A" dst_host="N/A" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"
-->
<rule id="81614" level="4">
<if_sid>81603</if_sid>
<match>ssl-login-fail</match>
<description>Fortigate: SSL VPN User failed login attempt</description>
<group>authentication_failed,invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
</rule>
<rule id="81615" level="7" frequency="18" timeframe="45" ignore="240">
<if_matched_sid>81614</if_matched_sid>
<same_source_ip />
<options>alert_by_email</options>
<description>Fortigate: Multiple Firewall SSL VPN failed login events from same source.</description>
<group>authentication_failures,pci_dss_10.6.1,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AC.7,</group>
</rule>
<!--
date=2016-06-16 time=08:48:28 devname=Device_Name devid=FGTXXXX9999999999 logid=0100032003 type=event subtype=system level=information vd="root" logdesc="Admin logout successful" sn=1466062693 user="a@b.com.na" ui=https(4.3.5.253) action=logout status=success duration=615 state="Config-Changed" reason=exit msg="Administrator a@b.com.na logged out from https(2.3.8.1)"
-->
<rule id="81616" level="4">
<if_sid>81603</if_sid>
<action>logout</action>
<status>success</status>
<description>Fortigate: User logout successful</description>
<group>pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
</rule>
<rule id="81617" level="7" frequency="18" timeframe="45" ignore="240">
<if_matched_sid>81616</if_matched_sid>
<same_source_ip />
<description>Fortigate: Multiple Firewall logout events from same source.</description>
<group>pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
</rule>
<!--
date=2016-06-16 time=10:49:08 devname=Device_Name devid=FGTXXXX9999999999 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=4.3.5.161 srcport=51082 srcintf="internal1" dstip=54.192.197.185 dstport=80 dstintf="wan1" poluuid=d6217c58-8c42-51e5-c3a6-c7766895cbfd sessionid=199618 proto=6 action=deny policyid=8 dstcountry="United States" srccountry="Reserved" trandisp=snat transip=160.242.8.82 transport=51082 service="HTTP" appid=6 app="BitTorrent" appcat="P2P" apprisk=high applist="default" appact=drop-session duration=3 sentbyte=60 rcvdbyte=3050 sentpkt=1 utmaction=block countapp=1 crscore=5 craction=1048576
-->
<rule id="81618" level="3">
<if_sid>81603</if_sid>
<match>type=traffic|type="traffic"</match>
<description>Fortigate: Traffic to be aware of.</description>
<group>pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
</rule>
<rule id="81619" level="3" frequency="18" timeframe="45" ignore="240">
<if_matched_sid>81618</if_matched_sid>
<same_source_ip />
<options>alert_by_email</options>
<description>Fortigate: Multiple high traffic events from same source.</description>
<group>pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
</rule>
<!--
date=2016-06-15 time=11:44:46 devname=Device_Name devid=FGTXXXX9999999999 logid=9999999999 type=utm subtype=webfilter eventtype=urlfilter level=warning vd="root" urlfilteridx=3 urlfilterlist="default" policyid=2 sessionid=1563645 user="" srcip=1.2.3.11 srcport=52414 srcintf="internal2" dstip=1.5.5.92 dstport=443 dstintf="wan2" proto=6 service=HTTPS hostname="4-edge-chat.facebook.com" profile="default" action=blocked reqtype=referral url="/p?partition=-2&cb=lz1k&failure=5&sticky_token=274&sticky_pool=atn2c06_chat-proxy" sentbyte=932 rcvdbyte=0 direction=outgoing msg="URL was blocked because it is in the URL filter list" crscore=30 crlevel=high
-->
<rule id="81620" level="3">
<if_sid>81603</if_sid>
<status>warning</status>
<action>blocked</action>
<description>Fortigate: URL Blocked by Firewall.</description>
<group>firewall_drop,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
</rule>
<rule id="81621" level="3" frequency="18" timeframe="45" ignore="240">
<if_matched_sid>81620</if_matched_sid>
<same_source_ip />
<description>Fortigate: Multiple URL blocked from same source.</description>
<group>multiple_drops,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
</rule>
<!--
date=2016-06-16 time=08:47:00 devname=Device_Name devid=FGTXXXX9999999999 logid=0101039947 type=event subtype=vpn level=information vd="root" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" tunnelid=1050355638 remip=9.8.7.7 tunnelip=1.2.4.6 user="my_user_name" group="SSL_VPN" dst_host="N/A" reason="N/A" msg="SSL tunnel established"
-->
<rule id="81622" level="3">
<if_sid>81603</if_sid>
<match>level=information|level="information"</match>
<action>tunnel-up</action>
<description>Fortigate: VPN User connected.</description>
<group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
</rule>
<rule id="81623" level="4" frequency="18" timeframe="45" ignore="240">
<if_matched_sid>81622</if_matched_sid>
<same_source_ip />
<description>Fortigate: Multiple vpn user connected from same source.</description>
<group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
</rule>
<!--
date=2016-06-16 time=08:49:26 devname=Device_Name devid=FGTXXXX9999999999 logid=0101039948 type=event subtype=vpn level=information vd="root" logdesc="SSL VPN tunnel down" action="tunnel-down" tunneltype="ssl-tunnel" tunnelid=1050355638 remip=5.7.8.9 tunnelip=8.4.2.1 user="my_user_name" group="SSL_VPN" dst_host="N/A" reason="N/A" duration=147 sentbyte=2284 rcvdbyte=2630 msg="SSL tunnel shutdown"
-->
<rule id="81624" level="3">
<if_sid>81603</if_sid>
<match>level=information|level="information"</match>
<action>tunnel-down</action>
<description>Fortigate: VPN User disconnected.</description>
<group>pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
</rule>
<rule id="81625" level="4" frequency="18" timeframe="45" ignore="240">
<if_matched_sid>81624</if_matched_sid>
<same_source_ip />
<description>Fortigate: Multiple user disconnected events from same source.</description>
<group>pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
</rule>
<!--
date=2016-06-16 time=16:22:34 devname=Mobipay_Firewall devid=FGTXXXX9999999999 logid=0100032001 type=event subtype=system level=information vd="root" logdesc="Admin login successful" sn=1466090554 user="a@b.com.na" ui=https(10.42.8.253) action=login status=success reason=none profile="super_admin" msg="Administrator a@b.com.na logged in successfully from https(10.42.8.253)"
-->
<rule id="81626" level="3">
<if_sid>81603</if_sid>
<match>ui</match>
<status>success</status>
<action>login</action>
<description>Fortigate: User successfully logged into firewall interface.</description>
<group>pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.6,</group>
</rule>
<rule id="81627" level="4" frequency="18" timeframe="45" ignore="240">
<if_matched_sid>81626</if_matched_sid>
<same_source_ip />
<description>Fortigate: Multiple Firewall login events from same source.</description>
<group>pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
</rule>
<!--
Mar 22 19:21:00 10.10.10.10 date=2016-03-22 time=19:20:46 devname=Text devid=FGT3HD0000000000 logid=0000018000 type=anomaly subtype=anomaly level=alert vd="root" severity=critical srcip=10.10.10.35 dstip=10.10.10.84 srcintf="port2" sessionid=0 action=detected proto=6 service=tcp/36875 count=1903 attack="tcp_syn_flood" srcport=32835 dstport=2960 attackid=100663396 profile="DoS-policy1" ref="http://www.fortinet.com/ids/VID100663396" msg="anomaly: tcp_syn_flood, 2001 > threshold 2000, repeats 1903 times" crscore=50 crlevel=critical
Mar 22 19:21:00 10.10.10.10 date=2016-03-22 time=19:20:46 devname=Text devid=FGT3HD0000000000 logid=0000018000 type=anomaly subtype=anomaly level=alert vd="root" severity=critical srcip=10.10.10.61 dstip=10.10.10.84 srcintf="port2" sessionid=0 action=dropped proto=6 service=NONE count=9 attack="IP.Bad.Header" attackid=127 profile="N/A" ref="http://www.fortinet.com/ids/VID127" msg="anomaly: IP.Bad.Header, repeats 9 times" crscore=50 crlevel=critical
-->
<rule id="81628" level="11">
<if_sid>81603</if_sid>
<match>attack</match>
<action>detected</action>
<description>Fortigate Attack Detected</description>
<group>attack,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
</rule>
<rule id="81629" level="3">
<if_sid>81603</if_sid>
<match>attack</match>
<action>dropped</action>
<description>Fortigate Attack Dropped</description>
<group>attack,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
</rule>
<rule id="81630" level="3">
<if_sid>81603</if_sid>
<match>attack</match>
<action>clear_session</action>
<description>Fortigate Attack: Session cleared.</description>
<group>attack,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
</rule>
<!--
2018 Apr 09 16:05:06 inwazuhmgr->172.24.0.253 date=2018-04-09 time=16:05:06 devname=BA-RSYS-FW devid=FG600C3912803212 logid="1059028705" type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="warning" vd="BA-EXORA" logtime=1523270106 appid=17244 srcip=172.24.150.115 dstip=139.59.35.216 srcport=62159 dstport=443 srcintf="port5" srcintfrole="undefined" dstintf="port4" dstintfrole="wan" proto=6 service="HTTPS" policyid=107 sessionid=3454918141 applist="block-high-risk" appcat="Proxy" app="OpenVPN" action="block" incidentserialno=798746654 msg="Proxy: OpenVPN," apprisk="elevated"
-->
<rule id="81633" level="3">
<if_sid>81603</if_sid>
<match>subtype="app-ctrl"|subtype=app-ctrl</match>
<action>pass</action>
<description>Fortigate: App passed by firewall.</description>
<group>pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
</rule>
<rule id="81634" level="3">
<if_sid>81603</if_sid>
<match>subtype="app-ctrl"|subtype=app-ctrl</match>
<action>block</action>
<description>Fortigate: App blocked by firewall.</description>
<group>firewall_drop,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
</rule>
<rule id="81635" level="3" frequency="16" timeframe="45" ignore="240">
<if_matched_sid>81620</if_matched_sid>
<same_source_ip />
<description>Fortigate: Multiple URL blocked from same source.</description>
<group>multiple_drops,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
</rule>
<!--
2018 Apr 09 16:03:11 inwazuhmgr->172.0.0.1 date=2018-04-09 time=16:03:11 devname=BA-BE-BI devid=FG600C1234567890 logid="0101037141" type="event" subtype="vpn" level="notice" vd="BA-BEBI" logtime=1523269991 logdesc="IPsec tunnel statistics" msg="IPsec tunnel statistics" action="tunnel-stats" remip=1.1.1.1 locip=1.1.1.1 remport=500 locport=500 outintf="port3" cookies="c95409asssss4d44/b8a16eeeeebe269a" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="AWS-VPN-B" tunnelip=N/A tunnelid=2490314698 tunneltype="ipsec" duration=243565 sentbyte=116502517 rcvdbyte=347903642 nextstat=600
-->
<rule id="81636" level="1">
<if_sid>81603</if_sid>
<match>type="event" subtype="vpn" level="notice"|type=event subtype=vpn level=notice|type=event,subtype=vpn,level=notice</match>
<description>Fortigate: VPN related information</description>
</rule>
<rule id="81637" level="1">
<if_sid>81603</if_sid>
<match>type="event" subtype="vpn" level="error"|type=event subtype=vpn level=error|type=event,subtype=vpn,level=error</match>
<description>Fortigate: VPN related error</description>
</rule>
<!--
May 31 08:58:56 172.0.0.1 date=2018-05-31 time=08:58:56 devname="BA-BEBI" devid="FG600C1234567890" logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="BA-BIBO" eventtime=1527737336 msg="File is infected." action="blocked" service="HTTP" sessionid=377413095 srcip=11.22.33.44 dstip=55.66.77.88 srcport=64982 dstport=80 srcintf="port5" srcintfrole="undefined" dstintf="port3" dstintfrole="wan" policyid=108 proto=6 direction="incoming" filename="FrontPageImgHandler.ashx" quarskip="File-was-not-quarantined." virus="Malware_Generic.P0" dtype="Virus" ref="http://www.fortinet.com/ve?vn=Malware_Generic.P0" virusid=7024603 url="http://www.badguys.web/FrontPageImgHandler.ashx?id=12" profile="Web-Browsing" agent="Chrome/66.0.3359.181" analyticscksum="a9165dbae34e6e2952270536e95a2bb154df61h6d95hfh6ee14b36123b" analyticssubmit="false" crscore=50 crlevel="critical"
-->
<rule id="81638" level="5">
<if_sid>81603</if_sid>
<match>subtype=virus|subtype="virus"</match>
<description>Fortigate: Virus detected.</description>
<group>pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
</rule>
<rule id="81639" level="5">
<if_sid>81638</if_sid>
<action>blocked</action>
<description>Fortigate: Blocked URL because a virus was detected.</description>
<group>firewall_drop,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
</rule>
<!--
2018 Jun 21 00:00:35 XXX->127.0.0.1 date=2018-06-21 time=03:00:35 devname="xxx" devid="FG123341414414" logid="111111111" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="xxx" eventtime=111111111 policyid=111 sessionid=111111111 srcip=127.0.0.1 srcport=11111 srcintf="port1" srcintfrole="undefined" dstip=127.0.0.1 dstport=111 dstintf="port111" dstintfrole="undefined" proto=1 service="XXX" hostname="xxxxx.com" profile="xx" action="passthrough" reqtype="direct" url="/xxxxxxxxxxxx" sentbyte=11 rcvdbyte=111 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=50 catdesc="Information and Computer Security"
NOTE: Since this rule can be noisy is set to level 0 by default.
-->
<rule id="81640" level="1">
<if_sid>81603</if_sid>
<status>notice</status>
<action>passthrough</action>
<description>Fortigate: URL belongs to an allowed category.</description>
</rule>
</group>