What Changed

New ASIM Authentication parser for Fortinet FortiGate that normalises administrator authentication events to the standardised Authentication schema.

Parser Impact

Two new functions are added to the ASIM Authentication framework:

  • ASimAuthenticationFortinetFortigate: Standard normalisation parser
  • vimAuthenticationFortinetFortigate: Filtering-enabled parser with parameter support

The parser transforms FortiGate CEF logs from the CommonSecurityLog table into ASIM-compliant authentication events. It processes both login (system event login) and logout (system event logout) activities and filters out unrelated events such as FortiCloud join attempts.

Detection Surface Unlocked

Data Source: FortiGate administrative authentication logs in CEF format, read from the CommonSecurityLog table

Event Types Normalised:

  • Administrator login attempts (success/failure with detailed failure reasons)
  • Administrator logout events
  • IP-based access policy violations
  • Certificate authentication failures

Key Fields Mapped:

  • Source IP address and target device identification
  • Username and authentication result details
  • Event timing and severity classification
  • Failure categorisation (incorrect password, user disabled, policy violations)

This parser enables ASIM-based detections to monitor FortiGate administrative access patterns without vendor-specific query syntax.
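
An added example, not part of this change or the project's own content: a detection over the normalised events that flags source IPs with repeated failed FortiGate administrator logons and notes whether a success followed. It uses only standard ASIM Authentication fields; the lookback window and failure threshold are assumptions to tune per environment.

```kusto
// Added example: repeated failed FortiGate admin logons per source IP and device.
// Assumptions: 1h lookback and a threshold of 5 failures; adjust to your baseline.
let lookback = 1h;
let failureThreshold = 5;
ASimAuthenticationFortinetFortigate
| where TimeGenerated > ago(lookback)
| where EventType == "Logon"                       // ignore logout events
| summarize
    Failures       = countif(EventResult == "Failure"),
    Successes      = countif(EventResult == "Success"),
    FailureReasons = make_set_if(EventResultDetails, EventResult == "Failure", 10),
    TargetedUsers  = make_set(TargetUsername, 20),
    FirstSeen      = min(TimeGenerated),
    LastFailure    = maxif(TimeGenerated, EventResult == "Failure"),
    LastSuccess    = maxif(TimeGenerated, EventResult == "Success")
    by SrcIpAddr, Dvc
| where Failures >= failureThreshold
// A success later than the last failure suggests the guessing may have worked.
| extend SuccessAfterFailures = Successes > 0 and LastSuccess > LastFailure
| extend DistinctUsers = array_length(TargetedUsers)
| project FirstSeen, LastFailure, LastSuccess, Dvc, SrcIpAddr,
          Failures, Successes, SuccessAfterFailures,
          DistinctUsers, TargetedUsers, FailureReasons
| order by SuccessAfterFailures desc, Failures desc
```

Because the query depends only on schema fields, replacing the first line with the unifying parser imAuthentication applies the same logic to every normalised authentication source.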

Affected Files

ASIM/dev/ASimTester/ASimTester.csv
Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json
Parsers/ASimAuthentication/ARM/ASimAuthenticationFortinetFortigate/ASimAuthenticationFortinetFortigate.json
Parsers/ASimAuthentication/ARM/ASimAuthenticationFortinetFortigate/README.md
Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json
Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json
Parsers/ASimAuthentication/ARM/vimAuthenticationFortinetFortigate/README.md
Parsers/ASimAuthentication/ARM/vimAuthenticationFortinetFortigate/vimAuthenticationFortinetFortigate.json
Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md
Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationFortinetFortigate.md
Parsers/ASimAuthentication/CHANGELOG/imAuthentication.md
Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationFortinetFortigate.md
Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml
Parsers/ASimAuthentication/Parsers/ASimAuthenticationFortinetFortigate.yaml
Parsers/ASimAuthentication/Parsers/imAuthentication.yaml
Parsers/ASimAuthentication/Parsers/vimAuthenticationFortinetFortigate.yaml