Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • External Systems Configuration Guide

    Home FortiSIEM 6.7.5 External Systems Configuration Guide
    6.7.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.7
    7.1.6
    7.1.5
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.7.9
    6.7.8
    6.7.7
    6.7.6
    6.7.5
    6.7.4
    6.7.3
    6.7.2
    6.7.1
    6.7.0
    6.6.5
    6.6.4
    6.6.3
    6.6.2
    6.6.1
    6.6.0
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    6.1.0
    5.4.0
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.0.0

    Palo Alto Cortex XDR

    Palo Alto Cortex XDR

    Event Types

    In ADMIN > Device Support > Event Types, search for "cortexXDR" to see the event types associated with this device. In FortiSIEM 6.3.0, there are 9 event types for Cortex XDR.

    Rules

    In RESOURCES > Rules, search for "cortex" in the main content panel Search... field.

    Reports

    No specific reports are available for Palo Alto Cortex XDR.

    Configuration

    For the latest Palo Alto Cortex XDR documentation, see https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/logs/integrate-a-syslog-receiver-for-outbound-notifications.html.

    Public or Self Signed Certificate Configuration

    Fortinet recommends configuring Syslog over TLS for Cortex XDR.

    You can generate either a public certificate or a self signed certificate.

    Prerequisites

    • Ensure you have a collector that is publicly exposed (has a public IP with port TCP 6514 open).

    • Be sure to specify a valid FQDN when registering the collector, and make sure a public DNS A record exists for it.

    • Add a whitelist to restrict all traffic only from these destinations based on your region listed in the documentation here.

    Public Certificate Generation and Application Configuration

    Take the following steps:

    1. Generate a SSL/TLS certificate using a public certificate. A public certificate can be signed by a public certificate authority (CA) such as DigiCert, or GoDaddy.

    2. Run the following command on your collector to generate a CSR (Certificate Signing Request)

      cd /tmp

      openssl req -new -newkey rsa:4096 -nodes -keyout /etc/pki/tls/private/tls-collector1.key -out tls-collector1.csr

    3. Take the following actions when prompted.

      1. When Prompted for Country Name, enter your Country Abbreviation. For example, the United States is "US".

      2. Enter your State or Province. For example, California would be "CA".

      3. Enter your Locality. For example, a city would be "Sunnyvale".

      4. Enter your desired org name. For example, "Fortinet".

      5. Enter Unit Name, which is optional. For example, "IT".

      6. Enter Common Name. It must match the FQDN of collector. For example, "collector1.myorg.fortinet.com".

      7. Email Address. This can be left blank. Hit "enter" to continue.

      8. If prompted for a challenge password, hit "enter" to leave blank and continue.

      9. Hit enter again to confirm.
        A Certificate Signing Request is created in /tmp/tls-collector1.csr.

    4. Using WinScp or another SCP utility, download this CSR file to your desktop.

    5. Go to your preferred public CA, and upload this CSR when prompted to generate a new SSL certificate file.

      When you have your new Certificate ZIP file, it will normally contain 2-3 files.

    6. WinSCP zip file to /tmp of the Collector.

    7. Unzip the file if needed, by using the following command.

      unzip <filename>.zip

      The .crt file is your certificate, and is usually a concatenation of all chain certificates.

    8. Rename the cert files if needed using similar commands here.

      cd /tmp

      mv 11111111.crt tls-collector1.crt

    9. Copy the cert to the correct folder using the following command.

      cp tls-collector1.crt /etc/pki/tls/certs/tls-collector1.crt

    10. Set permissions using the following command.
      chmod 644 /etc/pki/tls/certs/tls-collector1.crt

      chmod 640 /etc/pki/tls/private/tls-collector1.key

      chown root:admin /etc/pki/tls/private/tls-collector1.key

    11. On the Collector, update the /opt/phoenix/config/phoenix_config.txt file to reference the new tls cert using the following command.
      vi /opt/phoenix/config/phoenix_config.txt

    12. Locate the following lines in your phoenix_config.txt file.
      listen_tls_port_list=6514

      tls_certificate_file=/etc/pki/tls/certs/localhost.crt

      tls_key_file=/etc/pki/tls/private/localhost.key

      and replace the cert and key file with the following:

      listen_tls_port_list=6514

      tls_certificate_file=/etc/pki/tls/certs/tls-collector1.crt

      tls_key_file=/etc/pki/tls/private/tls-collector1.key

    13. Save the file, and as root, restart phParser using the following command.

      killall -9 phParser

    14. Define the Syslog server parameters (See step 4 in Integrate a Syslog Receiver for more information).

      • Name: FortiSIEM_Public_Collector

      • Destination: Pulbic IP or FQDN of FortiSIEM Collector

      • Port: 6514

      • Facility: Informational, or Default Value

      • Protocol: TCP + SSL/TLS

      • Certificate: You do not need to upload as it is a public signed SSL certificate.

    15. Click Create.

    Self Signed Certificate Generation and Application Configuration

    Take the following steps:

    1. On the Collector, run the following commands as root.

      cd /tmp

      openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -keyout /etc/pki/tls/private/tls-collector1.key -out /etc/pki/tls/certs/tls-collector1.crt

    2. Take the following actions when prompted.

      1. When Prompted for Country Name, enter your Country Abbreviation. For example, the United States is "US".

      2. Enter your State or Province. For example, California would be "CA".

      3. Enter your Locality. For example, a city would be "Sunnyvale".

      4. Enter your desired org name. For example, "Fortinet".

      5. Enter Unit Name, which is optional. For example, "IT".

      6. Enter Common Name. It must match the FQDN of collector. For example, "collector1.myorg.fortinet.com".

      7. Email Address. This can be left blank. Hit "enter" to continue.

      8. If prompted for a challenge password, hit "enter" to leave blank and continue.

      9. Hit enter again to confirm.

    3. Set the appropriate permissions for the private key and certificate generated, by running the following commands.

      chmod 640 /etc/pki/tls/private/tls-collector1.key

      chown root:admin /etc/pki/tls/private/tls-collector1.key

      chmod 644 /etc/pki/tls/certs/tls-collector1.crt

    4. On the collector, update the /opt/phoenix/config/phoenix_config.txt file to reference the new tls certificate by editing the file, running the following command.

      vi /opt/phoenix/config/phoenix_config.txt

    5. Find the following lines in the file.

      listen_tls_port_list=6514

      tls_certificate_file=/etc/pki/tls/certs/localhost.crt

      tls_key_file=/etc/pki/tls/private/localhost.key

      and replace the cert and key file with the following:

      listen_tls_port_list=6514

      tls_certificate_file=/etc/pki/tls/certs/tls-collector1.crt

      tls_key_file=/etc/pki/tls/private/tls-collector1.key

    6. Save the file, and as root, restart phParser using the following command.

      killall -9 phParser

    7. Make a copy of the certificate file to /tmp, and using WinSCP or another SCP utility, download the Collector Certificate file. For example, you may run the following command.

      cp /etc/pki/tls/certs/tls-collector1.crt /tmp

    8. Download /tmp/tls-collector1.crt to your desktop.

      Note: You only need the Certificate file and not the private key. The private key will never leave the collector.

    9. Define the Syslog server parameters (See step 4 in Integrate a Syslog Receiver for more information).

      • Name: FortiSIEM_Public_Collector

      • Destination: Pulbic IP or FQDN of FortiSIEM Collector

      • Port: 6514

      • Facility: Informational, or Default Value

      • Protocol: TCP + SSL/TLS

      • Certificate: You do not need to upload as it is a public signed SSL certifcate.

      • Select Ignore Certificate Error.

    10. Click Create.


    Previous
    Next

    Palo Alto Cortex XDR

    Palo Alto Cortex XDR

    Event Types

    In ADMIN > Device Support > Event Types, search for "cortexXDR" to see the event types associated with this device. In FortiSIEM 6.3.0, there are 9 event types for Cortex XDR.

    Rules

    In RESOURCES > Rules, search for "cortex" in the main content panel Search... field.

    Reports

    No specific reports are available for Palo Alto Cortex XDR.

    Configuration

    For the latest Palo Alto Cortex XDR documentation, see https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/logs/integrate-a-syslog-receiver-for-outbound-notifications.html.

    Public or Self Signed Certificate Configuration

    Fortinet recommends configuring Syslog over TLS for Cortex XDR.

    You can generate either a public certificate or a self signed certificate.

    Prerequisites

    • Ensure you have a collector that is publicly exposed (has a public IP with port TCP 6514 open).

    • Be sure to specify a valid FQDN when registering the collector, and make sure a public DNS A record exists for it.

    • Add a whitelist to restrict all traffic only from these destinations based on your region listed in the documentation here.

    Public Certificate Generation and Application Configuration

    Take the following steps:

    1. Generate a SSL/TLS certificate using a public certificate. A public certificate can be signed by a public certificate authority (CA) such as DigiCert, or GoDaddy.

    2. Run the following command on your collector to generate a CSR (Certificate Signing Request)

      cd /tmp

      openssl req -new -newkey rsa:4096 -nodes -keyout /etc/pki/tls/private/tls-collector1.key -out tls-collector1.csr

    3. Take the following actions when prompted.

      1. When Prompted for Country Name, enter your Country Abbreviation. For example, the United States is "US".

      2. Enter your State or Province. For example, California would be "CA".

      3. Enter your Locality. For example, a city would be "Sunnyvale".

      4. Enter your desired org name. For example, "Fortinet".

      5. Enter Unit Name, which is optional. For example, "IT".

      6. Enter Common Name. It must match the FQDN of collector. For example, "collector1.myorg.fortinet.com".

      7. Email Address. This can be left blank. Hit "enter" to continue.

      8. If prompted for a challenge password, hit "enter" to leave blank and continue.

      9. Hit enter again to confirm.
        A Certificate Signing Request is created in /tmp/tls-collector1.csr.

    4. Using WinScp or another SCP utility, download this CSR file to your desktop.

    5. Go to your preferred public CA, and upload this CSR when prompted to generate a new SSL certificate file.

      When you have your new Certificate ZIP file, it will normally contain 2-3 files.

    6. WinSCP zip file to /tmp of the Collector.

    7. Unzip the file if needed, by using the following command.

      unzip <filename>.zip

      The .crt file is your certificate, and is usually a concatenation of all chain certificates.

    8. Rename the cert files if needed using similar commands here.

      cd /tmp

      mv 11111111.crt tls-collector1.crt

    9. Copy the cert to the correct folder using the following command.

      cp tls-collector1.crt /etc/pki/tls/certs/tls-collector1.crt

    10. Set permissions using the following command.
      chmod 644 /etc/pki/tls/certs/tls-collector1.crt

      chmod 640 /etc/pki/tls/private/tls-collector1.key

      chown root:admin /etc/pki/tls/private/tls-collector1.key

    11. On the Collector, update the /opt/phoenix/config/phoenix_config.txt file to reference the new tls cert using the following command.
      vi /opt/phoenix/config/phoenix_config.txt

    12. Locate the following lines in your phoenix_config.txt file.
      listen_tls_port_list=6514

      tls_certificate_file=/etc/pki/tls/certs/localhost.crt

      tls_key_file=/etc/pki/tls/private/localhost.key

      and replace the cert and key file with the following:

      listen_tls_port_list=6514

      tls_certificate_file=/etc/pki/tls/certs/tls-collector1.crt

      tls_key_file=/etc/pki/tls/private/tls-collector1.key

    13. Save the file, and as root, restart phParser using the following command.

      killall -9 phParser

    14. Define the Syslog server parameters (See step 4 in Integrate a Syslog Receiver for more information).

      • Name: FortiSIEM_Public_Collector

      • Destination: Pulbic IP or FQDN of FortiSIEM Collector

      • Port: 6514

      • Facility: Informational, or Default Value

      • Protocol: TCP + SSL/TLS

      • Certificate: You do not need to upload as it is a public signed SSL certificate.

    15. Click Create.

    Self Signed Certificate Generation and Application Configuration

    Take the following steps:

    1. On the Collector, run the following commands as root.

      cd /tmp

      openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -keyout /etc/pki/tls/private/tls-collector1.key -out /etc/pki/tls/certs/tls-collector1.crt

    2. Take the following actions when prompted.

      1. When Prompted for Country Name, enter your Country Abbreviation. For example, the United States is "US".

      2. Enter your State or Province. For example, California would be "CA".

      3. Enter your Locality. For example, a city would be "Sunnyvale".

      4. Enter your desired org name. For example, "Fortinet".

      5. Enter Unit Name, which is optional. For example, "IT".

      6. Enter Common Name. It must match the FQDN of collector. For example, "collector1.myorg.fortinet.com".

      7. Email Address. This can be left blank. Hit "enter" to continue.

      8. If prompted for a challenge password, hit "enter" to leave blank and continue.

      9. Hit enter again to confirm.

    3. Set the appropriate permissions for the private key and certificate generated, by running the following commands.

      chmod 640 /etc/pki/tls/private/tls-collector1.key

      chown root:admin /etc/pki/tls/private/tls-collector1.key

      chmod 644 /etc/pki/tls/certs/tls-collector1.crt

    4. On the collector, update the /opt/phoenix/config/phoenix_config.txt file to reference the new tls certificate by editing the file, running the following command.

      vi /opt/phoenix/config/phoenix_config.txt

    5. Find the following lines in the file.

      listen_tls_port_list=6514

      tls_certificate_file=/etc/pki/tls/certs/localhost.crt

      tls_key_file=/etc/pki/tls/private/localhost.key

      and replace the cert and key file with the following:

      listen_tls_port_list=6514

      tls_certificate_file=/etc/pki/tls/certs/tls-collector1.crt

      tls_key_file=/etc/pki/tls/private/tls-collector1.key

    6. Save the file, and as root, restart phParser using the following command.

      killall -9 phParser

    7. Make a copy of the certificate file to /tmp, and using WinSCP or another SCP utility, download the Collector Certificate file. For example, you may run the following command.

      cp /etc/pki/tls/certs/tls-collector1.crt /tmp

    8. Download /tmp/tls-collector1.crt to your desktop.

      Note: You only need the Certificate file and not the private key. The private key will never leave the collector.

    9. Define the Syslog server parameters (See step 4 in Integrate a Syslog Receiver for more information).

      • Name: FortiSIEM_Public_Collector

      • Destination: Pulbic IP or FQDN of FortiSIEM Collector

      • Port: 6514

      • Facility: Informational, or Default Value

      • Protocol: TCP + SSL/TLS

      • Certificate: You do not need to upload as it is a public signed SSL certifcate.

      • Select Ignore Certificate Error.

    10. Click Create.


    Previous
    Next