
External Systems Configuration Guide

Fortinet FortiGate Firewall

What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
SNMP | Host name, hardware model, network interfaces, operating system version | Uptime, CPU and memory utilization, network interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths). For 5xxx series firewalls, per-CPU utilization (event PH_DEV_MON_FORTINET_PROCESSOR_USGE) | Availability and Performance Monitoring
Telnet/SSH | Running configuration | Configuration change | Performance Monitoring, Security and Compliance
Syslog | Device type | All traffic and system logs | Availability, Security and Compliance
Netflow | - | Firewall traffic, application detection and application link usage metrics | Security monitoring and compliance, Firewall Link Usage and Application monitoring

Event Types

In ADMIN > Device Support > Event, search for "fortigate" in the Name and Description columns to see the event types associated with this device.

Rules

In Resource > Rules, search for "fortigate" in the Name column to see the rules associated with this device.

Reports

Search for Reports under Network device, Firewall and Security groups.

Configuring SNMP on FortiGate

Follow these steps to configure SNMP on FortiGate. For more information on configuring the FortiGate to allow detailed interface monitoring using SNMP, see Data Source in the FortiSIEM User’s Guide.

  1. Log in to your firewall as an administrator.
  2. Go to System > Network.
  3. Select the FortiGate interface IP that FortiSIEM will use to communicate with your device, and then click Edit.
  4. For Administrative Access, make sure that SSH and SNMP are selected. Enable them only on the interface that faces the FortiSIEM collector, not on Internet-facing interfaces.
  5. Click OK.
  6. Go to System > Config > SNMP v1/v2c.
  7. Click Create New to create the community that FortiSIEM will query (the default example uses the name public). An SNMP v1/v2c community name travels in clear text and is the only credential, so use a non-default name and restrict the community's allowed hosts to the FortiSIEM collector address.

Configuring SSH on FortiSIEM to communicate with FortiGate

Caution: When the FortiSIEM Collector's SSH client connects to a FortiGate, it may try public-key authentication before falling back to a password. That attempt fails, and the FortiGate logs the failed login, which can generate alerts. To prevent this, make the client use password authentication only, either per user (recommended) or globally, as follows:

  1. Log in to the FortiSIEM node that communicates with FortiGate via SSH, as admin.
  2. Open /opt/phoenix/bin/.ssh/config, creating the file if it does not exist.
  3. Add these two lines and save:
    PreferredAuthentications password
    PubkeyAuthentication no
  4. Ensure that the file is owned by admin and readable only by that user (ssh refuses to load a config file that is owned by someone else or writable by others):
    chown admin:admin /opt/phoenix/bin/.ssh/config
    chmod 600 /opt/phoenix/bin/.ssh/config
  5. Verify using the commands:
    su admin
    ssh -v <fgt host>

    Verification is successful if the following files are found:

Alternatively, modify the global ssh_config file as below. Since this is a global configuration, every SSH client on the node will use this setting, including connections to any other devices that FortiSIEM reaches over SSH with key-based authentication. Prefer the per-user file above, or place the two lines under a Host block that names only the FortiGate addresses.

  1. Log in to a FortiSIEM node that communicates with FortiGate via SSH, as root.
  2. Open /etc/ssh/ssh_config.
  3. Add these two lines and save:
    PreferredAuthentications password
    PubkeyAuthentication no

The following commands are used for discovery and performance monitoring via SSH. Make sure that the access credentials you provide in FortiSIEM have the permissions necessary to execute them on the device. Both are read-only show commands, so the account does not need write access; note that show full-configuration returns the entire device configuration, so protect the credential accordingly.

    show firewall address
    show full-configuration

Sending Logs Over VPN

If you are sending these logs across a VPN, the FortiGate takes the source address of its own system traffic from the egress interface, which is normally the WAN interface, so the packets may not match the tunnel's selectors or may reach FortiSIEM from an unexpected address. Change this by setting the source-ip option to the address of the FortiGate's internal/LAN interface.

With the Web GUI
  1. Log in to your firewall as an administrator.
  2. Go to Log & Report > Log Config > syslog.
  3. Enter the IP address, port number, minimum log level and facility for your FortiSIEM virtual appliance.
  4. Make sure that CSV format is not selected.
With the CLI
  1. Connect to the FortiGate firewall over SSH and log in.
  2. To configure your firewall to send syslog over UDP, enter these commands, replacing 192.168.53.2 with the IP address of your FortiSIEM virtual appliance. Plain UDP syslog is neither encrypted nor authenticated, so carry it across the VPN described above or another trusted path.
    config log syslogd setting
        set status enable
        set server "192.168.53.2"
        set facility user
        set port 514
    end
  3. Verify the settings. The show command omits settings that are still at their default value, which is why set port 514 does not appear below; use show full-configuration to display every value.
    frontend # show log syslogd setting
    config log syslogd setting
        set status enable
        set server "192.168.53.2"
        set facility user
    end

Configuring FortiSIEM for SNMP and SSH access to FortiGate

You can now configure FortiSIEM to communicate with your device by following the instructions in the User Guide > Section: Configuring FortiSIEM > Discovering Infrastructure > Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics under Discovering Infrastructure.

Configuring FortiAnalyzer to send logs to FortiSIEM

If you are already sending FortiGate logs to FortiAnalyzer, then you can forward those logs to FortiSIEM by configuring FortiAnalyzer as follows:

  1. Log in to FortiAnalyzer.
  2. Go to System Settings > Advanced > Syslog Server.
    1. Click the Create New button.
    2. Enter the Name. (It is recommended to use the name of the FortiSIEM server.)
    3. Fill in the IP address (or FQDN) with the IP or fully qualified name of the FortiSIEM server.
    4. Leave the Syslog Server Port at the default value 514.
    5. Click OK to save your entries.
  3. Go to System Settings > Dashboard > CLI Console.
  4. Click in the CLI Console and enter the following commands, replacing a.b.c.d with the FortiSIEM address. The setting fwd-log-source-ip original_ip keeps the originating FortiGate's address as the syslog source, so FortiSIEM attributes each event to the right firewall rather than to FortiAnalyzer.
    • For FortiAnalyzer versions 5.6 and later:
      config system log-forward
          edit 1
              set mode forwarding
              set fwd-max-delay realtime
              set server-name "FortiSIEM"
              set server-ip "a.b.c.d"
              set fwd-log-source-ip original_ip
              set fwd-server-type syslog
          next
      end
    • For FortiAnalyzer versions earlier than 5.6 (replace 1 with the number of your FortiSIEM syslog entry):
      config system aggregation-client
          edit 1
              set fwd-log-source-ip original_ip
      end

Configuring FortiGate to send Netflow via CLI

  1. Connect to the FortiGate firewall over SSH and log in.
  2. To configure your firewall to send Netflow over UDP, enter the following commands, replacing <FortiSIEM IP> with the address of the FortiSIEM collector:
    config system netflow
        set collector-ip <FortiSIEM IP>
        set collector-port 2055
    end
  3. Enable Netflow on the appropriate interfaces, replacing port1 with your interface name:
    config system interface
        edit port1
            set netflow-sampler both
        end
  4. Optional - Using Netflow with VDOMs
    For VDOM environments, excluding the management VDOM, the collector settings must be configured in the global context and the sampler then enabled on interfaces inside the VDOM:
    config global
        config system netflow
            set collector-ip <FortiSIEM IP>
            set collector-port 2055
            set source-ip <source-ip>
        end
    end
    config vdom
        edit root
            config system interface
                edit wan1
                    set netflow-sampler both
                end
        end
    Here root is an example VDOM name and wan1 an example interface; change both to the VDOM and interface whose traffic you want to export. Netflow is plain UDP, so as with syslog, choose a source-ip that reaches the collector over a trusted path.

Configuring FortiGate to send Application names in Netflow via GUI

  1. Log in to FortiGate.
  2. Go to Policy & Objects > IPv4 Policy.
  3. Click the Policy IDs you wish to receive application information from.
  4. Add SSL inspection and Application Control to the policy by clicking the + button in the Security Profiles column. Application Control supplies the application names; the SSL inspection profile is what lets it identify applications inside TLS sessions.

Example of FortiGate Syslog parsed by FortiSIEM

<185>date=2010-04-11 time=20:31:25 devname=APS3012404200944 device_id=APS3012404200944 log_id=0104032002 type=event subtype=admin pri=alert vd=root user="root" ui=ssh(10.1.20.21) action=login status=failed reason="name_invalid"msg="Administrator root login failed from ssh(10.1.20.21) because of invalid user name"
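The following Python script is an added example; it is not part of this guide and is not FortiSIEM's own parser. It tokenizes the key=value message above exactly as printed (including the missing space between reason="name_invalid" and msg=), decodes the <185> PRI header into facility 23 (local7) and severity alert, cross-checks that against the message's own pri= field, pulls the client address out of ui=ssh(...), and counts failed administrator logins per source address, which is the kind of condition the FortiGate rules referenced earlier match on. SAMPLE is copied from this page; SUCCESS_SAMPLE and all function names are constructed for the example.

```python
"""Parse FortiGate key=value syslog and flag failed admin logins (added example)."""
import re
from collections import Counter
from datetime import datetime

# Copied from this page: one FortiGate admin login failure. As printed there is
# no space between reason="name_invalid" and msg=...; the tokenizer copes with it.
SAMPLE = (
    '<185>date=2010-04-11 time=20:31:25 devname=APS3012404200944 device_id=APS3012404200944 '
    'log_id=0104032002 type=event subtype=admin pri=alert vd=root user="root" '
    'ui=ssh(10.1.20.21) action=login status=failed reason="name_invalid"'
    'msg="Administrator root login failed from ssh(10.1.20.21) because of invalid user name"'
)
# Constructed for contrast (not a real device log): a successful login, PRI 190 = local7.information.
SUCCESS_SAMPLE = (
    '<190>date=2010-04-11 time=20:32:01 devname=APS3012404200944 device_id=APS3012404200944 '
    'type=event subtype=admin pri=information vd=root user="admin" ui=ssh(10.1.20.22) '
    'action=login status=success msg="Administrator admin login successful from ssh(10.1.20.22)"'
)

# Syslog severity codes 0..7, spelled the way FortiGate spells its pri= field
# so the header can be compared with the message body directly.
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "information", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")
# key=value where value is a double-quoted string (allowing \" escapes) or a run of
# non-space characters. Scanning with findall also handles ui=ssh(10.1.20.21) and
# a quoted value glued directly onto the next key.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s"]+)')
SRC_IN_UI_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_fortigate_syslog(line):
    """Return the message's key=value fields plus decoded PRI and derived fields."""
    event = {}
    m = PRI_RE.match(line)
    if m:
        pri = int(m.group(1))
        if pri > 191:  # facility 23 is the highest defined (RFC 5424)
            raise ValueError("PRI out of range: %d" % pri)
        event["syslog_facility"] = pri >> 3              # 185 >> 3 == 23 (local7)
        event["syslog_severity"] = SEVERITIES[pri & 7]    # 185 & 7 == 1 (alert)
        line = line[m.end():]
    for key, raw in KV_RE.findall(line):
        if raw.startswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        event[key] = raw
    if "date" in event and "time" in event:
        event["timestamp"] = datetime.strptime(event["date"] + " " + event["time"], "%Y-%m-%d %H:%M:%S")
    if "ui" in event:
        m = SRC_IN_UI_RE.search(event["ui"])
        if m:
            event["src_ip"] = m.group(1)
    return event


def header_matches_pri(event):
    """True when the syslog PRI severity agrees with FortiGate's own pri= field."""
    return event.get("syslog_severity") == event.get("pri")


def is_failed_admin_login(event):
    return (event.get("type") == "event" and event.get("subtype") == "admin"
            and event.get("action") == "login" and event.get("status") == "failed")


def failed_logins_by_source(lines):
    """Count failed administrator logins per source IP across a batch of lines."""
    counts = Counter()
    for line in lines:
        ev = parse_fortigate_syslog(line)
        if is_failed_admin_login(ev):
            counts[ev.get("src_ip", "unknown")] += 1
    return counts


if __name__ == "__main__":
    ev = parse_fortigate_syslog(SAMPLE)
    print(ev["syslog_facility"], ev["syslog_severity"], ev["pri"], ev.get("src_ip"), ev["reason"])
    print(dict(failed_logins_by_source([SAMPLE, SAMPLE, SUCCESS_SAMPLE])))
```

Feed it the lines as FortiSIEM would receive them, PRI header included; the facility/severity check is a cheap way to notice when a relay (FortiAnalyzer forwarding, for instance) has rewritten the header, and the per-source counter is the seed of a brute-force rule.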
