Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • External Systems Configuration Guide

    Home FortiSIEM 6.7.5 External Systems Configuration Guide
    6.7.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.7
    7.1.6
    7.1.5
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.7.9
    6.7.8
    6.7.7
    6.7.6
    6.7.5
    6.7.4
    6.7.3
    6.7.2
    6.7.1
    6.7.0
    6.6.5
    6.6.4
    6.6.3
    6.6.2
    6.6.1
    6.6.0
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    6.1.0
    5.4.0
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.0.0

    Syslog over TLS

    Syslog over TLS

    To receive syslog over TLS, a port must be enabled and certificates must be defined. The following configurations are already added to phoenix_config.txt in Super/Worker and Collector nodes.

    FortiSIEM 5.x:

    listen_tls_port_list=6514

    tls_certificate_file=/etc/pki/tls/certs/tls_self_signed.crt

    tls_key_file=/etc/pki/tls/private/tls_self_signed.key

    FortiSIEM 6.x:

    listen_tls_port_list=6514

    tls_certificate_file=/etc/pki/tls/certs/localhost.crt

    tls_key_file=/etc/pki/tls/private/localhost.key

    Note: the syslog over TLS client must be configured to communicate properly with FortiSIEM.

    Common Reasons to use Syslog over TLS

    • You are trying to send syslog across an unprotected medium such as the public internet.

    • A SaaS product on the Public internet supports sending Syslog over TLS.

    Common Integrations that require Syslog over TLS

    • SentinelOne Portal Syslog Integration

    • Cortex XDR Syslog Integration

    Prerequisites

    • If using Syslog over TLS over the public internet or with a public DNS, a public IP or port forwarding is required.

    • Add a whitelist to restrict all traffic only from the senders source IPs if possible. Certain SaaS products may publish an IP whitelist, while for others, it may not be possible.

    How to Generate a Public SSL/TLS Certificate

    Take the following steps:

    1. Generate a SSL/TLS certificate using a public certificate. A public certificate can be signed by a public certificate authority (CA) such as DigiCert, or GoDaddy.

    2. Run the following command on your collector to generate a CSR (Certificate Signing Request)

      cd /tmp

      openssl req -new -newkey rsa:4096 -nodes -keyout /etc/pki/tls/private/tls-collector1.key -out tls-collector1.csr

    3. Take the following actions when prompted.

      1. When Prompted for Country Name, enter your Country Abbreviation. For example, the United States is "US".

      2. Enter your State or Province. For example, California would be "CA".

      3. Enter your Locality. For example, a city would be "Sunnyvale".

      4. Enter your desired org name. For example, "Fortinet".

      5. Enter Unit Name, which is optional. For example, "IT".

      6. Enter Common Name. It must match the FQDN of collector. For example, "collector1.myorg.fortinet.com".

      7. Email Address. This can be left blank. Hit "enter" to continue.

      8. If prompted for a challenge password, hit "enter" to leave blank and continue.

      9. Hit enter again to confirm.
        A Certificate Signing Request is created in /tmp/tls-collector1.csr.

    4. Using WinScp or another SCP utility, download this CSR file to your desktop.

    5. Go to your preferred public CA, and upload this CSR when prompted to generate a new SSL certificate file.

      When you have your new Certificate ZIP file, it will normally contain 2-3 files.

    6. WinSCP zip file to /tmp of the Collector.

    7. Unzip the file if needed, by using the following command.

      unzip <filename>.zip

      The .crt file is your certificate, and is usually a concatenation of all chain certificates.

    8. Rename the cert files if needed using similar commands here.

      cd /tmp

      mv 11111111.crt tls-collector1.crt

    9. Copy the cert to the correct folder using the following command.

      cp tls-collector1.crt /etc/pki/tls/certs/tls-collector1.crt

    10. Set permissions using the following command.
      chmod 644 /etc/pki/tls/certs/tls-collector1.crt

      chmod 640 /etc/pki/tls/private/tls-collector1.key

      chown root:admin /etc/pki/tls/private/tls-collector1.key

    11. On the Collector, update the /opt/phoenix/config/phoenix_config.txt file to reference the new tls cert using the following command.
      vi /opt/phoenix/config/phoenix_config.txt

    12. Locate the following lines in your phoenix_config.txt file.
      listen_tls_port_list=6514

      tls_certificate_file=/etc/pki/tls/certs/localhost.crt

      tls_key_file=/etc/pki/tls/private/localhost.key

      and replace the cert and key file with the following:

      listen_tls_port_list=6514

      tls_certificate_file=/etc/pki/tls/certs/tls-collector1.crt

      tls_key_file=/etc/pki/tls/private/tls-collector1.key

    13. Save the file, and as root, restart phParser using the following command.

      killall -9 phParser

    How to Generate a Self Signed SSL/TLS Certificate

    Take the following steps:

    1. On the Collector, run the following commands as root.

      cd /tmp

      openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -keyout /etc/pki/tls/private/tls-collector1.key -out /etc/pki/tls/certs/tls-collector1.crt

    2. Take the following actions when prompted.

      1. When Prompted for Country Name, enter your Country Abbreviation. For example, the United States is "US".

      2. Enter your State or Province. For example, California would be "CA".

      3. Enter your Locality. For example, a city would be "Sunnyvale".

      4. Enter your desired org name. For example, "Fortinet".

      5. Enter Unit Name, which is optional. For example, "IT".

      6. Enter Common Name. It must match the FQDN of collector. For example, "collector1.myorg.fortinet.com".

      7. Email Address. This can be left blank. Hit "enter" to continue.

      8. If prompted for a challenge password, hit "enter" to leave blank and continue.

      9. Hit enter again to confirm.

    3. Set the appropriate permissions for the private key and certificate generated, by running the following commands.

      chmod 640 /etc/pki/tls/private/tls-collector1.key

      chown root:admin /etc/pki/tls/private/tls-collector1.key

      chmod 644 /etc/pki/tls/certs/tls-collector1.crt

    4. On the collector, update the /opt/phoenix/config/phoenix_config.txt file to reference the new tls certificate by editing the file, running the following command.

      vi /opt/phoenix/config/phoenix_config.txt

    5. Find the following lines in the file.

      listen_tls_port_list=6514

      tls_certificate_file=/etc/pki/tls/certs/localhost.crt

      tls_key_file=/etc/pki/tls/private/localhost.key

      and replace the cert and key file with the following:

      listen_tls_port_list=6514

      tls_certificate_file=/etc/pki/tls/certs/tls-collector1.crt

      tls_key_file=/etc/pki/tls/private/tls-collector1.key

    6. Save the file, and as root, restart phParser using the following command.

      killall -9 phParser

    7. Make a copy of the certificate file to /tmp, and using WinSCP or another SCP utility, download the Collector Certificate file. For example, you may run the following command.

      cp /etc/pki/tls/certs/tls-collector1.crt /tmp

    8. Download /tmp/tls-collector1.crt to your desktop.

      Note: You only need the Certificate file and not the private key. The private key will never leave the collector.

    Previous
    Next

    Syslog over TLS

    Syslog over TLS

    To receive syslog over TLS, a port must be enabled and certificates must be defined. The following configurations are already added to phoenix_config.txt in Super/Worker and Collector nodes.

    FortiSIEM 5.x:

    listen_tls_port_list=6514

    tls_certificate_file=/etc/pki/tls/certs/tls_self_signed.crt

    tls_key_file=/etc/pki/tls/private/tls_self_signed.key

    FortiSIEM 6.x:

    listen_tls_port_list=6514

    tls_certificate_file=/etc/pki/tls/certs/localhost.crt

    tls_key_file=/etc/pki/tls/private/localhost.key

    Note: the syslog over TLS client must be configured to communicate properly with FortiSIEM.

    Common Reasons to use Syslog over TLS

    • You are trying to send syslog across an unprotected medium such as the public internet.

    • A SaaS product on the Public internet supports sending Syslog over TLS.

    Common Integrations that require Syslog over TLS

    • SentinelOne Portal Syslog Integration

    • Cortex XDR Syslog Integration

    Prerequisites

    • If using Syslog over TLS over the public internet or with a public DNS, a public IP or port forwarding is required.

    • Add a whitelist to restrict all traffic only from the senders source IPs if possible. Certain SaaS products may publish an IP whitelist, while for others, it may not be possible.

    How to Generate a Public SSL/TLS Certificate

    Take the following steps:

    1. Generate a SSL/TLS certificate using a public certificate. A public certificate can be signed by a public certificate authority (CA) such as DigiCert, or GoDaddy.

    2. Run the following command on your collector to generate a CSR (Certificate Signing Request)

      cd /tmp

      openssl req -new -newkey rsa:4096 -nodes -keyout /etc/pki/tls/private/tls-collector1.key -out tls-collector1.csr

    3. Take the following actions when prompted.

      1. When Prompted for Country Name, enter your Country Abbreviation. For example, the United States is "US".

      2. Enter your State or Province. For example, California would be "CA".

      3. Enter your Locality. For example, a city would be "Sunnyvale".

      4. Enter your desired org name. For example, "Fortinet".

      5. Enter Unit Name, which is optional. For example, "IT".

      6. Enter Common Name. It must match the FQDN of collector. For example, "collector1.myorg.fortinet.com".

      7. Email Address. This can be left blank. Hit "enter" to continue.

      8. If prompted for a challenge password, hit "enter" to leave blank and continue.

      9. Hit enter again to confirm.
        A Certificate Signing Request is created in /tmp/tls-collector1.csr.

    4. Using WinScp or another SCP utility, download this CSR file to your desktop.

    5. Go to your preferred public CA, and upload this CSR when prompted to generate a new SSL certificate file.

      When you have your new Certificate ZIP file, it will normally contain 2-3 files.

    6. WinSCP zip file to /tmp of the Collector.

    7. Unzip the file if needed, by using the following command.

      unzip <filename>.zip

      The .crt file is your certificate, and is usually a concatenation of all chain certificates.

    8. Rename the cert files if needed using similar commands here.

      cd /tmp

      mv 11111111.crt tls-collector1.crt

    9. Copy the cert to the correct folder using the following command.

      cp tls-collector1.crt /etc/pki/tls/certs/tls-collector1.crt

    10. Set permissions using the following command.
      chmod 644 /etc/pki/tls/certs/tls-collector1.crt

      chmod 640 /etc/pki/tls/private/tls-collector1.key

      chown root:admin /etc/pki/tls/private/tls-collector1.key

    11. On the Collector, update the /opt/phoenix/config/phoenix_config.txt file to reference the new tls cert using the following command.
      vi /opt/phoenix/config/phoenix_config.txt

    12. Locate the following lines in your phoenix_config.txt file.
      listen_tls_port_list=6514

      tls_certificate_file=/etc/pki/tls/certs/localhost.crt

      tls_key_file=/etc/pki/tls/private/localhost.key

      and replace the cert and key file with the following:

      listen_tls_port_list=6514

      tls_certificate_file=/etc/pki/tls/certs/tls-collector1.crt

      tls_key_file=/etc/pki/tls/private/tls-collector1.key

    13. Save the file, and as root, restart phParser using the following command.

      killall -9 phParser

    How to Generate a Self Signed SSL/TLS Certificate

    Take the following steps:

    1. On the Collector, run the following commands as root.

      cd /tmp

      openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -keyout /etc/pki/tls/private/tls-collector1.key -out /etc/pki/tls/certs/tls-collector1.crt

    2. Take the following actions when prompted.

      1. When Prompted for Country Name, enter your Country Abbreviation. For example, the United States is "US".

      2. Enter your State or Province. For example, California would be "CA".

      3. Enter your Locality. For example, a city would be "Sunnyvale".

      4. Enter your desired org name. For example, "Fortinet".

      5. Enter Unit Name, which is optional. For example, "IT".

      6. Enter Common Name. It must match the FQDN of collector. For example, "collector1.myorg.fortinet.com".

      7. Email Address. This can be left blank. Hit "enter" to continue.

      8. If prompted for a challenge password, hit "enter" to leave blank and continue.

      9. Hit enter again to confirm.

    3. Set the appropriate permissions for the private key and certificate generated, by running the following commands.

      chmod 640 /etc/pki/tls/private/tls-collector1.key

      chown root:admin /etc/pki/tls/private/tls-collector1.key

      chmod 644 /etc/pki/tls/certs/tls-collector1.crt

    4. On the collector, update the /opt/phoenix/config/phoenix_config.txt file to reference the new tls certificate by editing the file, running the following command.

      vi /opt/phoenix/config/phoenix_config.txt

    5. Find the following lines in the file.

      listen_tls_port_list=6514

      tls_certificate_file=/etc/pki/tls/certs/localhost.crt

      tls_key_file=/etc/pki/tls/private/localhost.key

      and replace the cert and key file with the following:

      listen_tls_port_list=6514

      tls_certificate_file=/etc/pki/tls/certs/tls-collector1.crt

      tls_key_file=/etc/pki/tls/private/tls-collector1.key

    6. Save the file, and as root, restart phParser using the following command.

      killall -9 phParser

    7. Make a copy of the certificate file to /tmp, and using WinSCP or another SCP utility, download the Collector Certificate file. For example, you may run the following command.

      cp /etc/pki/tls/certs/tls-collector1.crt /tmp

    8. Download /tmp/tls-collector1.crt to your desktop.

      Note: You only need the Certificate file and not the private key. The private key will never leave the collector.

    Previous
    Next