Task 1 - Preparation of FortiAnalyzer and FortiWeb

Prepare FortiAnalyzer and FortiWeb for the Lab

This chapter covers the steps needed to set up log shipping and event monitoring of FortiWeb with FortiAnalyzer. Please make sure you have completed this section before moving on!

FortiWeb Preparations

  1. Log in to FortiWeb with the given credentials.

  2. On the left-hand menu, go to Log&Report - Log Policy - FortiAnalyzer Policy.

  3. Select Create New at the top left to open the configuration wizard.

  4. Provide a meaningful name for the policy, then click OK to save.

  5. After the policy has been saved, click Create New to add a new entry to the policy.

  6. Enter the IP address of FortiAnalyzer into the corresponding field, then click OK to add the entry.

  7. Check that the new entry was added successfully, then click OK again to make sure that everything is saved.

  8. On the left-hand menu, go to Log&Report - Log Config - Global Log Settings.

  9. Enable FortiAnalyzer and select the previously configured FortiAnalyzer policy.

  10. Click Apply at the bottom of the page to save the configuration.

  11. To enable global logging, open the built-in CLI by clicking the >_ symbol at the top right.

  12. Execute the following commands:

      config log traffic-log
      set status enable
      end

  13. Logging from FortiWeb to FortiAnalyzer is now enabled. Please proceed with the configuration of FortiAnalyzer.

FortiAnalyzer Preparations

  1. Log in to FortiAnalyzer with the given credentials.

  2. Go to Device Manager and click Add Device to add FortiWeb.

  3. Provide the following information, then click Next to proceed with the configuration:

     • Name: FortiWeb
     • Serial Number: (this can be found on the FortiWeb dashboard)

  4. Wait until the device has been added successfully, then click Finish to close the wizard.

  5. To finalize the FortiWeb configuration, select the entry in the device table and click Edit.

  6. Update Admin User and Password with the given credentials, then click OK to save.

  7. To feed security events into FortiSOAR, events need to be generated in the Event Monitor. For this to work, a so-called handler needs to be in place. The handler for FortiWeb is disabled by default and needs to be enabled. Go to Incidents & Events - Handlers.

  8. Select the Basic Handlers tab, then use the search field at the top right to search for FWB.

  9. Right-click the search result and click Enable to activate the handler.

  10. Check that the status changes from disabled to enabled (green checkmark).

  11. As soon as FortiWeb detects an attack, a new event entry is added to the Event Monitor.

      Please make sure that a Web Protection Profile is used in the configured FortiWeb policy, since attack logs (and therefore events) are only generated when a protection profile inspects the traffic. The default policies provided by FortiWeb are more than enough for this lab.

  12. Congratulations, you are done with the preparations. Please continue to the next section of the lab.
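The FWB handler raises an event for each attack log that FortiWeb ships to FortiAnalyzer, while plain traffic logs only confirm that log shipping works. The following Python snippet is an added example (not part of this lab and not Fortinet code) that parses constructed FortiWeb-style key=value syslog lines, separates attack records from traffic records and summarizes them the way the Event Monitor would; all field names and values are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample log lines in the Fortinet key=value syslog style.
# Field names and values are assumptions for illustration only.
SAMPLE_LOGS = """\
date=2023-07-09 time=10:35:00 device_id=FWB-SERIAL-PLACEHOLDER vd="root" type=attack subtype="waf_signature_detection" pri=alert main_type="Signature Detection" policy="lab-policy" src=10.0.0.5 dst=10.0.0.20 action=Alert_Deny msg="Signature matched in URL"
date=2023-07-09 time=10:35:01 device_id=FWB-SERIAL-PLACEHOLDER vd="root" type=traffic subtype="http_request" policy="lab-policy" src=10.0.0.6 dst=10.0.0.20 action=Accept msg="GET /index.html"
date=2023-07-09 time=10:35:05 device_id=FWB-SERIAL-PLACEHOLDER vd="root" type=attack subtype="waf_signature_detection" pri=alert main_type="Signature Detection" policy="lab-policy" src=10.0.0.5 dst=10.0.0.20 action=Alert_Deny msg="Signature matched in parameter \\"q\\""
"""

# key=value pairs; quoted values may contain spaces and escaped quotes (\")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_line(line):
    """Parse one key=value log line into a dict, unquoting quoted values."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def parse_logs(text):
    """Parse every non-empty line of a log dump."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def attack_events(records):
    """Only attack records become events once the FWB handler is enabled."""
    return [r for r in records if r.get("type") == "attack"]


def summarize(records):
    """Count attack events per (policy, main_type, src), like an Event Monitor view."""
    counts = Counter()
    for r in attack_events(records):
        counts[(r.get("policy"), r.get("main_type"), r.get("src"))] += 1
    return counts


def check_shipping(records):
    """Traffic logs show the traffic-log setting took effect; attack logs show the handler has input."""
    return {
        "traffic": any(r.get("type") == "traffic" for r in records),
        "attack": bool(attack_events(records)),
    }
```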