Log service expiration nearing-fortinet-FortiOS

Vendor: fortinet

OS: FortiOS

Description:
Indeni will alert when Fortinet log service is about to expire.

Remediation Steps:
Renew any log services that need to be renewed.
1. Log in via SSH to the Fortinet firewall and execute the FortiOS "get system fortiguard-service status" and "diag autoupdate versions" commands to list current update package versions and license expiry status.
2. Log in via HTTPS to the Fortinet firewall and go to the menu System > Dashboard > Status to locate the License Information widget. All subscribed services should have a green checkmark, indicating that connections are successful. A gray X indicates that the FortiGate unit cannot connect to the FortiGuard network, or that the FortiGate unit is not registered. A red X indicates that the FortiGate unit was able to connect but that a subscription has expired or has not been activated.
3. Log in via HTTPS to the Fortinet firewall and view the FortiGuard connection status under the System > Config > FortiGuard menu.
4. Purchase additional licenses if needed.
5. Consider enabling the alert email setting on the Fortinet firewall in order to receive an alert email prior to FortiGuard license expiration (notification date range: 1 - 100 days). The current alert email status can be shown with the command "get alertemail setting". More details can be found at: https://docs.fortinet.com/uploaded/files/2798/fortigate-cli-ref-54.pdf
6. For more information about licensing, review the online article "Setting up FortiGuard services": http://cookbook.fortinet.com/setting-fortiguard-services-54/
7. If the problem persists, contact Fortinet Technical Support at https://support.fortinet.com/ for further assistance.

How does this work?
This script logs in to the FortiGate via SSH and retrieves the remote log service name by using the FortiOS command "get system fortiguard-log-service status". In addition, this FortiOS command returns information about the status of the FortiGuard/FortiCloud Log & Analysis Service, including license and disk information.

Why is this important?
This metric returns information for the expiration date of the configured FortiGuard / FortiCloud Log analysis service. Check the link below for more information: https://docs.fortinet.com/uploaded/files/3679/fortigate-cli-ref-54.pdf

Without Indeni how would you find this?
This information can be provided via logging.

fortios-fortiguard-log-service-status

#! META
name: fortios-fortiguard-log-service-status
description: Fortinet Firewall FortiGuard and FortiCloud Log Service Status
type: monitoring
monitoring_interval: 10 minutes
requires:
    vendor: fortinet
    os.name: FortiOS
    product: firewall
    vdom_enabled: false
    vdom_root: true

# --------------------------------------------------------------------------------------------------
# The script publishes the following metrics
#
# [fortios-log-service-name]              [FortiCloud | FortiGuard Log & Analysis Service]
# [fortios-log-service-expire-date]       [datetime (expire date, epoch seconds)]
# [fortios-log-service-disk-quota]        [string, the total logging space]
# [fortios-log-service-max-daily-volume]  [string, max daily volume]
# [fortios-log-disk-quota-usage]          [string, the currently used logging space]
# --------------------------------------------------------------------------------------------------


#! COMMENTS
fortios-log-service-name:
    why: |
        This metric returns information about the configured FortiGuard / FortiCloud Log analysis service. Check the
        link below for more information:
        https://docs.fortinet.com/uploaded/files/3679/fortigate-cli-ref-54.pdf
    how: |
        This script logs in to the Fortigate via SSH and retrieves the remote log service name by using the FortiOS
        command "get system fortiguard-log-service status". In addition, this FortiOS command returns information about
        the status of the FortiGuard/FortiCloud Log & Analysis Service including license and disk information.
    without-indeni: |
        The user would have to login to the device and use the "get system fortiguard-log-service status" command to
        identify the utilized FortiGuard / FortiCloud Log analysis service.
    can-with-snmp: false
    can-with-syslog: false

fortios-log-service-expire-date:
    why: |
        This metric returns information for the expiration date of the configured FortiGuard / FortiCloud Log analysis
        service. Check the link below for more information:
        https://docs.fortinet.com/uploaded/files/3679/fortigate-cli-ref-54.pdf
    how: |
        This script logs in to the Fortigate via SSH and retrieves the remote log service name by using the FortiOS
        command "get system fortiguard-log-service status". In addition, this FortiOS command returns information about
        the status of the FortiGuard/FortiCloud Log & Analysis Service including license and disk information.
    without-indeni: |
        This information can be provided via logging.
    can-with-snmp: false
    can-with-syslog: true

fortios-log-service-disk-quota:
    why: |
        This metric returns information about the total disk quota of the configured FortiGuard / FortiCloud Log
        analysis services. Check the link below for more information:
        https://docs.fortinet.com/uploaded/files/3679/fortigate-cli-ref-54.pdf
    how: |
        This script logs in to the Fortigate via SSH and retrieves the remote log service name by using the FortiOS
        command "get system fortiguard-log-service status". In addition, this FortiOS command returns information about
        the status of the FortiGuard/FortiCloud Log & Analysis Service including license and disk information.
    without-indeni: |
        The user would have to login to the device and use the "get system fortiguard-log-service status" command to
        identify the total disk quota utilized for FortiGuard / FortiCloud Log analysis service.
    can-with-snmp: false
    can-with-syslog: false

fortios-log-service-max-daily-volume:
    why: |
        This metric returns information with the Maximum Daily volume of logs applied to FortiGuard / FortiCloud Log
        analysis services. Check the link below for more information:
        https://docs.fortinet.com/uploaded/files/3679/fortigate-cli-ref-54.pdf
    how: |
        This script logs in to the Fortigate via SSH and retrieves the remote log service name by using the FortiOS
        command "get system fortiguard-log-service status". In addition, this FortiOS command returns information about
        the status of the FortiGuard/FortiCloud Log & Analysis Service including license and disk information.
    without-indeni: |
        The user would have to login to the device and use the "get system fortiguard-log-service status" command to
        identify the maximum daily volume of logs applied to FortiGuard / FortiCloud Log analysis service.
    can-with-snmp: false
    can-with-syslog: false

fortios-log-disk-quota-usage:
    why: |
        This metric returns information with the current disk quota usage for the Fortiguard / FortiCloud Log analysis
        services. Check the link below for more information:
        https://docs.fortinet.com/uploaded/files/3679/fortigate-cli-ref-54.pdf
    how: |
        This script logs in to the Fortigate via SSH and retrieves the remote log service name by using the FortiOS
        command "get system fortiguard-log-service status". In addition, this FortiOS command returns information about
        the status of the FortiGuard/FortiCloud Log & Analysis Service including license and disk information.
    without-indeni: |
        The user would have to login to the device and use the "get system fortiguard-log-service status" command to
        identify the current disk quota usage of logs applied to FortiGuard / FortiCloud Log analysis service.
    can-with-snmp: false
    can-with-syslog: false


#! REMOTE::SSH
get system fortiguard-log-service status

#! PARSER::AWK

#-----------------------------------------------------------------------
# Helper function.
# Split the input string using ':' as a delimiter and return the second
# part with leading/trailing whitespace removed, so the published string
# metric does not carry the space that follows the ':' in device output.
# For example for input 'packets: 5' the result is '5'
#-----------------------------------------------------------------------
function getSecondPart(stringWithDelim,    stringArray, value) {
    split(stringWithDelim, stringArray, ":")
    value = stringArray[2]
    gsub(/^[ \t]+|[ \t]+$/, "", value)
    return value
}

# The first line starting with 'Forti' (FortiGuard or FortiCloud)
#FortiGuard Log & Analysis Service
#FortiCloud
/^Forti/{

    log_service_name = $0
    writeComplexMetricStringWithLiveConfig("fortios-log-service-name", null, log_service_name, "Log Service Name")
}


#Expire on: 20071231
/^Expire on: /{

    #Read the date in format '20071231'
    date_str = $3

    # Split the date in year,month,day
    year = substr(date_str,1,4)
    month = substr(date_str,5,2)
    day = substr(date_str,7,2)

    # Convert date in epoch-seconds
    date_expire = date(year, month, day)

    # Set from first-line parsing
    tags["name"] = log_service_name
    writeDoubleMetricWithLiveConfig("fortios-log-service-expire-date", tags, "gauge", 300, date_expire , "Expire date for Forti Log service", "date", "")
}


#Total disk quota: 1111 MB
/^Total disk quota:/{

    total_disk = getSecondPart($0)
    writeComplexMetricStringWithLiveConfig("fortios-log-service-disk-quota", null, total_disk, "Total Disk Quota")
}

#Max daily volume: 111 MB
/^Max daily volume:/{

    max_daily = getSecondPart($0)
    writeComplexMetricStringWithLiveConfig("fortios-log-service-max-daily-volume", null, max_daily, "Max Daily Volume")
}

#Current disk quota usage: 342 MB
/^Current disk quota usage:/{

    disk_quota_usage = getSecondPart($0)
    writeComplexMetricStringWithLiveConfig("fortios-log-disk-quota-usage", null, disk_quota_usage, "Current disk quota usage")
}





package com.indeni.server.rules.library.fortinet

import com.indeni.apidata.time.TimeSpan
import com.indeni.apidata.time.TimeSpan.TimePeriod
import com.indeni.ruleengine.expressions.conditions.{And, GreaterThan, LesserThan}
import com.indeni.ruleengine.expressions.core.{StatusTreeExpression, _}
import com.indeni.ruleengine.expressions.data._
import com.indeni.ruleengine.expressions.math.PlusExpression
import com.indeni.ruleengine.expressions.utility.NowExpression
import com.indeni.server.common.data.conditions.True
import com.indeni.server.params.ParameterDefinition
import com.indeni.server.params.ParameterDefinition.UIType
import com.indeni.server.rules._
import com.indeni.server.rules.library.core.PerDeviceRule
import com.indeni.server.rules.library.{ConditionalRemediationSteps, RuleHelper}
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity

case class FortinetLogServiceWillExpire() extends PerDeviceRule with RuleHelper {

  private val highThresholdParameterName = "ahead_alerting_threshold"
  private val highThresholdParameter = new ParameterDefinition(
    highThresholdParameterName,
    "",
    "Expiration Threshold",
    "How long before log service expiration should Indeni alert.",
    UIType.TIMESPAN,
    TimeSpan.fromDays(30)
  )

  override val metadata: RuleMetadata = RuleMetadata
    .builder(
      "FortinetLogServiceWillExpire",
      "Fortinet Devices: Log service expiration nearing",
      "Indeni will alert when Fortinet log service is about to expire.",
      AlertSeverity.WARN
    )
    .configParameter(highThresholdParameter)
    .build()

  override def expressionTree(context: RuleContext): StatusTreeExpression = {
    val actualValue = TimeSeriesExpression[Double]("fortios-log-service-expire-date").last.toTimeSpan(TimePeriod.SECOND)

    StatusTreeExpression(
      // Which objects to pull (normally, devices)
      SelectTagsExpression(context.metaDao, Set(DeviceKey), True),
      // What constitutes an issue
      StatusTreeExpression(
        // The additional tags we care about (we'll be including this in alert data)
        SelectTagsExpression(context.tsDao, Set("name"), withTagsCondition("fortios-log-service-expire-date")),
        StatusTreeExpression(
          // The time-series we check the test condition against:
          SelectTimeSeriesExpression[Double](context.tsDao, Set("fortios-log-service-expire-date"), denseOnly = false),
          // The condition which, if true, we have an issue. Checked against the time-series we've collected
          And(
            GreaterThan(
              actualValue,
              NowExpression()
            ),
            LesserThan(actualValue,
                       PlusExpression[TimeSpan](NowExpression(),
                                                getParameterTimeSpanForTimeSeries(highThresholdParameter)))
          )

          // The Alert Item to add for this specific item
        ).withSecondaryInfo(
            scopableStringFormatExpression("${scope(\"name\")}"),
            scopableStringFormatExpression("Will expire on %s", timeSpanToDateExpression(actualValue)),
            title = "Affected Log Services"
          )
          .asCondition()
      ).withoutInfo().asCondition()
    ).withRootInfo(
      getHeadline(),
      ConstantExpression("One or more log services are about to expire. See the list below."),
      ConditionalRemediationSteps(
        "Renew any log services that need to be renewed.",
        ConditionalRemediationSteps.VENDOR_FORTINET ->
          """
            |1. Login via ssh to the Fortinet firewall and execute the FortiOS "get system fortiguard-service status" and "diag autoupdate versions"
              |>>> commands to list current update package versions and license expiry status.
            |2. Login via https to the Fortinet firewall and go to the menu System > Dashboard > Status to locate the License Information widget.
              |>>> All subscribed services should have a green checkmark, indicating that connections are successful. A gray X indicates that the
              |>>> FortiGate unit cannot connect to the FortiGuard network, or that the FortiGate unit is not registered. A red X indicates that
              |>>> the FortiGate unit was able to connect but that a subscription has expired or has not been activated.
            |3. Login via https to the Fortinet firewall to view the FortiGuard connection status by going to System > Config > FortiGuard menu.
            |4. Purchase additional licenses if needed.
            |5. Consider enabling the alert email setting to the Fortinet firewall in order to receive an alert email prior to FortiGuard license
              |>>> expiration (notification date range: 1 - 100 days). The current alert email status can be provided with the next command:
              |>>> "get alertemail setting". More details can be found at: https://docs.fortinet.com/uploaded/files/2798/fortigate-cli-ref-54.pdf
            |6. For more information about licensing review the next online article "Setting up FortiGuard services" :
              |>>> http://cookbook.fortinet.com/setting-fortiguard-services-54/
            |7. If the problem persists, contact Fortinet Technical support at https://support.fortinet.com/ for further assistance.""".stripMargin
            .replaceAll("\n>>>", "")
      )
    )
  }
}
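The AWK parser above and the Scala rule below it form one pipeline: the parser turns the text of "get system fortiguard-log-service status" into metrics (the expiry as epoch seconds, the quota lines as strings), and the rule fires when that expiry lies after now but within the ahead_alerting_threshold (30 days by default). The following stand-alone Python re-implementation of both halves is an added example, not Indeni's or Fortinet's code. The sample output is constructed from the comment lines in the parser (it is not captured from a real device), and the 30-day default mirrors the page's threshold parameter. It goes a little beyond the page's parser by rejecting a malformed date instead of silently publishing a wrong epoch.

```python
# Added example (not Indeni's or Fortinet's code): parse the output of
# "get system fortiguard-log-service status" into the five metrics the .ind
# script publishes and evaluate the rule's "expiry nearing" condition.
import re
from datetime import datetime, timezone

# Constructed sample output, shaped after the comment lines in the page's
# AWK parser. Not captured from a real FortiGate.
SAMPLE_OUTPUT = """\
FortiGuard Log & Analysis Service
Expire on: 20071231
Total disk quota: 1111 MB
Max daily volume: 111 MB
Current disk quota usage: 342 MB
"""

# Metric name -> line prefix, mirroring the page's /^.../ AWK patterns.
PREFIXED_METRICS = {
    "fortios-log-service-disk-quota": "Total disk quota:",
    "fortios-log-service-max-daily-volume": "Max daily volume:",
    "fortios-log-disk-quota-usage": "Current disk quota usage:",
}

SECONDS_PER_DAY = 86400


def second_part(line):
    """Equivalent of the page's getSecondPart(): the text after the first
    ':' with surrounding whitespace removed ('Total disk quota: 1111 MB' -> '1111 MB')."""
    return line.split(":", 1)[1].strip()


def parse_expire_date(raw):
    """'20071231' -> epoch seconds at 00:00 UTC of that day, or None if the
    value is not a valid YYYYMMDD date (the AWK parser assumes it always is)."""
    if not re.fullmatch(r"\d{8}", raw):
        return None
    try:
        dt = datetime.strptime(raw, "%Y%m%d").replace(tzinfo=timezone.utc)
    except ValueError:  # e.g. month 13 or day 32
        return None
    return int(dt.timestamp())


def parse_log_service_status(text):
    """Return {metric name: value} for the lines the page's parser matches."""
    metrics = {}
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Forti") and "fortios-log-service-name" not in metrics:
            # First line starting with 'Forti' is the service name (FortiGuard/FortiCloud)
            metrics["fortios-log-service-name"] = line
        elif line.startswith("Expire on:"):
            expire = parse_expire_date(second_part(line))
            if expire is not None:
                metrics["fortios-log-service-expire-date"] = expire
        else:
            for name, prefix in PREFIXED_METRICS.items():
                if line.startswith(prefix):
                    metrics[name] = second_part(line)
    return metrics


def expiry_nearing(expire_epoch, now_epoch, threshold_days=30):
    """The rule condition from the Scala class: now < expiry < now + threshold.
    As in the rule, an already-expired service does NOT match (GreaterThan now),
    so a lapsed subscription needs a separate check to be noticed."""
    return now_epoch < expire_epoch < now_epoch + threshold_days * SECONDS_PER_DAY


def expire_date_string(expire_epoch):
    """Render the epoch the way the alert's 'Will expire on %s' line would."""
    return datetime.fromtimestamp(expire_epoch, tz=timezone.utc).strftime("%Y-%m-%d")


if __name__ == "__main__":
    metrics = parse_log_service_status(SAMPLE_OUTPUT)
    # Constructed 'now': 16 days before the sample expiry, inside the 30-day window
    now = metrics["fortios-log-service-expire-date"] - 16 * SECONDS_PER_DAY
    for name, value in metrics.items():
        print(f"{name}: {value}")
    if expiry_nearing(metrics["fortios-log-service-expire-date"], now):
        print(f"{metrics['fortios-log-service-name']}: will expire on "
              f"{expire_date_string(metrics['fortios-log-service-expire-date'])}")
```

Running the module prints the five metrics and the alert line for the constructed sample; swapping in the real command output from a device exercises the same parser. The trimming in second_part and the date validation are the two places where this deviates from the page's AWK, which publishes the raw field and trusts the date format.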