Malformed CEF

Author
epernot
2018/04/09 04:51:43

Hello,

From FortiWeb 5.4 to 5.8 the CEF logs have been changed.
The FortiWeb is sending the destination hostname with " in the field. This is not supposed to be done that way, because ArcSight then doesn't eliminate the " from the hostname.

Another issue is the fact that the destination hostname is sometimes an IP when there's already an IP in the destination address field.

The CEF field "request" is supposed to contain the protocol, hostname/IP, port and path, but now there's only the path in it.

FortiWeb in version 5.4 was way better than 5.8. Is there a way to get the reasons why the logs are getting such bad quality now?

Thanks
Sad User
#1
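A check for the three problems described in the post above, as an added example that is not part of the thread and is not Fortinet or ArcSight code: it parses CEF records and flags a quoted `dhost`, a `dhost` that is an IP literal while `dst` is present, and a `request` that holds only a path. The sample events, header values and flag names are constructed for illustration; `dst`, `dhost` and `request` are the standard CEF extension keys for the fields the post names.

```python
import ipaddress
import re
from urllib.parse import urlsplit

_PIPE = re.compile(r"(?<!\\)\|")  # unescaped header separator
# key=value pairs; a value runs until the next " key=" or the end of the line
_PAIR = re.compile(r"(?:^|\s)(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|\s*$)")

# Constructed sample events (not real FortiWeb output); header values are placeholders.
SAMPLES = [
    'CEF:0|Fortinet|FortiWeb|5.8|1|constructed event|5|src=203.0.113.7 dst=192.0.2.10 dhost="www.example.test" request=/login.php',
    'CEF:0|Fortinet|FortiWeb|5.8|1|constructed event|5|src=203.0.113.7 dst=192.0.2.10 dhost=192.0.2.10 request=/index.html',
    'CEF:0|Fortinet|FortiWeb|5.4|1|constructed event|5|src=203.0.113.7 dst=192.0.2.10 dhost=www.example.test request=https://www.example.test:443/login.php',
]

def parse_cef(line):
    """Return (header_fields, extension_dict) for one CEF record."""
    parts = _PIPE.split(line[line.index("CEF:"):], maxsplit=7)
    if len(parts) < 8:
        raise ValueError("incomplete CEF header")
    # Undo the CEF escapes for "=" and "\" inside extension values.
    ext = {k: re.sub(r"\\([=\\])", r"\1", v) for k, v in _PAIR.findall(parts[7])}
    return parts[:7], ext

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def check_event(ext):
    """Flag the three problems described in the post for one event."""
    problems = []
    dhost = ext.get("dhost", "")
    if dhost.startswith('"') or dhost.endswith('"'):
        problems.append("dhost_quoted")
    if "dst" in ext and _is_ip(dhost.strip('"')):
        problems.append("dhost_is_ip")
    if "request" in ext:
        url = urlsplit(ext["request"])
        if not (url.scheme and url.netloc):
            problems.append("request_path_only")
    return problems

def audit(lines):
    """Return one list of problem flags per input line."""
    return [check_event(parse_cef(line)[1]) for line in lines]
```

Running `audit()` over a sample of events captured before and after an upgrade gives a per-event list of flags that can be attached to a support case.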


    emnoc
    Re: Malformed CEF 2018/04/09 05:44:30
    Have you opened a case with FTNT support? They could address the issues, and I'm assuming the format was different before the upgrade?

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #2
    epernot
    Re: Malformed CEF 2018/04/09 06:26:34
    I should ask my customer to open a ticket; he's doing it already, let's see the answer.
    I was open to seeing someone from Fortinet replying, because this is impacting many more customers.
    #3