Fortinet black logo

Administration Guide

Security alarms

7.4.0
Copy Link
Copy Doc ID 5c5c1a78-d02f-11ee-8c42-fa163e15d75b:418760
Download PDF

Security alarms

FortiNAC generates a security alarm when a security rule runs.

When you click a specific alarm, the details of the event(s) that triggered the alarm appear in the Events tab. You can also create a new event rule based on the events in the list. The Actions Taken tab displays the actions that were taken for the alarm, the completion status, and whether they were successfully (if applicable).

The fields listed in the table below are displayed in columns on the Security Alarms view based on the selections you make in the Settings window.

Field

Definition

Add Filter

Allows you to select a field from the current view to filter information. Select the field from the drop-down list, and then enter the information you wish to filter. See Filters.

Update

Displays the filtered data in the table.

Pause

Allows user to pause the Security Alarms view from updating with new alarms so specific alarms can be viewed more easily.

Security alarms

Host MAC

The MAC address for the host that triggered the alarm. Click the MAC address to open the Modify Host window where you can register the host and modify host details. See Add or modify a host.

Alarm Date

The date when the alarm was created.

Matched Rule

The name of the rule that created the alarm.

Action

The associated action from the rule when the alarm was created or the action was taken on the alarm. Users can click the action to open the Modify Security Action window and modify the action. See .

If an action is associated to an alarm but was not taken, and the action is then deleted from the Security Actions view, the action is disassociated from the alarm and users may take a new action on the alarm.

If an action was taken on an alarm, and the action is then deleted from the Security Actions view, the action remains visible but is not editable.

Action Taken Date

If an action was taken, shows the date when the action was taken.

Action Taken By

The user who manually took the action on the alarm.

Action Undone Date

If the action was undone, shows the date when the action was undone.

Action Undone By

The user who manually undid the action.

Buttons

Export

Use the Export option to export a list of selected hosts to CSV, Excel, PDF, or RTF formats.

Options

Options displays the same series of menu picks displayed when the right-mouse button is clicked on a selected alarm.

Take Action

User can manually take action on the selected alarm, if action has not already been taken.

Undo Action

User can undo an action if the action has been taken on the selected alarm, but has not been undone.

View Host

Opens the Modify Host window to view and update the details of the host that triggered the alarm. See Add or modify a host.

Right click options

Take Action

User can manually take action on the selected alarm, if action has not already been taken.

Undo Action

User can undo an action if the action has been taken on the selected alarm. When the action is undone, the secondary task is performed on the host if enabled.

View Host

Opens the Modify Host window to view and update the details of the host associated with the selected security event. See Add or modify a host.

View in Host View

Opens the host in Host View. See Hosts.

Events tab

Event Date

The date when the event that triggered the alarm occurred.

Source IP

The IP address for the host that triggered the event.

Source MAC

The MAC address of the host that triggered the event.

Destination IP

The IP address of the host or device the source host was communicating with.

Alert Type

The type of security event that triggered the alarm.

Subtype

The subtype of the security event.

Severity

The severity of the event reported by the security appliance.

Threat ID

A unique identifying code supplied by the vendor for the specific type of threat or event that occurred.

Event Description

A description supplied by the security appliance of the event.

Location

The location of the source host is on the network. For example, this could be the SSID the host is connected to wirelessly, or the port the host is plugged into on a switch.

Right click options

View Details

Displays the details of the security event that triggered the alarm.

View Host

Opens the Modify Host window to view and update the details of the host associated with the selected security event. See Add or modify a host.

View in Host View

Opens the host in Host View. See Hosts.

Create Event Rule

Allows user to create a rule based on the selected events.

Actions taken tab

Action

The action that was taken on the alarm.

Completed

Indicates whether the action was completed.

Security alarms

FortiNAC generates a security alarm when a security rule runs.

When you click a specific alarm, the details of the event(s) that triggered the alarm appear in the Events tab. You can also create a new event rule based on the events in the list. The Actions Taken tab displays the actions that were taken for the alarm, the completion status, and whether they were successfully (if applicable).

The fields listed in the table below are displayed in columns on the Security Alarms view based on the selections you make in the Settings window.

Field

Definition

Add Filter

Allows you to select a field from the current view to filter information. Select the field from the drop-down list, and then enter the information you wish to filter. See Filters.

Update

Displays the filtered data in the table.

Pause

Allows user to pause the Security Alarms view from updating with new alarms so specific alarms can be viewed more easily.

Security alarms

Host MAC

The MAC address for the host that triggered the alarm. Click the MAC address to open the Modify Host window where you can register the host and modify host details. See Add or modify a host.

Alarm Date

The date when the alarm was created.

Matched Rule

The name of the rule that created the alarm.

Action

The associated action from the rule when the alarm was created or the action was taken on the alarm. Users can click the action to open the Modify Security Action window and modify the action. See .

If an action is associated to an alarm but was not taken, and the action is then deleted from the Security Actions view, the action is disassociated from the alarm and users may take a new action on the alarm.

If an action was taken on an alarm, and the action is then deleted from the Security Actions view, the action remains visible but is not editable.

Action Taken Date

If an action was taken, shows the date when the action was taken.

Action Taken By

The user who manually took the action on the alarm.

Action Undone Date

If the action was undone, shows the date when the action was undone.

Action Undone By

The user who manually undid the action.

Buttons

Export

Use the Export option to export a list of selected hosts to CSV, Excel, PDF, or RTF formats.

Options

Options displays the same series of menu picks displayed when the right-mouse button is clicked on a selected alarm.

Take Action

User can manually take action on the selected alarm, if action has not already been taken.

Undo Action

User can undo an action if the action has been taken on the selected alarm, but has not been undone.

View Host

Opens the Modify Host window to view and update the details of the host that triggered the alarm. See Add or modify a host.

Right click options

Take Action

User can manually take action on the selected alarm, if action has not already been taken.

Undo Action

User can undo an action if the action has been taken on the selected alarm. When the action is undone, the secondary task is performed on the host if enabled.

View Host

Opens the Modify Host window to view and update the details of the host associated with the selected security event. See Add or modify a host.

View in Host View

Opens the host in Host View. See Hosts.

Events tab

Event Date

The date when the event that triggered the alarm occurred.

Source IP

The IP address for the host that triggered the event.

Source MAC

The MAC address of the host that triggered the event.

Destination IP

The IP address of the host or device the source host was communicating with.

Alert Type

The type of security event that triggered the alarm.

Subtype

The subtype of the security event.

Severity

The severity of the event reported by the security appliance.

Threat ID

A unique identifying code supplied by the vendor for the specific type of threat or event that occurred.

Event Description

A description supplied by the security appliance of the event.

Location

The location of the source host is on the network. For example, this could be the SSID the host is connected to wirelessly, or the port the host is plugged into on a switch.

Right click options

View Details

Displays the details of the security event that triggered the alarm.

View Host

Opens the Modify Host window to view and update the details of the host associated with the selected security event. See Add or modify a host.

View in Host View

Opens the host in Host View. See Hosts.

Create Event Rule

Allows user to create a rule based on the selected events.

Actions taken tab

Action

The action that was taken on the alarm.

Completed

Indicates whether the action was completed.