Fortinet black logo

External Systems Configuration Guide

Palo Alto Cortex XDR

Palo Alto Cortex XDR

Event Types

In ADMIN > Device Support > Event Types, search for "cortexXDR" to see the event types associated with this device. In FortiSIEM 6.3.0, there are 9 event types for Cortex XDR.

Rules

In RESOURCES > Rules, search for "cortex" in the main content panel Search... field.

Reports

No specific reports are available for Palo Alto Cortex XDR.

Configuration

For the latest Palo Alto Cortex XDR documentation, see https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/logs/integrate-a-syslog-receiver-for-outbound-notifications.html.

Public or Self Signed Certificate Configuration

Fortinet recommends configuring Syslog over TLS for Cortex XDR.

You can generate either a public certificate or a self signed certificate.

Prerequisites

  • Ensure you have a collector that is publicly exposed (has a public IP with port TCP 6514 open).

  • Be sure to specify a valid FQDN when registering the collector, and make sure a public DNS A record exists for it.

  • Add a whitelist to restrict all traffic only from these destinations based on your region listed in the documentation here.

Public Certificate Generation and Application Configuration

Take the following steps:

  1. Generate a SSL/TLS certificate using a public certificate. A public certificate can be signed by a public certificate authority (CA) such as DigiCert, or GoDaddy.

  2. Run the following command on your collector to generate a CSR (Certificate Signing Request)

    cd /tmp

    openssl req -new -newkey rsa:4096 -nodes -keyout /etc/pki/tls/private/tls-collector1.key -out tls-collector1.csr

  3. Take the following actions when prompted.

    1. When Prompted for Country Name, enter your Country Abbreviation. For example, the United States is "US".

    2. Enter your State or Province. For example, California would be "CA".

    3. Enter your Locality. For example, a city would be "Sunnyvale".

    4. Enter your desired org name. For example, "Fortinet".

    5. Enter Unit Name, which is optional. For example, "IT".

    6. Enter Common Name. It must match the FQDN of collector. For example, "collector1.myorg.fortinet.com".

    7. Email Address. This can be left blank. Hit "enter" to continue.

    8. If prompted for a challenge password, hit "enter" to leave blank and continue.

    9. Hit enter again to confirm.
      A Certificate Signing Request is created in /tmp/tls-collector1.csr.

  4. Using WinScp or another SCP utility, download this CSR file to your desktop.

  5. Go to your preferred public CA, and upload this CSR when prompted to generate a new SSL certificate file.

    When you have your new Certificate ZIP file, it will normally contain 2-3 files.

  6. WinSCP zip file to /tmp of the Collector.

  7. Unzip the file if needed, by using the following command.

    unzip <filename>.zip

    The .crt file is your certificate, and is usually a concatenation of all chain certificates.

  8. Rename the cert files if needed using similar commands here.

    cd /tmp

    mv 11111111.crt tls-collector1.crt

  9. Copy the cert to the correct folder using the following command.

    cp tls-collector1.crt /etc/pki/tls/certs/tls-collector1.crt

  10. Set permissions using the following command.
    chmod 644 /etc/pki/tls/certs/tls-collector1.crt

    chmod 640 /etc/pki/tls/private/tls-collector1.key

    chown root:admin /etc/pki/tls/private/tls-collector1.key

  11. On the Collector, update the /opt/phoenix/config/phoenix_config.txt file to reference the new tls cert using the following command.
    vi /opt/phoenix/config/phoenix_config.txt

  12. Locate the following lines in your phoenix_config.txt file.
    listen_tls_port_list=6514

    tls_certificate_file=/etc/pki/tls/certs/localhost.crt

    tls_key_file=/etc/pki/tls/private/localhost.key

    and replace the cert and key file with the following:

    listen_tls_port_list=6514

    tls_certificate_file=/etc/pki/tls/certs/tls-collector1.crt

    tls_key_file=/etc/pki/tls/private/tls-collector1.key

  13. Save the file, and as root, restart phParser using the following command.

    killall -9 phParser

  14. Define the Syslog server parameters (See step 4 in Integrate a Syslog Receiver for more information).

    • Name: FortiSIEM_Public_Collector

    • Destination: Pulbic IP or FQDN of FortiSIEM Collector

    • Port: 6514

    • Facility: Informational, or Default Value

    • Protocol: TCP + SSL/TLS

    • Certificate: You do not need to upload as it is a public signed SSL certificate.

  15. Click Create.

Self Signed Certificate Generation and Application Configuration

Take the following steps:

  1. On the Collector, run the following commands as root.

    cd /tmp

    openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -keyout /etc/pki/tls/private/tls-collector1.key -out /etc/pki/tls/certs/tls-collector1.crt

  2. Take the following actions when prompted.

    1. When Prompted for Country Name, enter your Country Abbreviation. For example, the United States is "US".

    2. Enter your State or Province. For example, California would be "CA".

    3. Enter your Locality. For example, a city would be "Sunnyvale".

    4. Enter your desired org name. For example, "Fortinet".

    5. Enter Unit Name, which is optional. For example, "IT".

    6. Enter Common Name. It must match the FQDN of collector. For example, "collector1.myorg.fortinet.com".

    7. Email Address. This can be left blank. Hit "enter" to continue.

    8. If prompted for a challenge password, hit "enter" to leave blank and continue.

    9. Hit enter again to confirm.

  3. Set the appropriate permissions for the private key and certificate generated, by running the following commands.

    chmod 640 /etc/pki/tls/private/tls-collector1.key

    chown root:admin /etc/pki/tls/private/tls-collector1.key

    chmod 644 /etc/pki/tls/certs/tls-collector1.crt

  4. On the collector, update the /opt/phoenix/config/phoenix_config.txt file to reference the new tls certificate by editing the file, running the following command.

    vi /opt/phoenix/config/phoenix_config.txt

  5. Find the following lines in the file.

    listen_tls_port_list=6514

    tls_certificate_file=/etc/pki/tls/certs/localhost.crt

    tls_key_file=/etc/pki/tls/private/localhost.key

    and replace the cert and key file with the following:

    listen_tls_port_list=6514

    tls_certificate_file=/etc/pki/tls/certs/tls-collector1.crt

    tls_key_file=/etc/pki/tls/private/tls-collector1.key

  6. Save the file, and as root, restart phParser using the following command.

    killall -9 phParser

  7. Make a copy of the certificate file to /tmp, and using WinSCP or another SCP utility, download the Collector Certificate file. For example, you may run the following command.

    cp /etc/pki/tls/certs/tls-collector1.crt /tmp

  8. Download /tmp/tls-collector1.crt to your desktop.

    Note: You only need the Certificate file and not the private key. The private key will never leave the collector.

  9. Define the Syslog server parameters (See step 4 in Integrate a Syslog Receiver for more information).

    • Name: FortiSIEM_Public_Collector

    • Destination: Pulbic IP or FQDN of FortiSIEM Collector

    • Port: 6514

    • Facility: Informational, or Default Value

    • Protocol: TCP + SSL/TLS

    • Certificate: You do not need to upload as it is a public signed SSL certifcate.

    • Select Ignore Certificate Error.

  10. Click Create.


Palo Alto Cortex XDR

Event Types

In ADMIN > Device Support > Event Types, search for "cortexXDR" to see the event types associated with this device. In FortiSIEM 6.3.0, there are 9 event types for Cortex XDR.

Rules

In RESOURCES > Rules, search for "cortex" in the main content panel Search... field.

Reports

No specific reports are available for Palo Alto Cortex XDR.

Configuration

For the latest Palo Alto Cortex XDR documentation, see https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/logs/integrate-a-syslog-receiver-for-outbound-notifications.html.

Public or Self Signed Certificate Configuration

Fortinet recommends configuring Syslog over TLS for Cortex XDR.

You can generate either a public certificate or a self signed certificate.

Prerequisites

  • Ensure you have a collector that is publicly exposed (has a public IP with port TCP 6514 open).

  • Be sure to specify a valid FQDN when registering the collector, and make sure a public DNS A record exists for it.

  • Add a whitelist to restrict all traffic only from these destinations based on your region listed in the documentation here.

Public Certificate Generation and Application Configuration

Take the following steps:

  1. Generate a SSL/TLS certificate using a public certificate. A public certificate can be signed by a public certificate authority (CA) such as DigiCert, or GoDaddy.

  2. Run the following command on your collector to generate a CSR (Certificate Signing Request)

    cd /tmp

    openssl req -new -newkey rsa:4096 -nodes -keyout /etc/pki/tls/private/tls-collector1.key -out tls-collector1.csr

  3. Take the following actions when prompted.

    1. When Prompted for Country Name, enter your Country Abbreviation. For example, the United States is "US".

    2. Enter your State or Province. For example, California would be "CA".

    3. Enter your Locality. For example, a city would be "Sunnyvale".

    4. Enter your desired org name. For example, "Fortinet".

    5. Enter Unit Name, which is optional. For example, "IT".

    6. Enter Common Name. It must match the FQDN of collector. For example, "collector1.myorg.fortinet.com".

    7. Email Address. This can be left blank. Hit "enter" to continue.

    8. If prompted for a challenge password, hit "enter" to leave blank and continue.

    9. Hit enter again to confirm.
      A Certificate Signing Request is created in /tmp/tls-collector1.csr.

  4. Using WinScp or another SCP utility, download this CSR file to your desktop.

  5. Go to your preferred public CA, and upload this CSR when prompted to generate a new SSL certificate file.

    When you have your new Certificate ZIP file, it will normally contain 2-3 files.

  6. WinSCP zip file to /tmp of the Collector.

  7. Unzip the file if needed, by using the following command.

    unzip <filename>.zip

    The .crt file is your certificate, and is usually a concatenation of all chain certificates.

  8. Rename the cert files if needed using similar commands here.

    cd /tmp

    mv 11111111.crt tls-collector1.crt

  9. Copy the cert to the correct folder using the following command.

    cp tls-collector1.crt /etc/pki/tls/certs/tls-collector1.crt

  10. Set permissions using the following command.
    chmod 644 /etc/pki/tls/certs/tls-collector1.crt

    chmod 640 /etc/pki/tls/private/tls-collector1.key

    chown root:admin /etc/pki/tls/private/tls-collector1.key

  11. On the Collector, update the /opt/phoenix/config/phoenix_config.txt file to reference the new tls cert using the following command.
    vi /opt/phoenix/config/phoenix_config.txt

  12. Locate the following lines in your phoenix_config.txt file.
    listen_tls_port_list=6514

    tls_certificate_file=/etc/pki/tls/certs/localhost.crt

    tls_key_file=/etc/pki/tls/private/localhost.key

    and replace the cert and key file with the following:

    listen_tls_port_list=6514

    tls_certificate_file=/etc/pki/tls/certs/tls-collector1.crt

    tls_key_file=/etc/pki/tls/private/tls-collector1.key

  13. Save the file, and as root, restart phParser using the following command.

    killall -9 phParser

  14. Define the Syslog server parameters (See step 4 in Integrate a Syslog Receiver for more information).

    • Name: FortiSIEM_Public_Collector

    • Destination: Pulbic IP or FQDN of FortiSIEM Collector

    • Port: 6514

    • Facility: Informational, or Default Value

    • Protocol: TCP + SSL/TLS

    • Certificate: You do not need to upload as it is a public signed SSL certificate.

  15. Click Create.

Self Signed Certificate Generation and Application Configuration

Take the following steps:

  1. On the Collector, run the following commands as root.

    cd /tmp

    openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -keyout /etc/pki/tls/private/tls-collector1.key -out /etc/pki/tls/certs/tls-collector1.crt

  2. Take the following actions when prompted.

    1. When Prompted for Country Name, enter your Country Abbreviation. For example, the United States is "US".

    2. Enter your State or Province. For example, California would be "CA".

    3. Enter your Locality. For example, a city would be "Sunnyvale".

    4. Enter your desired org name. For example, "Fortinet".

    5. Enter Unit Name, which is optional. For example, "IT".

    6. Enter Common Name. It must match the FQDN of collector. For example, "collector1.myorg.fortinet.com".

    7. Email Address. This can be left blank. Hit "enter" to continue.

    8. If prompted for a challenge password, hit "enter" to leave blank and continue.

    9. Hit enter again to confirm.

  3. Set the appropriate permissions for the private key and certificate generated, by running the following commands.

    chmod 640 /etc/pki/tls/private/tls-collector1.key

    chown root:admin /etc/pki/tls/private/tls-collector1.key

    chmod 644 /etc/pki/tls/certs/tls-collector1.crt

  4. On the collector, update the /opt/phoenix/config/phoenix_config.txt file to reference the new tls certificate by editing the file, running the following command.

    vi /opt/phoenix/config/phoenix_config.txt

  5. Find the following lines in the file.

    listen_tls_port_list=6514

    tls_certificate_file=/etc/pki/tls/certs/localhost.crt

    tls_key_file=/etc/pki/tls/private/localhost.key

    and replace the cert and key file with the following:

    listen_tls_port_list=6514

    tls_certificate_file=/etc/pki/tls/certs/tls-collector1.crt

    tls_key_file=/etc/pki/tls/private/tls-collector1.key

  6. Save the file, and as root, restart phParser using the following command.

    killall -9 phParser

  7. Make a copy of the certificate file to /tmp, and using WinSCP or another SCP utility, download the Collector Certificate file. For example, you may run the following command.

    cp /etc/pki/tls/certs/tls-collector1.crt /tmp

  8. Download /tmp/tls-collector1.crt to your desktop.

    Note: You only need the Certificate file and not the private key. The private key will never leave the collector.

  9. Define the Syslog server parameters (See step 4 in Integrate a Syslog Receiver for more information).

    • Name: FortiSIEM_Public_Collector

    • Destination: Pulbic IP or FQDN of FortiSIEM Collector

    • Port: 6514

    • Facility: Informational, or Default Value

    • Protocol: TCP + SSL/TLS

    • Certificate: You do not need to upload as it is a public signed SSL certifcate.

    • Select Ignore Certificate Error.

  10. Click Create.