Fortinet white logo
Fortinet white logo

External Systems Configuration Guide

Fortinet FortiGate Firewall

Fortinet FortiGate Firewall

What is Discovered and Monitored

Protocol

Information Discovered

Metrics collected

Used for

REST API

Host name, Model, Version, Interfaces, Serial Number, FortiAP and FortiSwitch managed by FortiGate.

Uptime, CPU, Memory and Disk utilization, Network Interface metrics, VPN metrics, Firewall Connection metrics

Performance and Availability Monitoring

SNMP Host name, Hardware model, Network interfaces, Operating system version Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths).
For 5xxx series firewalls, per CPU utilization (event PH_DEV_MON_FORTINET_PROCESSOR_USGE)
Availability and Performance Monitoring
Telnet/SSH Running configuration Configuration Change Performance Monitoring, Security and Compliance
Syslog Device type All traffic and system logs Availability, Security and Compliance
Netflow Firewall traffic, application detection and application link usage metrics Security monitoring and compliance, Firewall Link Usage and Application monitoring

Event Types

In ADMIN > Device Support > Event Types, search for "fortigate" to see the event types associated with this device.

Rules

In RESOURCES > Rules, search for "fortigate" in the main content panel Search... field to see the rules associated with this device.

Reports

In RESOURCES > Reports, search for "fortigate" in the main content panel Search... field to see the reports associated with this device.

Configuring FortiSIEM through FortiOS REST API

Take the following steps to configure FortiGate for FortiSIEM via the FortiOS REST API.
Note: When upgrading FortiOS, make sure to re-generate the API token in FortiGate and update the FortiSIEM Access Credentials information.

Setup of FortiGate

As an administrator with the super_admin profile, login to the FortiGate GUI and take the following steps:

Step 1: Identify your Source Address

First, identify your source IP address. The source address is needed to ensure the API token can only be used from trusted hosts. If you already know your trusted host IP address, skip to Step 2.

  1. On the FortiGate GUI, select the Status dashboard and locate the Administrators widget.
  2. Navigate to <your-userid> > Show active administrator sessions.
  3. Copy the Source Address for your <your-userid>. This information will be needed to create the Trusted Host in Step 3: Create the REST API Admin.
Step 2: Create an Administrator Profile
  1. On the FortiGate GUI, navigate to System > Admin Profiles > Create New.
  2. For Network, System, and WiFi & Switch fields, enable Read permission.

  3. Click OK.
Step 3: Create the REST API Admin
  1. On the FortiGate GUI, navigate to System > Administrators > Create New > REST API Admin.
  2. On the New REST API Admin dialog, enter the following information.
    1. In the Username field, enter a user name.
    2. (Optional) In the Comments field, enter any additional information about this account.
    3. In the Administrator Profile drop-down list, select the profile from Step 2.
    4. Disable PKI Group.
    5. Enable CORS Allow Origin, and input https://fndn.fortinet.net.
    6. In the Trusted Hosts field, enter a trusted host based off your source address. The Trusted Host must be specified to ensure that your local host can reach FortiGate. For example, to restrict requests as coming from only 10.20.100.99, enter "10.20.100.99/32". The Trusted Host is created from the Source Address obtained in Step 1: Identify your Source Address.
    7. Click OK and an API token will be generated. Copy the API token information as it is only shown once and cannot be retrieved. It will be needed for the Setup in FortiSIEM configuration.
    8. Click Close to complete the creation of the REST API Admin.
Setup in FortiSIEM

FortiSIEM can process events from FortiGate via the FortiOS REST API. Obtain your token from FortiGate (see Setup in FortiGate) before proceeding.

Complete these steps in the FortiSIEM UI:

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials:
    1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box:

      SettingsDescription
      NameEnter a name for the credential.
      Device TypeFortinet FortiOS
      Access ProtocolFORTIOS_REST_API
      Password configManual
      TokenInput the API token from Step 3: Create the REST API Admin in Setup of FortiGate.
      Confirm TokenInput the same API token as above for verification.
      DescriptionDescription about the device
  3. In Step 2: Enter IP Range to Credential Associations, click New.
    1. Enter the FortiGate IP address or IP range in the IP/Host Name field.
    2. Select the name of your credential from the Credentials drop-down list.
    3. Click Save.
  4. Click the Test drop-down list and select Test Connectivity to test the connection to FortiGate.
  5. Navigate to ADMIN > Setup > Discover > New.
  6. In the Discovery Definition window, take the following steps:
    1. In the Name field, enter a name for this device.
    2. In the Discovery Type drop-down list, select Range Scan.
    3. In the Include field, enter the FortiGate IP address.
    4. Click Save.
  7. Navigate to ADMIN > Setup > Discovery > Discover. Your devices will be added into CMDB and 3 jobs are added in Monitor Performance.


When configuration is complete, you can do the following.

To view your devices, go to CMDB > Devices.

To see metrics for your devices, go to ADMIN > Setup > Monitor Performance.

To see received events, select ANALYTICS, then enter "PH_DEV_MON_FORTI" in the search box.

Configuring SNMP v1 or v2 on FortiGate

Follow these steps to configure SNMPv1 or v2 on FortiGate. For more information on configuring the FortiGate to allow detailed interface monitoring using SNMP, see Data Source in the FortiSIEM User’s Guide.

  1. Log in to your firewall as an administrator.
  2. Go to System > Network.
  3. Select the FortiGate interface IP that FortiSIEM will use to communicate with your device, and then click Edit.
  4. For Administrative Access, makes sure that SSH and SNMP are selected.
  5. Click OK.
  6. Go to System > Config > SNMP v1/v2c.
  7. Click Create New to enable the public community.

Configuring SNMP v3 on FortiGate

To configure SNMPv3 on a FortiGate Firewall and integrate it with FortiSIEM, take the following steps:

Setup for FortiGate
  1. Allow SNMP traffic on inbound interface where FortiSIEM collector will reach FortiGate firewall.

  2. Run the show command under the interface, then run "set allowaccess option1 option2 snmp", replacing the options with the preexisting values, adding snmp to the end.

    The following example has the FortiSIEM collector polling inbound on interface port 1.

    config system interface
    edit "port1"
     show
     set allowaccess snmp
    end
    config system snmp sysinfo
     set status enable
     set description "Description of device"
     set contact-info "Optional contact info"
     set location "Optional location info"
    end
  3. Replace the sha and aes passwords with your own, and for notify-hosts, enter the IP address of your FortiSIEM collector that will be polling the FortiGate unit.

    config system snmp user
    edit "fortisiem_user"
     set status enable
     set queries enable
     set security-level auth-priv
     set auth-proto sha
     set auth-pwd "yourShaPassword1"
     set priv-proto aes
     set priv-pwd "yourAesPassword1"
     set notify-hosts "192.168.1.2"
     next
    end
Setup in FortiSIEM

Complete these steps in the FortiSIEM UI:

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials, click New to create a new credential.
    1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box:

      SettingsDescription
      NameEnter a name for the credential.
      Device TypeGeneric
      Access ProtocolSNMP v3
      Security LevelauthPriv
      Security Namefortisiem_user or <your SNMPv3 username here>
      Auth ProtocolSHA

      Auth Password

      <your password>

      Priv Protocol

      AES

      Priv Password

      <your password>

      Context

      You can leave this field blank.

      DescriptionOptional, you can explain which devices this credential is used for.
  3. In Step 2: Enter IP Range to Credential Associations, click New to create a new mapping.
    Note: If multiple collectors, use the collector drop-down list to select which collector will do the polling. If you have only 1 collector, no drop-down list will appear.
    1. Enter a host name, an IP, or an IP range in the IP/Host Name field. You can add multiple IPs by using a comma as a separator, for example:
      192.168.1.1,192.168.2.1,192.168.3.1
    2. Select the name of your credential from the Credentials drop-down list.
    3. Click Save.

  4. Click the Test drop-down list and select Test Connectivity without Ping to test the connection. If it fails, ensure the firewall is configured correctly, that SNMP is allowed from the collector on UDP 161, and that the correct SNMPv3 user and password is being used.
  5. Click the Discovery tab. If there is more than one collector, select from the drop-down list the collector you'd like to do the polling.
  6. In the include list, enter the same comma separated IP list as before.

  7. Optionally, you can disable ICMP alive check by selecting Options > Do not ping before discovery.

  8. Click Save.

  9. Select the new discovery, and click Discover. Wait for it to finish, or click run in background.

  10. Click the CMDB tab, and confirm that the devices are discovered via SNMP.

Configuring SSH on FortiSIEM to communicate with FortiGate

caution icon

FortiSIEM Collector SSH Client, when communicating to FortiGate via SSH, may use the public key authentication method first. This may fail and create some alerts in FortiGate. To prevent this, modify the per user config file as follows:

  1. Log in to the FortiSIEM node that communicates to FortiGate via SSH, as admin.
  2. Open /opt/phoenix/bin/.ssh/config and create a new file, if necessary.
  3. Add these two lines and save:
    PreferredAuthentications password
    PubkeyAuthentication no
  4. Ensure that the owner is admin:
    chown admin.admin /opt/phoenix/bin/.ssh/config
    chmod 600 /opt/phoenix/bin/.ssh/config
  5. Verify using the commands:
    su admin
    ssh -v <fgt host>

    Verification is successful if the following files are found:

Alternatively, modify the global ssh_config file as below. Since this is a global configuration, all programs will use this setting.

  1. Log in to a FortiSIEM node that communicates to FortiGate via SSH, as root.
  2. Open /etc/ssh/ssh_config
  3. Add these two lines:
    PreferredAuthentications password
    PubkeyAuthentication no

These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in FortiSIEM have the permissions necessary to execute these commands on the device.

show firewall address

show full-configuration

Sending Logs Over VPN

If you are sending these logs across a VPN, Fortigate will try to use the WAN interface for the source of all system traffic. You can change this by setting the source-ip option to the IP used on the Fortigates Internal/LAN interface.

With the Web GUI
  1. Log in to your firewall as an administrator.
  2. Go to Log & Report > Log Config > syslog.
  3. Enter the IP Address, Port Number, and Minimum Log Level and Facility for your FortiSIEM virtual appliance.
  4. Make sure that CSV format is not selected.
With the CLI
  1. Connect to the Fortigate firewall over SSH and log in.
  2. To configure your firewall to send syslog over UDP, enter this command, replacing the IP address 192.168.53.2 with the IP address of your FortiSIEM virtual appliance.
    config log syslogd setting
        set status enable
        set server "192.168.53.2"    
    set facility user set port 514 end
  3. Verify the settings.
    frontend # show log syslogd setting
    config log syslogd setting
        set status enable
        set server "192.168.53.2"    
    set facility user end

Configuring FortiSIEM for SNMP and SSH access to FortiGate

You can now configure FortiSIEM to communicate with your device by following the instructions in the User Guide > Section: Configuring FortiSIEM > Discovering Infrastructure > Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics under Discovering Infrastructure.

Configuring FortiAnalyzer to send logs to FortiSIEM

If you are already sending FortiGate logs to FortiAnalyzer, then you can forward those logs to FortiSIEM by configuring FortiAnalyzer as follows:

Setting Up the Syslog Server
  1. Login to FortiAnalyzer.
  2. Go to System Settings > Advanced > Syslog Server.
    1. Click the Create New button.
    2. Enter the Name. (It is recommended to use the name of the FortiSIEM server.)
    3. Fill in the IP address (or FQDN) with the IP or a fully qualified name of the FortiSIEM server.
    4. Leave the Syslog Server Port to the default value '514'.
    5. Click OK to save your entries.
Pre-Configuration for Log Forwarding

To configure FortiAnalyzer event forwarding to FortiSIEM, you must first set up the following.

  1. 1. Install a FortiSIEM collector in the same subnet as FortiAnalyzer that will be forwarding the events.
    Note: The same subnet request is required as FortiAnalyzer will later be configured to spoof packets to the collector. RPF (reverse path forwarding checks) on network equipment would have to be disabled if FortiAnalyzer and collector existed on different subnets.

  2. 2. It is recommended that for every 5,000 EPS (events per second) ingested, you add 1 collector that is 8vCPU, 8GB RAM. If you have more than 5,000 EPS forwarding from FortiAnalyzer, please set up a load balancer with multiple collectors behind it, allowing UDP 514 inbound.

Configuring Log Forwarding

Take the following steps to configure log forwarding on FortiAnalyzer.

  1. Go to System Settings > Log Forwarding.

  2. Click the Create New button in the toolbar. The Create New Log Forwarding pane opens.

  3. fill in the information as per the below table, then click OK to create the new log forwarding. The FortiAnalyzer device will start forwarding logs to the server.

    Field Input
    Name FortiSIEM-Forwarding
    Status On
    Remote Server Type Syslog
    Compression OFF
    Sending Frequency Real-time

    Log Forwarding Filters

    Select all desired Administrative Domains (ADOMs) / device logs you’d like to forward

  4. Go to the CLI Console and configure the CLI only log forward option by running the following CLI commands.
    Notes:

    • Logs received by FortiAnalyzer, and then forwarded to FortiSIEM, have the source IP of the log packet overwritten with the IP address of the FortiAnalyzer appliance. This hides the “true” source of the log packet from FortiSIEM. To override this behavior, FortiAnalyzer can spoof the original log sender's IP address when forwarding to FortiSIEM. This allows FortiSIEM collectors to receive all the original information as if it received the logs directly from the originating device.

    • For FortiAnalyzer versions 6.0 and later, use the following CLI:
      Notes:

      Replace <id> with the actual name of the log forward created earlier.

      You can run "set server-name..." or "set server-ip...". Fortinet recommends using set server-ip "a.b.c.d", so you do not require name resolution of the Collector.

      config system log-forward
          edit <id>
              set mode forwarding
              set fwd-max-delay realtime
              set server-name "<FSM_Collector>"   
              set server-ip "a.b.c.d"
              set fwd-log-source-ip original_ip
              set fwd-server-type syslog
          next
      end
    • For FortiAnalyzer versions 5.6 to 5.9, use the following CLI:
      Note: Replace <id> with the actual name of the log forward created earlier.

      config system log-forward
        edit <id>
         set mode forwarding
         set fwd-max-delay realtime
         set server-ip "a.b.c.d"
         set fwd-log-source-ip original_ip
         set fwd-server-type syslog
       next
      end
    • For FortiAnalyzer versions earlier than 5.6, use the following CLI:
      Note: For <id>, you can choose the number for your FortiSIEM syslog entry.

      config system aggregation-client
        edit <id> 
          set fwd-log-source-ip original_ip
      end
    Configuring FortiSIEM Collector to Receive Logs from FortiAnalyzer

    To configure the FortiSIEM collector to receive logs from FortiAnalyzer, you will need to disable RPF checks that would normally cause the collector virtual machine from dropping the log packet as it is spoofed.

    sysctl -w net.ipv4.conf.all.rp_filter=0

    To make this change persistent across reboots, add the following code to the /etc/sysctl.conf file.

    net.ipv4.conf.all.rp_filter=0

Configuring FortiGate to send Netflow via CLI

  1. Connect to the Fortigate firewall over SSH and log in.
  2. To configure your firewall to send Netflow over UDP, enter the following commands:

    config system netflow

    set collector-ip <FortiSIEM IP>

    set collector-port 2055

    end

  3. Enable Netflow on the appropriate interfaces, replacing port1 with your interface name:

    config system interface

    edit port1

    set netflow-sampler both

    end

  4. Optional - Using Netflow with VDOMs
    For VDOM environments, excluding the management VDOM, Netflow must be configured using the following CLI commands:

    con global

    con sys netflow

    set collector-ip <FortiSIEM IP>

    set collector-port 2055

    set source-ip <source-ip>

    end

    end

    con vdom

    edit root (root is an example, change to the required VDOM name.)

    con sys interface

    edit wan1 (change the interface to the one to use.)

    set netflow-sampler both

    end

    end

Configuring FortiGate to send Application names in Netflow via GUI

  1. Login to FortiGate.
  2. Go to Policy & Objects > IPv4 Policy.
  3. Click on the Policy IDs you wish to receive application information from.
  4. Add SSL inspection and App Control on the policy by clicking the + button in the Security Profiles column.

Example of FortiGate Syslog parsed by FortiSIEM

<185>date=2010-04-11 time=20:31:25 devname=APS3012404200944 device_id=APS3012404200944 log_id=0104032002 type=event subtype=admin
pri=alert vd=root user="root" ui=ssh(10.1.20.21) action=login status=failed reason="name_invalid"msg="Administrator root login failed from ssh(10.1.20.21) because of invalid user name"

Fortinet FortiGate Firewall

Fortinet FortiGate Firewall

What is Discovered and Monitored

Protocol

Information Discovered

Metrics collected

Used for

REST API

Host name, Model, Version, Interfaces, Serial Number, FortiAP and FortiSwitch managed by FortiGate.

Uptime, CPU, Memory and Disk utilization, Network Interface metrics, VPN metrics, Firewall Connection metrics

Performance and Availability Monitoring

SNMP Host name, Hardware model, Network interfaces, Operating system version Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths).
For 5xxx series firewalls, per CPU utilization (event PH_DEV_MON_FORTINET_PROCESSOR_USGE)
Availability and Performance Monitoring
Telnet/SSH Running configuration Configuration Change Performance Monitoring, Security and Compliance
Syslog Device type All traffic and system logs Availability, Security and Compliance
Netflow Firewall traffic, application detection and application link usage metrics Security monitoring and compliance, Firewall Link Usage and Application monitoring

Event Types

In ADMIN > Device Support > Event Types, search for "fortigate" to see the event types associated with this device.

Rules

In RESOURCES > Rules, search for "fortigate" in the main content panel Search... field to see the rules associated with this device.

Reports

In RESOURCES > Reports, search for "fortigate" in the main content panel Search... field to see the reports associated with this device.

Configuring FortiSIEM through FortiOS REST API

Take the following steps to configure FortiGate for FortiSIEM via the FortiOS REST API.
Note: When upgrading FortiOS, make sure to re-generate the API token in FortiGate and update the FortiSIEM Access Credentials information.

Setup of FortiGate

As an administrator with the super_admin profile, login to the FortiGate GUI and take the following steps:

Step 1: Identify your Source Address

First, identify your source IP address. The source address is needed to ensure the API token can only be used from trusted hosts. If you already know your trusted host IP address, skip to Step 2.

  1. On the FortiGate GUI, select the Status dashboard and locate the Administrators widget.
  2. Navigate to <your-userid> > Show active administrator sessions.
  3. Copy the Source Address for your <your-userid>. This information will be needed to create the Trusted Host in Step 3: Create the REST API Admin.
Step 2: Create an Administrator Profile
  1. On the FortiGate GUI, navigate to System > Admin Profiles > Create New.
  2. For Network, System, and WiFi & Switch fields, enable Read permission.

  3. Click OK.
Step 3: Create the REST API Admin
  1. On the FortiGate GUI, navigate to System > Administrators > Create New > REST API Admin.
  2. On the New REST API Admin dialog, enter the following information.
    1. In the Username field, enter a user name.
    2. (Optional) In the Comments field, enter any additional information about this account.
    3. In the Administrator Profile drop-down list, select the profile from Step 2.
    4. Disable PKI Group.
    5. Enable CORS Allow Origin, and input https://fndn.fortinet.net.
    6. In the Trusted Hosts field, enter a trusted host based off your source address. The Trusted Host must be specified to ensure that your local host can reach FortiGate. For example, to restrict requests as coming from only 10.20.100.99, enter "10.20.100.99/32". The Trusted Host is created from the Source Address obtained in Step 1: Identify your Source Address.
    7. Click OK and an API token will be generated. Copy the API token information as it is only shown once and cannot be retrieved. It will be needed for the Setup in FortiSIEM configuration.
    8. Click Close to complete the creation of the REST API Admin.
Setup in FortiSIEM

FortiSIEM can process events from FortiGate via the FortiOS REST API. Obtain your token from FortiGate (see Setup in FortiGate) before proceeding.

Complete these steps in the FortiSIEM UI:

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials:
    1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box:

      SettingsDescription
      NameEnter a name for the credential.
      Device TypeFortinet FortiOS
      Access ProtocolFORTIOS_REST_API
      Password configManual
      TokenInput the API token from Step 3: Create the REST API Admin in Setup of FortiGate.
      Confirm TokenInput the same API token as above for verification.
      DescriptionDescription about the device
  3. In Step 2: Enter IP Range to Credential Associations, click New.
    1. Enter the FortiGate IP address or IP range in the IP/Host Name field.
    2. Select the name of your credential from the Credentials drop-down list.
    3. Click Save.
  4. Click the Test drop-down list and select Test Connectivity to test the connection to FortiGate.
  5. Navigate to ADMIN > Setup > Discover > New.
  6. In the Discovery Definition window, take the following steps:
    1. In the Name field, enter a name for this device.
    2. In the Discovery Type drop-down list, select Range Scan.
    3. In the Include field, enter the FortiGate IP address.
    4. Click Save.
  7. Navigate to ADMIN > Setup > Discovery > Discover. Your devices will be added into CMDB and 3 jobs are added in Monitor Performance.


When configuration is complete, you can do the following.

To view your devices, go to CMDB > Devices.

To see metrics for your devices, go to ADMIN > Setup > Monitor Performance.

To see received events, select ANALYTICS, then enter "PH_DEV_MON_FORTI" in the search box.

Configuring SNMP v1 or v2 on FortiGate

Follow these steps to configure SNMPv1 or v2 on FortiGate. For more information on configuring the FortiGate to allow detailed interface monitoring using SNMP, see Data Source in the FortiSIEM User’s Guide.

  1. Log in to your firewall as an administrator.
  2. Go to System > Network.
  3. Select the FortiGate interface IP that FortiSIEM will use to communicate with your device, and then click Edit.
  4. For Administrative Access, makes sure that SSH and SNMP are selected.
  5. Click OK.
  6. Go to System > Config > SNMP v1/v2c.
  7. Click Create New to enable the public community.

Configuring SNMP v3 on FortiGate

To configure SNMPv3 on a FortiGate Firewall and integrate it with FortiSIEM, take the following steps:

Setup for FortiGate
  1. Allow SNMP traffic on inbound interface where FortiSIEM collector will reach FortiGate firewall.

  2. Run the show command under the interface, then run "set allowaccess option1 option2 snmp", replacing the options with the preexisting values, adding snmp to the end.

    The following example has the FortiSIEM collector polling inbound on interface port 1.

    config system interface
    edit "port1"
     show
     set allowaccess snmp
    end
    config system snmp sysinfo
     set status enable
     set description "Description of device"
     set contact-info "Optional contact info"
     set location "Optional location info"
    end
  3. Replace the sha and aes passwords with your own, and for notify-hosts, enter the IP address of your FortiSIEM collector that will be polling the FortiGate unit.

    config system snmp user
    edit "fortisiem_user"
     set status enable
     set queries enable
     set security-level auth-priv
     set auth-proto sha
     set auth-pwd "yourShaPassword1"
     set priv-proto aes
     set priv-pwd "yourAesPassword1"
     set notify-hosts "192.168.1.2"
     next
    end
Setup in FortiSIEM

Complete these steps in the FortiSIEM UI:

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials, click New to create a new credential.
    1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box:

      SettingsDescription
      NameEnter a name for the credential.
      Device TypeGeneric
      Access ProtocolSNMP v3
      Security LevelauthPriv
      Security Namefortisiem_user or <your SNMPv3 username here>
      Auth ProtocolSHA

      Auth Password

      <your password>

      Priv Protocol

      AES

      Priv Password

      <your password>

      Context

      You can leave this field blank.

      DescriptionOptional, you can explain which devices this credential is used for.
  3. In Step 2: Enter IP Range to Credential Associations, click New to create a new mapping.
    Note: If multiple collectors, use the collector drop-down list to select which collector will do the polling. If you have only 1 collector, no drop-down list will appear.
    1. Enter a host name, an IP, or an IP range in the IP/Host Name field. You can add multiple IPs by using a comma as a separator, for example:
      192.168.1.1,192.168.2.1,192.168.3.1
    2. Select the name of your credential from the Credentials drop-down list.
    3. Click Save.

  4. Click the Test drop-down list and select Test Connectivity without Ping to test the connection. If it fails, ensure the firewall is configured correctly, that SNMP is allowed from the collector on UDP 161, and that the correct SNMPv3 user and password is being used.
  5. Click the Discovery tab. If there is more than one collector, select from the drop-down list the collector you'd like to do the polling.
  6. In the include list, enter the same comma separated IP list as before.

  7. Optionally, you can disable ICMP alive check by selecting Options > Do not ping before discovery.

  8. Click Save.

  9. Select the new discovery, and click Discover. Wait for it to finish, or click run in background.

  10. Click the CMDB tab, and confirm that the devices are discovered via SNMP.

Configuring SSH on FortiSIEM to communicate with FortiGate

caution icon

FortiSIEM Collector SSH Client, when communicating to FortiGate via SSH, may use the public key authentication method first. This may fail and create some alerts in FortiGate. To prevent this, modify the per user config file as follows:

  1. Log in to the FortiSIEM node that communicates to FortiGate via SSH, as admin.
  2. Open /opt/phoenix/bin/.ssh/config and create a new file, if necessary.
  3. Add these two lines and save:
    PreferredAuthentications password
    PubkeyAuthentication no
  4. Ensure that the owner is admin:
    chown admin.admin /opt/phoenix/bin/.ssh/config
    chmod 600 /opt/phoenix/bin/.ssh/config
  5. Verify using the commands:
    su admin
    ssh -v <fgt host>

    Verification is successful if the following files are found:

Alternatively, modify the global ssh_config file as below. Since this is a global configuration, all programs will use this setting.

  1. Log in to a FortiSIEM node that communicates to FortiGate via SSH, as root.
  2. Open /etc/ssh/ssh_config
  3. Add these two lines:
    PreferredAuthentications password
    PubkeyAuthentication no

These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in FortiSIEM have the permissions necessary to execute these commands on the device.

show firewall address

show full-configuration

Sending Logs Over VPN

If you are sending these logs across a VPN, Fortigate will try to use the WAN interface for the source of all system traffic. You can change this by setting the source-ip option to the IP used on the Fortigates Internal/LAN interface.

With the Web GUI
  1. Log in to your firewall as an administrator.
  2. Go to Log & Report > Log Config > syslog.
  3. Enter the IP Address, Port Number, and Minimum Log Level and Facility for your FortiSIEM virtual appliance.
  4. Make sure that CSV format is not selected.
With the CLI
  1. Connect to the Fortigate firewall over SSH and log in.
  2. To configure your firewall to send syslog over UDP, enter this command, replacing the IP address 192.168.53.2 with the IP address of your FortiSIEM virtual appliance.
    config log syslogd setting
        set status enable
        set server "192.168.53.2"    
    set facility user set port 514 end
  3. Verify the settings.
    frontend # show log syslogd setting
    config log syslogd setting
        set status enable
        set server "192.168.53.2"    
    set facility user end

Configuring FortiSIEM for SNMP and SSH access to FortiGate

You can now configure FortiSIEM to communicate with your device by following the instructions in the User Guide > Section: Configuring FortiSIEM > Discovering Infrastructure > Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics under Discovering Infrastructure.

Configuring FortiAnalyzer to send logs to FortiSIEM

If you are already sending FortiGate logs to FortiAnalyzer, then you can forward those logs to FortiSIEM by configuring FortiAnalyzer as follows:

Setting Up the Syslog Server
  1. Login to FortiAnalyzer.
  2. Go to System Settings > Advanced > Syslog Server.
    1. Click the Create New button.
    2. Enter the Name. (It is recommended to use the name of the FortiSIEM server.)
    3. Fill in the IP address (or FQDN) with the IP or a fully qualified name of the FortiSIEM server.
    4. Leave the Syslog Server Port to the default value '514'.
    5. Click OK to save your entries.
Pre-Configuration for Log Forwarding

To configure FortiAnalyzer event forwarding to FortiSIEM, you must first set up the following.

  1. 1. Install a FortiSIEM collector in the same subnet as FortiAnalyzer that will be forwarding the events.
    Note: The same subnet request is required as FortiAnalyzer will later be configured to spoof packets to the collector. RPF (reverse path forwarding checks) on network equipment would have to be disabled if FortiAnalyzer and collector existed on different subnets.

  2. 2. It is recommended that for every 5,000 EPS (events per second) ingested, you add 1 collector that is 8vCPU, 8GB RAM. If you have more than 5,000 EPS forwarding from FortiAnalyzer, please set up a load balancer with multiple collectors behind it, allowing UDP 514 inbound.

Configuring Log Forwarding

Take the following steps to configure log forwarding on FortiAnalyzer.

  1. Go to System Settings > Log Forwarding.

  2. Click the Create New button in the toolbar. The Create New Log Forwarding pane opens.

  3. fill in the information as per the below table, then click OK to create the new log forwarding. The FortiAnalyzer device will start forwarding logs to the server.

    Field Input
    Name FortiSIEM-Forwarding
    Status On
    Remote Server Type Syslog
    Compression OFF
    Sending Frequency Real-time

    Log Forwarding Filters

    Select all desired Administrative Domains (ADOMs) / device logs you’d like to forward

  4. Go to the CLI Console and configure the CLI only log forward option by running the following CLI commands.
    Notes:

    • Logs received by FortiAnalyzer, and then forwarded to FortiSIEM, have the source IP of the log packet overwritten with the IP address of the FortiAnalyzer appliance. This hides the “true” source of the log packet from FortiSIEM. To override this behavior, FortiAnalyzer can spoof the original log sender's IP address when forwarding to FortiSIEM. This allows FortiSIEM collectors to receive all the original information as if it received the logs directly from the originating device.

    • For FortiAnalyzer versions 6.0 and later, use the following CLI:
      Notes:

      Replace <id> with the actual name of the log forward created earlier.

      You can run "set server-name..." or "set server-ip...". Fortinet recommends using set server-ip "a.b.c.d", so you do not require name resolution of the Collector.

      config system log-forward
          edit <id>
              set mode forwarding
              set fwd-max-delay realtime
              set server-name "<FSM_Collector>"   
              set server-ip "a.b.c.d"
              set fwd-log-source-ip original_ip
              set fwd-server-type syslog
          next
      end
    • For FortiAnalyzer versions 5.6 to 5.9, use the following CLI:
      Note: Replace <id> with the actual name of the log forward created earlier.

      config system log-forward
        edit <id>
         set mode forwarding
         set fwd-max-delay realtime
         set server-ip "a.b.c.d"
         set fwd-log-source-ip original_ip
         set fwd-server-type syslog
       next
      end
    • For FortiAnalyzer versions earlier than 5.6, use the following CLI:
      Note: For <id>, you can choose the number for your FortiSIEM syslog entry.

      config system aggregation-client
        edit <id> 
          set fwd-log-source-ip original_ip
      end
    Configuring FortiSIEM Collector to Receive Logs from FortiAnalyzer

    To configure the FortiSIEM collector to receive logs from FortiAnalyzer, you will need to disable RPF checks that would normally cause the collector virtual machine from dropping the log packet as it is spoofed.

    sysctl -w net.ipv4.conf.all.rp_filter=0

    To make this change persistent across reboots, add the following code to the /etc/sysctl.conf file.

    net.ipv4.conf.all.rp_filter=0

Configuring FortiGate to send Netflow via CLI

  1. Connect to the Fortigate firewall over SSH and log in.
  2. To configure your firewall to send Netflow over UDP, enter the following commands:

    config system netflow

    set collector-ip <FortiSIEM IP>

    set collector-port 2055

    end

  3. Enable Netflow on the appropriate interfaces, replacing port1 with your interface name:

    config system interface

    edit port1

    set netflow-sampler both

    end

  4. Optional - Using Netflow with VDOMs
    For VDOM environments, excluding the management VDOM, Netflow must be configured using the following CLI commands:

    con global

    con sys netflow

    set collector-ip <FortiSIEM IP>

    set collector-port 2055

    set source-ip <source-ip>

    end

    end

    con vdom

    edit root (root is an example, change to the required VDOM name.)

    con sys interface

    edit wan1 (change the interface to the one to use.)

    set netflow-sampler both

    end

    end

Configuring FortiGate to send Application names in Netflow via GUI

  1. Login to FortiGate.
  2. Go to Policy & Objects > IPv4 Policy.
  3. Click on the Policy IDs you wish to receive application information from.
  4. Add SSL inspection and App Control on the policy by clicking the + button in the Security Profiles column.

Example of FortiGate Syslog parsed by FortiSIEM

<185>date=2010-04-11 time=20:31:25 devname=APS3012404200944 device_id=APS3012404200944 log_id=0104032002 type=event subtype=admin
pri=alert vd=root user="root" ui=ssh(10.1.20.21) action=login status=failed reason="name_invalid"msg="Administrator root login failed from ssh(10.1.20.21) because of invalid user name"