Event : VPN
Vendor Documentation
- https://www.fortinet.com/products.html
- https://docs.fortinet.com/document/fortigate/6.0.6/fortios-log-message-reference/524940/introduction
Classification
| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| Event : VPN | Base Rule | Network Traffic | General VPN Traffic Event |
| VPN Event SSL VPN User SSL Login Fail | Sub Rule | Authentication Failure | Connection Authentication Failed |
| VPN Event SSL VPN Session Tunnel Stats | Sub Rule | Information | VPN Session Information |
| VPN Neg I P1 Error | Sub Rule | Error | General IPSec Error |
| VPN Conn Stats | Sub Rule | Information | General IPSec Information |
| VPN Event VPN Cert Regen | Sub Rule | Activity | Certificate Renewal Request |
| VPN Event SSL VPN User Tunnel DOWN | Sub Rule | Other Audit Success | VPN Connection Closed |
| VPN Event SSL VPN Session New Con | Sub Rule | Network Traffic | VPN Session Started |
| VPN Event SSL VPN Session Tunnel Up | Sub Rule | Network Traffic | VPN Session Started |
| VPN Event SSL VPN Session Tunnel Down | Sub Rule | Network Traffic | VPN Session Terminated |
| VPN Neg Generic P2 Notif IKEV2 | Sub Rule | Network Traffic | IPSec Negotiation |
| VPN Neg I P1 Error IKEV2 | Sub Rule | Error | IPSec Negotiation Error |
| VPN Neg Progress P1 Notif IKEV2 | Sub Rule | Information | IPSec Information Message |
| VPN Neg Progress P2 Notif IKEV2 | Sub Rule | Information | IPSec Information Message |
| VPN Conn Stats IKEV2 | Sub Rule | Information | IPSec Information Message |
| VPN Install SA IKEV2 | Sub Rule | Information | Installed IPSec Security Association |
| VPN Neg Progress P1 Error | Sub Rule | Error | IPSec Progress Error |
| VPN Neg Progress P2 Error | Sub Rule | Error | IPSec Progress Error |
| VPN Neg Progress P1 Error IKEV2 | Sub Rule | Error | IPSec Progress Error |
| VPN Event SSL VPN Session Cert Ok | Sub Rule | Information | Certificate Valid |
| VPN Event SSL VPN User Tunnel UP | Sub Rule | Other Audit Success | VPN Session Started |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| severity | <severity> | Text/String | severity |
| logid | <vmid> <tag1> | Number | N/A |
| logdesc | <status> | Text/String | N/A |
| action | <action> | Text/String | N/A |
| tunnelid | <session> | Text/String/Number | N/A |
| remip | <sip> | IP Address | N/A |
| user | N/A | Text/String | N/A |
| group | <group> | Text/String | N/A |
| dst_host | <dname> | Text/String | N/A |
| reason | <reason> | Text/String | N/A |
| duration | <seconds> | Number | N/A |
| sentbyte | <bytesout> | Number | N/A |
| rcvdbyte | <bytesin> | Number | N/A |
| msg | <subject> | Text/String | N/A |
| locip | <dip> | IP Address | IP Address |
| remport | <sport> | Number | N/A |
| locport | <dport> | Number | N/A |
| outintf | <sinterface> | Text/String/Number | N/A |
| result | <result> | Text/String | N/A |