Replies: 2 comments 3 replies
-
I will move this to discussions until it becomes confirmed as a bug.
-
Hi @davidngrc, the way to handle UDP and TCP is the same. That's a strange behavior that we haven't seen before; we will check, but in the meantime, please check your network: maybe you have some rules that change the origin IP address according to the protocol and generate those alerts. Another thing to know is that, in the case of Fortinet, we capture the value of "devname" as dataSource if present, so maybe in the case of UDP your device sends the IP in the devname log field and it is a blacklisted IP, so the alert rises up. If the devname field isn't present, we identify the origin log machine's IP as the data source. Best regards
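To make the data-source rule in the reply above concrete, here is an added example (my own code, not UTMStack's): it parses a FortiGate key=value syslog line, takes devname when present and the sender IP otherwise, and reports whether the result is an IP literal that a blacklist lookup could match. The log lines and addresses are constructed, and the regex is a simplified reading of the FortiGate format.

```python
import ipaddress
import re

# Constructed FortiGate-style syslog lines for illustration (not from a real device).
LINE_HOSTNAME_DEVNAME = (
    '<189>date=2024-06-01 time=12:00:00 devname="FGT-EDGE-01" '
    'devid="FGT-SERIAL-PLACEHOLDER" type="traffic" srcip=10.0.0.5 '
    'dstip=203.0.113.10 action="accept"'
)
LINE_IP_DEVNAME = (
    '<189>date=2024-06-01 time=12:00:00 devname=198.51.100.7 '
    'type="traffic" srcip=10.0.0.5 dstip=203.0.113.10 action="accept"'
)
LINE_NO_DEVNAME = (
    '<189>date=2024-06-01 time=12:00:00 type="traffic" '
    'srcip=10.0.0.5 dstip=203.0.113.10 action="accept"'
)

# FortiGate key=value fields: the value is either double-quoted or bare (no spaces).
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_kv(line: str) -> dict:
    """Split a FortiGate syslog line into its key=value fields."""
    fields = {}
    for m in _KV_RE.finditer(line):
        quoted, bare = m.group(2), m.group(3)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields


def resolve_data_source(line: str, sender_ip: str) -> str:
    """Apply the rule from the reply above: devname when present,
    otherwise the IP of the machine that delivered the log.
    The transport (UDP or TCP) plays no part in this decision."""
    return parse_fortigate_kv(line).get("devname") or sender_ip


def is_ip_literal(value: str) -> bool:
    """True when the resolved data source is an IP address, i.e. a value
    a blacklist lookup could match; a hostname like FGT-EDGE-01 cannot."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True
```

Run the same line with the same sender IP for the UDP and the TCP path; if the resolved value differs, the difference comes from the network path or the log content, not from the transport.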
-
OS: new Ubuntu Server 24.04, without anything else installed.
Browser: Windows Chrome latest
Version: v10.5.7
We have 2 FortiGate firewalls.
I have set them up to send TCP syslog to the UTMStack agent on port 7005.
On the UTM UI top menu -> Data Source -> Source, I see the two firewalls are added,
and I see some logs are coming in, but there is no error.
I changed the FortiGate firewall to send UDP syslog to the same agent on port 7005.
Now, on the UTM UI, I see a lot of alerts on the "top right -> alarm bell icon"; after I click that icon, it shows a lot of alerts like
"Connection attempt from a blacklisted IP address"
"threatwinds: Connection attempt to a blacklisted IP address-17218...."
"ThreatWinds: Connection attempt from a blacklisted IP address-17116...."
Then I changed the firewall setting to send TCP syslog.
No more such log alerts.
Then I changed the firewall setting to send UDP syslog.
The alert logs appear again.
So, it seems UTMStack handles UDP and TCP syslog differently?