
User Guide

Zscaler setup

Cloud NSS

Zscaler Cloud NSS is a managed service from Zscaler. When using Cloud NSS, you do not need to deploy the NSS Virtual Machines. Cloud NSS sends logs to an HTTP endpoint or an S3 bucket. The integration with FortiNDR uses the S3 bucket path. Check with your Zscaler account team to ensure this subscription is enabled.

Cloud NSS Setup for S3

Ensure that you have the following to configure Zscaler Cloud NSS. Contact Fortinet Support to obtain these values.

  • AWS Access Id
  • AWS Secret Key
  • S3 Folder URL

Using S3 requires the correct set of permissions and configuration. To learn more, see the Zscaler and S3 Deployment Guide, section Zscaler Cloud NSS with Amazon S3, on setting up S3 to work with Cloud NSS.

Configuring Cloud NSS for Web Logs

The following configuration information was adapted from the Zscaler and Fortinet Deployment Guide.

To configure Cloud NSS for Web Logs:
  1. Log in as an administrator and go to Administration > Nanolog Streaming Service.
  2. Go to Cloud NSS Feeds and click Add Cloud NSS Feed.
  3. In the Add Cloud NSS Feed dialog, configure the following:

    Feed Name: Enter a Feed Name.
    NSS Type: Select NSS for Web.
    Status: Enabled
    SIEM Rate: Unlimited
    SIEM Type: S3
    AWS Access Id: Enter the access ID.
    AWS Secret Key: Enter the secret key.
    S3 Folder URL: Enter the folder URL.
    HTTP Headers: Enter a dummy HTTP key and value pair. This is required.
    Log Type: Select Web Log.
    Feed Output Type: Select Custom.
    Feed Escape Character: Enter ,\"
    Feed Output Format: Enter the following as a single line:

    zscaler_log_type=web\ttimestamp=%d{yyyy}-%02d{mth}-%02d{dd}T%02d{hh}:%02d{mm}:%02d{ss}Z\tzscaler_recordid=%d{recordid}\tzscaler_proto=%s{proto}\tsrc_ip=%s{cip}\tdst_ip=%s{sip}\tstatus_code=%s{respcode}\tmethod=%s{reqmethod}\tuser_agent=%s{ua}\treferrer=%s{ereferer}\trequest_length=%d{reqsize}\tresponse_length=%d{respsize}\turi=%s{eurl}\tfile_md5=%s{bamd5}\tcontent_type=%s{contenttype}\tclient_cipher=%s{clientsslcipher}\tclient_version=%s{clienttlsversion}\tserver_cipher=%s{srvsslcipher}\tserver_version=%s{srvtlsversion}\tzscaler_username=%s{login}\tzscaler_hostname=%s{devicehostname}
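Once the feed is writing to S3, each record is the Feed Output Format above with every %..{..} placeholder filled in: tab-separated key=value fields, one record per line. The following is an added example (not Fortinet or Zscaler code) that derives the expected field list from that template and checks a parsed record against it, so a truncated record or a feed whose format was edited later is caught before ingestion; the sample record is constructed. The firewall and DNS feeds described next use the same layout, so the same functions apply to their templates.

```python
"""Parse and validate records from a Zscaler Cloud NSS custom feed.

Added example (not Fortinet or Zscaler code). WEB_FORMAT is the Feed Output
Format from this page; SAMPLE is a constructed record of the shape the feed
writes to S3: tab-separated key=value fields, one record per line.
"""
from __future__ import annotations

# Literal "\t" separators, exactly as typed into the Feed Output Format field.
WEB_FORMAT = (
    r"zscaler_log_type=web\ttimestamp=%d{yyyy}-%02d{mth}-%02d{dd}T%02d{hh}:%02d{mm}:%02d{ss}Z"
    r"\tzscaler_recordid=%d{recordid}\tzscaler_proto=%s{proto}\tsrc_ip=%s{cip}\tdst_ip=%s{sip}"
    r"\tstatus_code=%s{respcode}\tmethod=%s{reqmethod}\tuser_agent=%s{ua}\treferrer=%s{ereferer}"
    r"\trequest_length=%d{reqsize}\tresponse_length=%d{respsize}\turi=%s{eurl}\tfile_md5=%s{bamd5}"
    r"\tcontent_type=%s{contenttype}\tclient_cipher=%s{clientsslcipher}"
    r"\tclient_version=%s{clienttlsversion}\tserver_cipher=%s{srvsslcipher}"
    r"\tserver_version=%s{srvtlsversion}\tzscaler_username=%s{login}\tzscaler_hostname=%s{devicehostname}"
)

# Constructed record (real tabs) carrying the 21 fields WEB_FORMAT produces.
SAMPLE = (
    "zscaler_log_type=web\ttimestamp=2024-05-01T12:34:56Z\tzscaler_recordid=1001\t"
    "zscaler_proto=HTTPS\tsrc_ip=10.0.0.5\tdst_ip=203.0.113.10\tstatus_code=200\tmethod=GET\t"
    "user_agent=Mozilla/5.0\treferrer=\trequest_length=512\tresponse_length=2048\t"
    "uri=www.example.com/search?q=a=b&lang=en\tfile_md5=\tcontent_type=text/html\t"
    "client_cipher=TLS_AES_128_GCM_SHA256\tclient_version=TLSv1.3\t"
    "server_cipher=TLS_AES_256_GCM_SHA384\tserver_version=TLSv1.3\t"
    "zscaler_username=alice@example.com\tzscaler_hostname=LAPTOP-01\n"
)

def template_keys(fmt: str) -> list[str]:
    """Field names a feed configured with `fmt` emits, in feed order."""
    return [field.split("=", 1)[0] for field in fmt.split(r"\t")]

def parse_record(line: str) -> dict[str, str]:
    """Map one record to key -> value. Only the first '=' splits a field, so
    '=' inside a URL query string stays in the value. A field without '=' means
    a truncated record or a drifted feed format: fail rather than half-ingest."""
    record: dict[str, str] = {}
    for field in line.rstrip("\n").split("\t"):
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed field {field!r}")
        record[key] = value
    return record

def missing_fields(record: dict[str, str], fmt: str) -> list[str]:
    """Fields the configured format promises that this record lacks."""
    return [key for key in template_keys(fmt) if key not in record]
```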

Configuring Cloud NSS for Firewall Logs

To configure Firewall logs, follow the steps in Configuring Cloud NSS for Web Logs with the following exceptions.

NSS Type: Select NSS for Firewall.
Log Type: Select Firewall Logs.
Firewall Log Type: Both Session and Aggregate Logs
Feed Output Format: Enter the following as a single line:

zscaler_log_type=firewall\ttimestamp=%d{yyyy}-%02d{mth}-%02d{dd}T%02d{hh}:%02d{mm}:%02d{ss}Z\tzscaler_recordid=%d{recordid}\tsrc_ip=%s{csip}\tsrc_port=%d{csport}\tdst_ip=%s{cdip}\tdst_port=%d{cdport}\tduration=%d{durationms}\tprotocol=%s{ipproto}\tservice=%s{nwsvc}\trequest_bytes=%ld{outbytes}\tresponse_bytes=%ld{inbytes}\tzscaler_username=%s{login}\

Configuring Cloud NSS for DNS Logs

To configure DNS logs, follow the steps in Configuring Cloud NSS for Web Logs with the following exceptions.

NSS Type: Select NSS for Firewall.
Log Type: Select DNS Logs.
Feed Output Format: Enter the following as a single line:

zscaler_log_type=dns\ttimestamp=%d{yyyy}-%02d{mth}-%02d{dd}T%02d{hh}:%02d{mm}:%02d{ss}Z\tzscaler_recordid=%d{recordid}\tsrc_ip=%s{cip}\tdst_ip=%s{sip}\tdst_port=%d{sport}\tquery=%s{req}\tqtype_name=%s{reqtype}\tresponse=%s{res}\tzscaler_username=%s{login}\
