External Systems Configuration Guide

Fortinet FortiAnalyzer

Overview

Customers of both FortiAnalyzer and FortiSIEM may want to take already aggregated event data received on FortiAnalyzer and forward those events to FortiSIEM.

Configuring FortiAnalyzer

Setting Up the Syslog Server
  1. Log in to FortiAnalyzer.
  2. Go to System Settings > Advanced > Syslog Server.
    1. Click the Create New button.
    2. Enter the Name. (It is recommended to use the name of the FortiSIEM server.)
    3. Fill in the IP address (or FQDN) field with the IP address or fully qualified domain name of the FortiSIEM server.
    4. Leave the Syslog Server Port at the default value '514'.
    5. Click OK to save your entries.
Pre-Configuration for Log Forwarding

To configure FortiAnalyzer event forwarding to FortiSIEM, you must first set up the following.

  1. Install a FortiSIEM collector in the same subnet as the FortiAnalyzer that will be forwarding the events.
    Note: The same-subnet requirement exists because FortiAnalyzer will later be configured to spoof the original sender's IP address in packets sent to the collector. If FortiAnalyzer and the collector were on different subnets, RPF (reverse path forwarding) checks on the intervening network equipment would have to be disabled for those spoofed packets to pass.

  2. It is recommended that for every 5,000 EPS (events per second) ingested, you add 1 collector with 8 vCPU and 8 GB RAM. If you have more than 5,000 EPS forwarding from FortiAnalyzer, set up a load balancer with multiple collectors behind it, allowing UDP 514 inbound.

Configuring Log Forwarding

Take the following steps to configure log forwarding on FortiAnalyzer.

  1. Go to System Settings > Log Forwarding.

  2. Click the Create New button in the toolbar. The Create New Log Forwarding pane opens.

  3. Fill in the information as per the table below, then click OK to create the new log forwarding entry. The FortiAnalyzer device will start forwarding logs to the server.

    Field                 Input
    Name                  FortiSIEM-Forwarding
    Status                On
    Remote Server Type    Syslog
    Compression           OFF
    Sending Frequency     Real-time

    Log Forwarding Filters

    Select all desired Administrative Domains (ADOMs) / device logs you’d like to forward

  4. Go to the CLI Console and configure the CLI-only log forward options by running the following CLI commands.
    Notes:

    • Logs received by FortiAnalyzer, and then forwarded to FortiSIEM, have the source IP of the log packet overwritten with the IP address of the FortiAnalyzer appliance. This hides the “true” source of the log packet from FortiSIEM. To override this behavior, FortiAnalyzer can spoof the original log sender's IP address when forwarding to FortiSIEM. This allows FortiSIEM collectors to receive all the original information as if they had received the logs directly from the originating device.

    • For FortiAnalyzer versions 6.0 and later, use the following CLI:
      Note: Replace <id> with the actual name of the log forward created earlier.

      config system log-forward
          edit <id>
              set mode forwarding
              set fwd-max-delay realtime
              set server-name "<FSM_Collector>"
              set server-ip "a.b.c.d"
              set fwd-log-source-ip original_ip
              set fwd-server-type syslog
          next
      end
    • For FortiAnalyzer versions 5.6 to 5.9, use the following CLI:
      Note: Replace <id> with the actual name of the log forward created earlier.

      config system log-forward
          edit <id>
              set mode forwarding
              set fwd-max-delay realtime
              set server-ip "a.b.c.d"
              set fwd-log-source-ip original_ip
              set fwd-server-type syslog
          next
      end
    • For FortiAnalyzer versions earlier than 5.6, use the following CLI:
      Note: For <id>, you can choose the number for your FortiSIEM syslog entry.

      config system aggregation-client
          edit <id>
              set fwd-log-source-ip original_ip
      end

Configuring FortiSIEM Collector to Receive Logs from FortiAnalyzer

To configure the FortiSIEM collector to receive logs from FortiAnalyzer, you will need to disable the RPF checks that would otherwise cause the collector virtual machine to drop the log packets, because their source IP address is spoofed.

sysctl -w net.ipv4.conf.all.rp_filter=0

To make this change persistent across reboots, add the following code to the /etc/sysctl.conf file.

net.ipv4.conf.all.rp_filter=0
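As an added example (not part of this guide), the following POSIX shell helpers check which collector interfaces would still drop the spoofed-source packets, because the kernel applies the larger of the all and per-interface rp_filter values, and then relax the check persistently for only the interface facing FortiAnalyzer (the interface name eth0 is an assumption).

```shell
#!/bin/sh
# Added example, not part of the Fortinet guide. The kernel applies
# max(net.ipv4.conf.all.rp_filter, net.ipv4.conf.<iface>.rp_filter) to each
# interface, so "all=0" alone leaves strict RPF on any interface whose own
# value is still 1. These helpers find such interfaces, then relax the check
# only on the interface facing FortiAnalyzer (name is an assumption).

# Effective rp_filter mode (0 = off, 1 = strict, 2 = loose) for one interface.
effective_rp_filter() {
  if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Print interfaces that would still drop the spoofed-source log packets, given
# "sysctl -a | grep rp_filter" style output ("key = value" per line) as $1.
still_filtering() {
  all_val=$(printf '%s\n' "$1" | sed -n 's/^net\.ipv4\.conf\.all\.rp_filter *= *//p')
  printf '%s\n' "$1" |
    sed -n 's/^net\.ipv4\.conf\.\([^.]*\)\.rp_filter *= *\(.*\)$/\1 \2/p' |
    while read -r iface val; do
      case "$iface" in all|default|lo) continue ;; esac
      if [ "$(effective_rp_filter "$all_val" "$val")" -ne 0 ]; then echo "$iface"; fi
    done
  return 0
}

# Disable RPF on the FortiAnalyzer-facing interface and persist it in
# /etc/sysctl.conf without appending duplicate lines on repeated runs.
apply_rp_filter_off() {
  iface=$1
  sysctl -w net.ipv4.conf.all.rp_filter=0 "net.ipv4.conf.${iface}.rp_filter=0"
  for key in net.ipv4.conf.all.rp_filter "net.ipv4.conf.${iface}.rp_filter"; do
    grep -qF "${key}=0" /etc/sysctl.conf || echo "${key}=0" >> /etc/sysctl.conf
  done
}

# Constructed sample of sysctl output for a collector where "all" was already
# set to 0 but eth0 still enforces strict RPF.
SAMPLE_SYSCTL='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0'

# Usage on a real collector (eth0 assumed to face FortiAnalyzer):
#   still_filtering "$(sysctl -a 2>/dev/null | grep rp_filter)"
#   apply_rp_filter_off eth0
```

Keeping rp_filter enabled on every other interface limits the relaxation to the one path that legitimately carries spoofed-source syslog.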
