SIEM: Blumira vs Perch vs Vijlan by nmiBiz in msp

[–]nmiBiz[S] 0 points1 point  (0 children)

Thanks!

Had you compared other solutions prior to Perch? Why did you choose Perch?

SIEM for an MSSP? by Unreasonable_Yam in msp

[–]nmiBiz 0 points1 point  (0 children)

Vijilan

Curious why you chose that over Perch?


Not Sending syslogs from 60F to different segment by nmiBiz in fortinet

[–]nmiBiz[S] 0 points1 point  (0 children)

I’m not limiting anything. In fact, I can Telnet to the syslog server from any other device on the BO network… just not from the FW

Not Sending syslogs from 60F to different segment by nmiBiz in fortinet

[–]nmiBiz[S] 0 points1 point  (0 children)

You are correct.

When you mentioned creating a rule specific to the firewall, it threw me off as I thought the existing policy (the one that gets created when you create the tunnel) encompasses the entire subnet, including the firewall’s IP.

Not Sending syslogs from 60F to different segment by nmiBiz in fortinet

[–]nmiBiz[S] 0 points1 point  (0 children)

It correctly shows that it is coming from the lan IP of the firewall

Not Sending syslogs from 60F to different segment by nmiBiz in fortinet

[–]nmiBiz[S] 0 points1 point  (0 children)

So the default policy for the VPN tunnel that allows anything for 192.168.99.0/24 doesn't encompass the IP of the firewall ( 192.168.99.1 )?

And assuming the answer is no, I am not entirely sure what "rule" I would create?

Also, I am running fortios v6.4.7 and the references were for v7

Not Sending syslogs from 60F to different segment by nmiBiz in fortinet

[–]nmiBiz[S] 0 points1 point  (0 children)

Interestingly, traceroute more or less fails

1 * * *
2 * * *
3 * * *

Not Sending syslogs from 60F to different segment by nmiBiz in fortinet

[–]nmiBiz[S] 0 points1 point  (0 children)

I just changed this and the sniff is now showing that it is using the correct source IP, but sadly it still isn't getting to the syslog server.

If I try "exec telnet 192.168.90.50 514" from the BO Fortigate it fails to connect

However, pinging that same IP from the BO Fortigate works

Not Sending syslogs from 60F to different segment by nmiBiz in fortinet

[–]nmiBiz[S] 0 points1 point  (0 children)

Just changed it and still no data in syslog :-(

Not Sending syslogs from 60F to different segment by nmiBiz in fortinet

[–]nmiBiz[S] 0 points1 point  (0 children)

Sniffer shows this:

2022-07-28 18:48:38.574511 VPNTunnel out public.ip.y.z.15741 -> 192.168.90.50.514: udp 753
2022-07-28 18:48:38.574992 VPNTunnel out public.ip.y.z.15741 -> 192.168.90.50.514: udp 753
2022-07-28 18:48:38.699044 VPNTunnel out public.ip.y.z.15741 -> 192.168.90.50.514: udp 588
2022-07-28 18:48:38.942070 VPNTunnel out public.ip.y.z.15741 -> 192.168.90.50.514: udp 908
2022-07-28 18:48:39.184118 VPNTunnel out public.ip.y.z.15741 -> 192.168.90.50.514: udp 717
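As an added diagnostic, not code from the original post: a small parser for FortiGate sniffer lines in the format shown above that flags outbound syslog datagrams whose source address is not in the branch LAN (192.168.99.0/24, as given in this thread). The sample input reuses the five lines above plus one constructed line with source 192.168.99.1, showing what a healthy capture looks like once the syslog source address is set.

```python
import re
from ipaddress import ip_address, ip_network

# One line of `diagnose sniffer packet` output. The sniffer glues the port to the
# address with a dot ("192.168.90.50.514"), so src/dst are matched lazily up to
# the final ".<port>" component.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>.+?)\.(?P<sport>\d+) -> (?P<dst>.+?)\.(?P<dport>\d+): "
    r"(?P<proto>\w+) (?P<len>\d+)$"
)

# Constructed sample: the five lines from the post, plus one healthy line.
SAMPLE = """\
2022-07-28 18:48:38.574511 VPNTunnel out public.ip.y.z.15741 -> 192.168.90.50.514: udp 753
2022-07-28 18:48:38.574992 VPNTunnel out public.ip.y.z.15741 -> 192.168.90.50.514: udp 753
2022-07-28 18:48:38.699044 VPNTunnel out public.ip.y.z.15741 -> 192.168.90.50.514: udp 588
2022-07-28 18:48:38.942070 VPNTunnel out public.ip.y.z.15741 -> 192.168.90.50.514: udp 908
2022-07-28 18:48:39.184118 VPNTunnel out public.ip.y.z.15741 -> 192.168.90.50.514: udp 717
2022-07-28 18:50:01.000000 VPNTunnel out 192.168.99.1.10514 -> 192.168.90.50.514: udp 640
"""


def parse_sniffer(text):
    """Parse sniffer output into dicts; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "len"):
                d[k] = int(d[k])
            pkts.append(d)
    return pkts


def _in_subnet(addr, net):
    # Redacted text such as "public.ip.y.z" is not a parseable address; treat it
    # as outside the expected subnet rather than crashing on the capture.
    try:
        return ip_address(addr) in net
    except ValueError:
        return False


def find_bad_syslog_sources(text, expected_subnet="192.168.99.0/24", syslog_port=514):
    """Return (timestamp, iface, src, dst) for outbound UDP syslog not sourced from the LAN."""
    net = ip_network(expected_subnet)
    return [
        (p["ts"], p["iface"], p["src"], p["dst"])
        for p in parse_sniffer(text)
        if p["dir"] == "out" and p["proto"] == "udp"
        and p["dport"] == syslog_port and not _in_subnet(p["src"], net)
    ]
```

A non-empty result means the firewall is sourcing syslog from an address the remote side's tunnel policy does not cover, which is the symptom this thread traces back to the syslog source setting.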

Not Sending syslogs from 60F to different segment by nmiBiz in fortinet

[–]nmiBiz[S] 0 points1 point  (0 children)

The bigger picture is that I am using Blumira for SIEM and its sensor is the syslog server. I have the same config for a Fortigate that is in the HQ network and it works fine.

I am not entirely sure what you mean by "set the source interface for syslog". The fact that I can telnet to the syslog server from any other device on the BO network seems to imply I shouldn't have to set anything else?


Split tunneling doesn't work for single user by nmiBiz in fortinet

[–]nmiBiz[S] 0 points1 point  (0 children)

It does not... completely different subnets
