External Systems Configuration Guide

Fortinet FortiGate Firewall

Support Added: FortiSIEM 4.7.2

Last Modification: FortiSIEM 7.0.0

Vendor Version Tested: FortiGate 7.2.4

Vendor: Fortinet

Product Information: https://www.fortinet.com/products/next-generation-firewall

What is Discovered and Monitored

Protocol: Netflow
Information Discovered / Metrics collected: Firewall traffic, application detection and application link usage metrics
Used for: Security monitoring and compliance, Firewall Link Usage and Application monitoring

Protocol: REST API
Information Discovered: Host name, Model, Version, Interfaces, Serial Number, FortiAP and FortiSwitch managed by FortiGate.
Metrics collected: Uptime, CPU, Memory and Disk utilization, Network Interface metrics, VPN metrics, Firewall Connection metrics.
  FortiGate Security Fabric Discovery - Adjacent firewall Host name, Model, Version, Serial Number.
  Fortinet Security Fabric - Risk Rating Dashboard - Fabric root risk rating data.
  FortiGate User Device Store Discovery - Discover FortiClient installed hosts passing through Firewalls.
Used for: Performance and Availability Monitoring

Protocol: SNMP
Information Discovered: Host name, Hardware model, Network interfaces, Operating system version
Metrics collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths). For 5xxx series firewalls, per CPU utilization (event PH_DEV_MON_FORTINET_PROCESSOR_USGE).
Used for: Availability and Performance Monitoring

Protocol: Syslog
Information Discovered: Device type
Metrics collected: All traffic and system logs
Used for: Availability, Security and Compliance

Protocol: SSH
Information Discovered: Running configuration
Metrics collected: Configuration Change
Used for: Performance Monitoring, Security and Compliance

Overview

FortiSIEM offers multiple ways to monitor FortiGate firewalls using Syslog, REST API discovery, Netflow, SNMP, or SSH.

Notes:

If REST API discovery is configured and scheduled on a recurring basis, SNMP and SSH are no longer required.

REST API collects health data using performance monitor jobs, same as SNMP.

Netflow is optional - Syslog session logs report bytes sent/received, packets sent/received and other details, typically periodically for long-running sessions and on session close, which is usually sufficient.

Customers who need real-time traffic sampling can enable Netflow forwarding to FortiSIEM; however, FortiGate performance will be affected depending on the traffic sampling rate, and the log (events per second) volume sent to FortiSIEM collectors will increase greatly.

REST API collects config backups on discovery (if the config changed since the prior firewall discovery); SSH is no longer needed for this operation.

REST API FortiGate Fabric Discovery features are only available if the FortiGate is a standalone fabric root firewall, or is a member of a FortiGate fabric.

Event Types

In ADMIN > Device Support > Event Types, search for "fortigate" to see the event types associated with this device.

Rules

In RESOURCES > Rules, search for "fortigate" in the main content panel Search... field to see the rules associated with this device.

Reports

In RESOURCES > Reports, search for "fortigate" in the main content panel Search... field to see the reports associated with this device.

Suggested Integration

For most use cases and integration needs, using the FortiGate API and Syslog integration will collect the necessary performance, configuration and security information.

If a FortiAnalyzer is receiving FortiGate logs, you can alternatively forward syslog from the FortiAnalyzer to FortiSIEM. Do not forward logs from both a FortiGate and FortiAnalyzer to FortiSIEM, as this will cause duplicate events to be received by FortiSIEM (one from FortiGate and another from FortiAnalyzer).

Configuration

FortiOS REST API Integration

Overview

In 7.0.0, FortiSIEM has expanded discovery support for FortiGate firewalls using API key-based discovery with the following API Discovery enhancements:

  • FortiGate software modules and their expiry data if applicable can be found under Device -> Software -> Installed Software

  • FortiGate running processes now listed under Device -> Software -> Running Applications

  • Processor core list can now be found under Device -> Hardware -> Processors

  • Physical memory utilization can now be found under Device -> Hardware -> Storage

  • FortiGate startup config backups can be found under Device -> Configuration.

  • SSH discovery is no longer required for config backups, backups are collected via API

  • SNMP discovery is no longer required for FortiGate performance data collection.

FortiGate Security Fabric Discovery Support

FortiSIEM now supports discovery of Fortinet Security Fabric member devices.

If a discovered firewall is a member of, or the root firewall of a security fabric, FortiSIEM can now discover the directly configured Firewall, and do a light (basic data) discovery of adjacent FortiGate firewalls in the fabric. For more information about Fortinet Security Fabric, see the following documentation: https://docs.fortinet.com/security-fabric.

The screenshot above shows an example: after a FortiGate root firewall in the security fabric is discovered directly, a basic discovery of all other FortiGate firewalls in the fabric is done automatically.

In addition to supporting discovery of devices attached to the Fortinet Security Fabric, there is a new concept of a deep (complete) discovery, and shallow (light) discovery of FortiGate devices.

If you configure a FortiGate firewall with an API key, and configure that FortiGate in FortiSIEM for discovery, the complete information of that device, attached switches, and access points will be imported.

FortiSIEM will also look at attached security fabric devices, and do a light discovery of adjacent FortiGate firewalls only. This is considered a "light" discovery. This consists of basic information such as:

  • hostname

  • access IP (usually the management IP of the Firewall)

  • version

  • serial number

In order to get complete information about every firewall, you must configure an API key and directly discover each one within FortiSIEM.

Fortinet Security Fabric - Risk Rating Dashboard

For a FortiGate firewall that has security fabric enabled and is joined to a fabric, the root firewall appliance aggregates security risk data from all member devices for reporting.

If you directly discover a FortiGate operating as the root firewall of the security fabric, the Security Fabric - Security Rating report data is also populated into FortiSIEM. This populates the dashboard found under Dashboard > Security Fabric > Security Rating > Security Posture.

Note for Managed Security Service Providers (MSSPs): You must be in organization scope to see this dashboard.

The screenshot above shows an example of the Security Fabric security posture key details when the FortiGate root firewall in the fabric is discovered.

FortiGate User Device Store Discovery

FortiGate firewalls maintain a rich repository of detected/fingerprinted devices that have passed through the firewall, including devices running FortiClient and using the Fortinet ZTNA architecture. If you directly discover a firewall, FortiGate populates the UEBA identity and location dashboard with the devices it has seen, enabling FortiSIEM to use the user and device relational mapping in your organization.

Note: The identity and location (UEBA) dashboard is auto populated with the FortiGate User/Device Store data during each discovery. This is used for event enrichment when data is missing from some events.

Additionally, if the device is running FortiClient, it will be discovered as unmanaged by default. You can later select endpoints of interest to mark as managed in FortiSIEM, consuming a device license.

Discovery of FortiClient devices provides the following (found under CMDB > Devices > the given device running FortiClient > Summary > Security Fabric Attributes):

  • A count of all vulnerabilities on this device (since the last vulnerability scan via FortiClient), categorized by critical, high, medium, low, and informational.

  • The EMS serial number the device is registered to; this is used by certain remediation (automated response) scripts to tag/untag hosts on the FortiEMS server.

  • Purdue Level of the device if FortiGate has assigned it.

  • FortiEMS tags associated with the host (e.g. tag suspicious, or tag critical_host). See the information below about FortiSIEM's use of tags for SOAR remediations.

For more information about data collected in the FortiGate Firewall User Device Store, please see the Device inventory topic in the FortiGate / FortiOS Administration Guide.

Setting Up FortiGate Firewall for REST API Communication via GUI

Setup Instructions:

Note on FortiGate REST API User permissions: If you just want to collect audit and performance data from a FortiGate, and no configuration backups, you can assign an admin profile with read only for all access controls. If however, you would like configuration backups via the REST API, certain write permissions are needed to accomplish this.

To collect config backups in addition to other data, take the following steps:

Section 1: Create Admin Profile (RBAC Role)

  1. Login to FortiGate Firewall GUI.

  2. Navigate to System > Admin Profiles, and select Create New.

    1. In the Name field, enter the name of the new profile, for example: "Read_Plus_Backup".

    2. In the Access Permissions window, for Access Control, take the following steps.

      1. Select Read for all Access Control except the following:

        • User & Device: Set control to Read/Write.

        • System > Administrator Users: Set control to Read/Write.

    3. Optionally, if the firewall is a multi-vdom firewall, ensure the Scope option is set to "Global".

      Note: Config backups per vdom are not supported at this time.

    4. Click OK.

Section 2: Create Rest API User Account and Assign Admin Profile

Now define a REST API User account, and give it this new profile. Set any preferred IP restrictions (preferably restrict the account to the collector Source IP).

  1. On the FortiGate GUI, navigate to System > Administrators > Create New > REST API Admin.
  2. On the New REST API Admin dialog, enter the following information.
    1. In the Username field, enter a user name.
    2. (Optional) In the Comments field, enter any additional information about this account.
    3. In the Administrator Profile drop-down list, select the "Read_Plus_Backup" profile.
    4. Disable PKI Group.
    5. Enable CORS Allow Origin, and input https://fndn.fortinet.net.
    6. In the Trusted Hosts field, enter a trusted host based on your source address. The Trusted Host must be specified to ensure that your local host can reach FortiGate. For example, to restrict requests to those coming from only 10.20.100.99, enter "10.20.100.99/32". The Trusted Host is created from the Source Address (from the FortiGate GUI, select the Status dashboard, navigate to <your-userid>, show active administrator sessions and copy the source address of your <your-userid>).
    7. Click OK and an API token will be generated. Copy the API token information as it is only shown once and cannot be retrieved. It will be needed for the Setup in FortiSIEM configuration.
    8. Click Close to complete the creation of the REST API Admin.
  3. Configure FortiSIEM with the new REST API credential (see Configure FortiSIEM with FortiGate REST API Credentials).

Setting up FortiGate Firewall for REST API communication via CLI

To configure via the CLI, take the following steps.

Note: It is best to restrict the user to only the source IP of the collector doing the discovery; in the example below our collector IP is 192.168.1.25. This allows the user to authenticate to the firewall only from this source IP.

If you experience connectivity issues, you can temporarily remove the trusted host configuration, and test.

Traffic from the collector to the FortiGate firewall on the administrator port must be allowed inbound to the firewall.

* If the firewall is multi-vdom, enter "config global" first.

Section 1: Create Admin Profile (RBAC Role)

Create an admin profile using the following:

config system accprofile
    edit "Read_Plus_Backup"
        set scope global
        set secfabgrp read
        set ftviewgrp read
        set authgrp read-write
        set sysgrp custom
        set netgrp read
        set loggrp read
        set fwgrp read
        set vpngrp read
        set utmgrp read
        set wanoptgrp read
        set wifi read
        config sysgrp-permission
            set admin read-write
            set upd read
            set cfg read
            set mnt read
        end
    next
end

Section 2: Create Rest API User Account and Assign Admin Profile

Now configure the user, using the following:

config system api-user
    edit "fortisiem_user"
        set accprofile "Read_Plus_Backup"
        set vdom "root"
        config trusthost
            edit 1
                set ipv4-trusthost 192.168.1.25 255.255.255.255
            next
        end
    next
end

Finally, generate the API key.

execute api-user generate-key fortisiem_user

Note the API key in the output and store it in a password management utility. It will be entered in the FortiSIEM credential (Device Type: Fortinet FortiOS, Access Protocol: FORTIOS_REST_API).
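The admin profile above is the boundary of what this API key can do, so it is worth checking mechanically before the key is handed to FortiSIEM. The following is an added example, not part of this guide or of FortiOS: it parses the two CLI blocks from Sections 1 and 2 and flags any write permission beyond authgrp and sysgrp-permission admin, or a trusted host that accepts any source address. The function names (parse_fortios, audit) and the sample configuration text are constructed for this example.

```python
"""Least-privilege audit of the FortiOS REST API profile and user shown above.

Added example for this page, not FortiSIEM or FortiOS code. It parses CLI-style
FortiOS configuration (config / edit / set / next / end) and checks that the profile
grants write access only where the guide needs it for config backups (authgrp and
sysgrp-permission admin) and that the API user is pinned to a trusted host.
"""
import shlex

# Write permissions the guide grants to Read_Plus_Backup; any other read-write
# entry is reported. Keys are (group,) or ("sysgrp-permission", subgroup).
ALLOWED_WRITE = {("authgrp",), ("sysgrp-permission", "admin")}

def parse_fortios(text):
    """'config X' / 'edit Y' open a nested dict keyed by X or Y, 'set K V...' stores
    the value list under K, 'next' / 'end' close the block; other lines are ignored."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        if tokens[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(tokens[1:]), {}))
        elif tokens[0] == "set" and len(tokens) >= 3:
            stack[-1][tokens[1]] = tokens[2:]
        elif tokens[0] in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root

def audit_accprofile(name, profile):
    """Report every read-write grant that is not in ALLOWED_WRITE."""
    findings = []
    for key, value in profile.items():
        if isinstance(value, dict):  # nested block such as sysgrp-permission
            for sub, subvalue in value.items():
                if subvalue == ["read-write"] and (key, sub) not in ALLOWED_WRITE:
                    findings.append(f"profile {name}: {key} {sub} is read-write")
        elif value == ["read-write"] and (key,) not in ALLOWED_WRITE:
            findings.append(f"profile {name}: {key} is read-write")
    return findings

def audit_api_user(name, user):
    """Report an API user whose key would be accepted from any source address."""
    findings = []
    hosts = user.get("trusthost", {})
    if not hosts:
        findings.append(f"api-user {name}: no trusthost configured")
    for host_id, host in hosts.items():
        if host.get("ipv4-trusthost", [])[:2] == ["0.0.0.0", "0.0.0.0"]:
            findings.append(f"api-user {name}: trusthost {host_id} allows any IPv4 source")
    return findings

def audit(config_text):
    """Audit each api-user together with the accprofile it references."""
    cfg = parse_fortios(config_text)
    profiles = cfg.get("system accprofile", {})
    findings = []
    for user_name, user in cfg.get("system api-user", {}).items():
        findings += audit_api_user(user_name, user)
        prof_name = user.get("accprofile", [None])[0]
        if prof_name in profiles:
            findings += audit_accprofile(prof_name, profiles[prof_name])
        else:
            findings.append(f"api-user {user_name}: profile {prof_name!r} not found")
    return findings

# Constructed sample: the guide's profile (read groups abbreviated) and API user.
GUIDE_CONFIG = """
config system accprofile
    edit "Read_Plus_Backup"
        set scope global
        set secfabgrp read
        set authgrp read-write
        set sysgrp custom
        set fwgrp read
        config sysgrp-permission
            set admin read-write
            set cfg read
            set mnt read
        end
    next
end
config system api-user
    edit "fortisiem_user"
        set accprofile "Read_Plus_Backup"
        set vdom "root"
        config trusthost
            edit 1
                set ipv4-trusthost 192.168.1.25 255.255.255.255
            next
        end
    next
end
"""

# Constructed weak variant: firewall policy write access and an open trusthost.
WEAK_CONFIG = GUIDE_CONFIG.replace("set fwgrp read", "set fwgrp read-write").replace(
    "192.168.1.25 255.255.255.255", "0.0.0.0 0.0.0.0")
```

Running audit(GUIDE_CONFIG) returns no findings, while audit(WEAK_CONFIG) reports the fwgrp write grant and the open trusted host; the same parser accepts the output of "show system accprofile" and "show system api-user" copied from a live firewall.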

Proceed to Configure FortiSIEM with FortiGate REST API Credentials.

Configure FortiSIEM with FortiGate REST API Credentials

FortiSIEM can process events from FortiGate via the FortiOS REST API. Obtain your token from FortiGate (see Setup in FortiGate) before proceeding.

Complete these steps in the FortiSIEM UI:

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials:
    1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box:

      Name: Enter a name for the credential.
      Device Type: Fortinet FortiOS
      Access Protocol: FORTIOS_REST_API
      Password config: Manual
      Token: Input the API token from the REST API User account.
      Confirm Token: Input the same API token as above for verification.
      Description: Description about the device.
  3. In Step 2: Enter IP Range to Credential Associations, click New.
    1. Enter the FortiGate IP address or IP range in the IP/Host Name field.
    2. Select the name of your credential from the Credentials drop-down list.
    3. Click Save.
  4. Click the Test drop-down list and select Test Connectivity to test the connection to FortiGate.
  5. Navigate to ADMIN > Setup > Discover > New.
  6. In the Discovery Definition window, take the following steps:
    1. In the Name field, enter a name for this device.
    2. In the Discovery Type drop-down list, select Range Scan.
    3. In the Include field, enter the FortiGate IP address.
    4. Click Save.
  7. Navigate to ADMIN > Setup > Discovery > Discover. Your devices will be added into CMDB and 3 jobs are added in Monitor Performance.


When configuration is complete, you can do the following.

To view your devices, go to CMDB > Devices.


If you discover a FortiGate firewall that has a number of FortiClient managed devices passing through it, as shown in the example screenshot here, you will discover those devices as unmanaged within the CMDB.

These FortiClient devices in the CMDB now have additional attributes such as vulnerability counts, ZTNA tags, and the Purdue level assigned by the FortiGate, as shown in the example screenshot below.


To see metrics for your devices, go to ADMIN > Setup > Monitor Performance.

To see received events, select ANALYTICS, then enter "PH_DEV_MON_FORTI" in the search box.

Configuring FortiGate to send Syslog to FortiSIEM

To configure FortiGate to send logs to FortiSIEM over Syslog, take the following steps either via the Web GUI or CLI.

  • Web GUI

  • CLI

With the Web GUI

  1. Log in to your firewall as an administrator.

  2. Go to Log & Report > Log Config > syslog.

  3. Enter the following for your FortiSIEM virtual appliance:

    • IP Address

    • Port Number

    • Minimum Log Level and Facility

  4. Make sure that CSV format is not selected.

With the CLI

  1. Connect to the FortiGate firewall over SSH and log in.

  2. To configure your firewall to send syslog over UDP, enter this command, replacing the IP address 192.168.53.2 with the IP address of your FortiSIEM virtual appliance.

    config log syslogd setting
        set status enable
        set server "192.168.53.2"
        set facility user
        set port 514
    end
  3. Verify the settings.

    frontend # show log syslogd setting
    config log syslogd setting
        set status enable
        set server "192.168.53.2"
        set facility user
    end
Sending Logs Over VPN

If you are sending these logs across a VPN, FortiGate will try to use the WAN interface for the source of all system traffic. You can change this by setting the source-ip option to the IP used on the FortiGate Internal/LAN interface.

SNMP Monitoring of FortiGate

Monitoring of a FortiGate for performance monitoring using SNMP is not typically required if using the FortiGate API for monitoring. If using FortiSIEM to monitor the interface and application usage, helpful for SDWAN monitoring, then a specific SNMP configuration will be required on the FortiGate, detailed in Interface Usage Dashboard in the FortiSIEM Online Help.

Configuring SNMP v1 or v2 on FortiGate

Follow these steps to configure SNMPv1 or v2 on FortiGate. For more information on configuring the FortiGate to allow detailed interface monitoring using SNMP, see Data Source in the FortiSIEM User’s Guide.

  1. Log in to your firewall as an administrator.
  2. Go to System > Network.
  3. Select the FortiGate interface IP that FortiSIEM will use to communicate with your device, and then click Edit.
  4. For Administrative Access, make sure that SSH and SNMP are selected.
  5. Click OK.
  6. Go to System > Config > SNMP v1/v2c.
  7. Click Create New to enable the public community.

Configuring SNMP v3 on FortiGate

To configure SNMPv3 on a FortiGate Firewall and integrate it with FortiSIEM, take the following steps:

Setup for FortiGate
  1. Allow SNMP traffic on inbound interface where FortiSIEM collector will reach FortiGate firewall.

  2. Run the show command under the interface, then run "set allowaccess option1 option2 snmp", replacing the options with the preexisting values, adding snmp to the end.

    The following example has the FortiSIEM collector polling inbound on interface port 1.

    config system interface
        edit "port1"
            show
            set allowaccess snmp
        end
    config system snmp sysinfo
        set status enable
        set description "Description of device"
        set contact-info "Optional contact info"
        set location "Optional location info"
    end
  3. Replace the sha and aes passwords with your own, and for notify-hosts, enter the IP address of your FortiSIEM collector that will be polling the FortiGate unit.

    config system snmp user
        edit "fortisiem_user"
            set status enable
            set queries enable
            set security-level auth-priv
            set auth-proto sha
            set auth-pwd "yourShaPassword1"
            set priv-proto aes
            set priv-pwd "yourAesPassword1"
            set notify-hosts "192.168.1.2"
        next
    end
Setup in FortiSIEM

Complete these steps in the FortiSIEM UI:

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials, click New to create a new credential.
    1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box:

      Name: Enter a name for the credential.
      Device Type: Generic
      Access Protocol: SNMP v3
      Security Level: authPriv
      Security Name: fortisiem_user or <your SNMPv3 username here>
      Auth Protocol: SHA
      Auth Password: <your password>
      Priv Protocol: AES
      Priv Password: <your password>
      Context: You can leave this field blank.
      Description: Optional, you can explain which devices this credential is used for.
  3. In Step 2: Enter IP Range to Credential Associations, click New to create a new mapping.
    Note: If you have multiple collectors, use the collector drop-down list to select which collector will do the polling. If you have only one collector, no drop-down list appears.
    1. Enter a host name, an IP, or an IP range in the IP/Host Name field. You can add multiple IPs by using a comma as a separator, for example:
      192.168.1.1,192.168.2.1,192.168.3.1
    2. Select the name of your credential from the Credentials drop-down list.
    3. Click Save.

  4. Click the Test drop-down list and select Test Connectivity without Ping to test the connection. If it fails, ensure the firewall is configured correctly, that SNMP is allowed from the collector on UDP 161, and that the correct SNMPv3 user and password are being used.
  5. Click the Discovery tab. If there is more than one collector, select from the drop-down list the collector you'd like to do the polling.
  6. In the include list, enter the same comma separated IP list as before.

  7. Optionally, you can disable ICMP alive check by selecting Options > Do not ping before discovery.

  8. Click Save.

  9. Select the new discovery, and click Discover. Wait for it to finish, or click run in background.

  10. Click the CMDB tab, and confirm that the devices are discovered via SNMP.

Configuring SSH on FortiSIEM to communicate with FortiGate

FortiSIEM Collector SSH Client, when communicating to FortiGate via SSH, may use the public key authentication method first. This may fail and create some alerts in FortiGate. To prevent this, modify the per user config file as follows:

  1. Log in to the FortiSIEM node that communicates to FortiGate via SSH, as admin.
  2. Open /opt/phoenix/bin/.ssh/config, creating the file if it does not exist.
  3. Add these two lines and save:
    PreferredAuthentications password
    PubkeyAuthentication no
  4. Ensure that the owner is admin:
    chown admin.admin /opt/phoenix/bin/.ssh/config
    chmod 600 /opt/phoenix/bin/.ssh/config
  5. Verify using the commands:
    su admin
    ssh -v <fgt host>

    Verification is successful if the following files are found:

Alternatively, modify the global ssh_config file as below. Since this is a global configuration, all programs will use this setting.

  1. Log in to a FortiSIEM node that communicates to FortiGate via SSH, as root.
  2. Open /etc/ssh/ssh_config
  3. Add these two lines:
    PreferredAuthentications password
    PubkeyAuthentication no

SSH Credentials are not normally necessary if using the FortiGate API discovery method, as the FortiGate configuration can also be monitored via the API. You may wish to use the SSH credential for some remediation actions such as “Block Source IP FortiOS 7.x via SSH” and “Block Source MAC FortiOS 7.x via SSH”. See Remediations in the FortiSIEM Online Help for more information. FortiGate remediation action “Block Source IP FortiOS 7.x via FortiOS API” can also be performed via API.

These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in FortiSIEM have the permissions necessary to execute these commands on the device.

show firewall address

show full-configuration

Configuring FortiSIEM for SNMP and SSH access to FortiGate

You can now configure FortiSIEM to communicate with your device by following the instructions in the User Guide > Section: Configuring FortiSIEM > Discovering Infrastructure > Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics under Discovering Infrastructure.

Configuring FortiAnalyzer to send logs to FortiSIEM

If you are already sending FortiGate logs to FortiAnalyzer, then you can forward those logs to FortiSIEM by configuring FortiAnalyzer as follows:

Setting Up the Syslog Server
  1. Login to FortiAnalyzer.
  2. Go to System Settings > Advanced > Syslog Server.
    1. Click the Create New button.
    2. Enter the Name. (It is recommended to use the name of the FortiSIEM server.)
    3. Fill in the IP address (or FQDN) with the IP or a fully qualified name of the FortiSIEM server.
    4. Leave the Syslog Server Port to the default value '514'.
    5. Click OK to save your entries.
Pre-Configuration for Log Forwarding

To configure FortiAnalyzer event forwarding to FortiSIEM, you must first set up the following.

  1. Install a FortiSIEM collector in the same subnet as the FortiAnalyzer that will be forwarding the events.
    Note: The same-subnet requirement exists because FortiAnalyzer will later be configured to spoof the original sender's address in packets sent to the collector. If FortiAnalyzer and the collector were on different subnets, RPF (reverse path forwarding) checks on intermediate network equipment would have to be disabled.

  2. It is recommended that for every 5,000 EPS (events per second) ingested, you add one collector with 8 vCPU and 8 GB RAM. If more than 5,000 EPS are forwarded from FortiAnalyzer, set up a load balancer with multiple collectors behind it, allowing UDP 514 inbound.

Configuring Log Forwarding

Take the following steps to configure log forwarding on FortiAnalyzer.

  1. Go to System Settings > Log Forwarding.

  2. Click the Create New button in the toolbar. The Create New Log Forwarding pane opens.

  3. Fill in the information as per the table below, then click OK to create the new log forwarding. The FortiAnalyzer device will start forwarding logs to the server.

    Name: FortiSIEM-Forwarding
    Status: On
    Remote Server Type: Syslog
    Compression: OFF
    Sending Frequency: Real-time
    Log Forwarding Filters: Select all desired Administrative Domains (ADOMs) / device logs you'd like to forward

  4. Go to the CLI Console and configure the CLI-only log forwarding option by running the following CLI commands.
    Notes:

    • Logs received by FortiAnalyzer, and then forwarded to FortiSIEM, have the source IP of the log packet overwritten with the IP address of the FortiAnalyzer appliance. This hides the “true” source of the log packet from FortiSIEM. To override this behavior, FortiAnalyzer can spoof the original log sender's IP address when forwarding to FortiSIEM. This allows FortiSIEM collectors to receive all the original information as if it received the logs directly from the originating device.

    • For FortiAnalyzer versions 6.0 and later, use the following CLI:
      Notes:

      Replace <id> with the actual name of the log forward created earlier.

      You can run "set server-name..." or "set server-ip...". Fortinet recommends using set server-ip "a.b.c.d", so you do not require name resolution of the Collector.

      config system log-forward
          edit <id>
              set mode forwarding
              set fwd-max-delay realtime
              set server-name "<FSM_Collector>"   
              set server-ip "a.b.c.d"
              set fwd-log-source-ip original_ip
              set fwd-server-type syslog
          next
      end
    • For FortiAnalyzer versions 5.6 to 5.9, use the following CLI:
      Note: Replace <id> with the actual name of the log forward created earlier.

      config system log-forward
        edit <id>
         set mode forwarding
         set fwd-max-delay realtime
         set server-ip "a.b.c.d"
         set fwd-log-source-ip original_ip
         set fwd-server-type syslog
       next
      end
    • For FortiAnalyzer versions earlier than 5.6, use the following CLI:
      Note: For <id>, you can choose the number for your FortiSIEM syslog entry.

      config system aggregation-client
        edit <id> 
          set fwd-log-source-ip original_ip
      end
Configuring FortiSIEM Collector to Receive Logs from FortiAnalyzer

To configure the FortiSIEM collector to receive logs from FortiAnalyzer, you need to disable the RPF check that would otherwise cause the collector virtual machine to drop the log packets, because their source address is spoofed.

    sysctl -w net.ipv4.conf.all.rp_filter=0

To make this change persistent across reboots, add the following line to the /etc/sysctl.conf file.

    net.ipv4.conf.all.rp_filter=0
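One caveat a practitioner runs into here: the kernel applies the higher of net.ipv4.conf.all.rp_filter and net.ipv4.conf.<interface>.rp_filter to each interface, so setting only the "all" key to 0 leaves a per-interface value of 1 or 2 (left by a distribution default or a hardening baseline) still dropping the spoofed-source packets. The following added example, not part of this guide, reads the live values from procfs and reports which interfaces would still drop them; the function names and the SNAPSHOT dictionary are constructed for this example.

```python
"""Check which interfaces would still drop FortiAnalyzer's spoofed-source log packets.

Added example, not part of the guide. The guide sets net.ipv4.conf.all.rp_filter=0,
but the kernel applies the higher of conf/all/rp_filter and conf/<iface>/rp_filter
to each interface, so a per-interface value of 1 (strict) or 2 (loose) left by a
distribution default or hardening baseline still drops the forwarded packets.
"""
import glob
import os

MODES = {0: "off", 1: "strict", 2: "loose"}

def effective_rp_filter(values):
    """values maps 'all', 'default' and interface names to their rp_filter setting;
    returns the effective mode per interface, i.e. max(conf.all, conf.<iface>).
    'default' only seeds newly created interfaces, so it is not an interface here."""
    all_value = values.get("all", 0)
    return {iface: max(all_value, v) for iface, v in values.items()
            if iface not in ("all", "default")}

def read_rp_filter(base="/proc/sys/net/ipv4/conf"):
    """Read the live rp_filter values from procfs (empty dict if unavailable)."""
    values = {}
    for path in glob.glob(os.path.join(base, "*", "rp_filter")):
        try:
            with open(path) as fh:
                values[os.path.basename(os.path.dirname(path))] = int(fh.read().strip())
        except (OSError, ValueError):
            continue
    return values

def blocking_interfaces(values):
    """Interfaces on which a packet with a spoofed source would still be dropped."""
    return sorted(i for i, v in effective_rp_filter(values).items() if v != 0)

# Constructed snapshot: 'all' disabled as the guide instructs, but eth0 still strict.
SNAPSHOT = {"all": 0, "default": 1, "lo": 0, "eth0": 1}

if __name__ == "__main__":
    live = read_rp_filter() or SNAPSHOT
    for iface, mode in sorted(effective_rp_filter(live).items()):
        print(f"{iface}: rp_filter={mode} ({MODES.get(mode, 'unknown')})")
    print("still dropping spoofed source:", blocking_interfaces(live) or "none")
```

If an interface is reported, set net.ipv4.conf.<interface>.rp_filter=0 for it as well (and persist it the same way) rather than relying on the "all" key alone.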

Configuring FortiGate to send Netflow via CLI

  1. Connect to the FortiGate firewall over SSH and log in.
  2. To configure your firewall to send Netflow over UDP, enter the following commands:

    config system netflow
        set collector-ip <FortiSIEM IP>
        set collector-port 2055
    end

  3. Enable Netflow on the appropriate interfaces, replacing port1 with your interface name:

    config system interface
        edit port1
            set netflow-sampler both
        end

  4. Optional - Using Netflow with VDOMs
    For VDOM environments, excluding the management VDOM, Netflow must be configured using the following CLI commands. In this example, root is the VDOM name and wan1 is the interface; change them to the required VDOM name and the interface to use.

    con global
        con sys netflow
            set collector-ip <FortiSIEM IP>
            set collector-port 2055
            set source-ip <source-ip>
        end
    end

    con vdom
        edit root
            con sys interface
                edit wan1
                    set netflow-sampler both
                end
        end

Configuring FortiGate to send Application names in Netflow via GUI

  1. Login to FortiGate.
  2. Go to Policy & Objects > IPv4 Policy.
  3. Click on the Policy IDs you wish to receive application information from.
  4. Add SSL inspection and App Control on the policy by clicking the + button in the Security Profiles column.

Example of FortiGate Syslog parsed by FortiSIEM

<185>date=2010-04-11 time=20:31:25 devname=APS3012404200944 device_id=APS3012404200944 log_id=0104032002 type=event subtype=admin
pri=alert vd=root user="root" ui=ssh(10.1.20.21) action=login status=failed reason="name_invalid"msg="Administrator root login failed from ssh(10.1.20.21) because of invalid user name"
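The line above shows the two things a parser for this feed has to handle: the syslog PRI header (185 decodes to facility local7, severity alert, matching the pri=alert field), and FortiGate's key=value body, where quoted values contain spaces and two fields can run together with no separating space (reason="name_invalid"msg=...). The following added example, not FortiSIEM's own parser, parses the line into fields and applies the kind of check a SIEM rule would make on it; the function names and the one-line SAMPLE copy are constructed for this example.

```python
"""Parse the FortiGate syslog line shown above into fields.

Added example, not FortiSIEM parser code. It decodes the syslog PRI header into
facility and severity and splits FortiGate's key=value body, including quoted values
containing spaces and two fields run together with no separating space
(reason="name_invalid"msg=...), which the sample line above exhibits.
"""
import re

SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

# key=value where value is either a "quoted string" or a run of non-space characters.
_KV = re.compile(r'([A-Za-z0-9_.\-]+)=("(?:[^"\\]|\\.)*"|[^\s"]*)')

# Constructed copy of the sample line from the guide, joined into one line.
SAMPLE = ('<185>date=2010-04-11 time=20:31:25 devname=APS3012404200944 '
          'device_id=APS3012404200944 log_id=0104032002 type=event subtype=admin '
          'pri=alert vd=root user="root" ui=ssh(10.1.20.21) action=login status=failed '
          'reason="name_invalid"msg="Administrator root login failed from ssh(10.1.20.21) '
          'because of invalid user name"')


def parse_pri(line):
    """Split '<PRI>' off the line; PRI = facility * 8 + severity (RFC 3164)."""
    m = re.match(r"<(\d{1,3})>", line)
    if not m or int(m.group(1)) > 191:
        return None, None, line
    pri = int(m.group(1))
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], line[m.end():]


def parse_fortigate(line):
    """Return a dict of all key=value fields plus the decoded syslog header."""
    facility, severity, body = parse_pri(line)
    fields = {"syslog_facility": facility, "syslog_severity": severity}
    for key, value in _KV.findall(body):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def is_failed_admin_login(fields):
    """Detection: a failed administrator login to the FortiGate itself."""
    return (fields.get("type") == "event" and fields.get("subtype") == "admin"
            and fields.get("action") == "login" and fields.get("status") == "failed")


if __name__ == "__main__":
    parsed = parse_fortigate(SAMPLE)
    for key in ("syslog_facility", "syslog_severity", "pri", "user", "ui", "reason", "msg"):
        print(f"{key}: {parsed[key]}")
    print("failed admin login:", is_failed_admin_login(parsed))
```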

Fortinet FortiGate Firewall

Fortinet FortiGate Firewall

Support Added: FortiSIEM 4.7.2

Last Modification: FortiSIEM 7.0.0

Vendor Version Tested: FortiGate 7.2.4

Vendor: Fortinet

Product Information: https://www.fortinet.com/products/next-generation-firewall

What is Discovered and Monitored

Protocol

Information Discovered

Metrics collected

Used for

Netflow Firewall traffic, application detection and application link usage metrics Security monitoring and compliance, Firewall Link Usage and Application monitoring

REST API

Host name, Model, Version, Interfaces, Serial Number, FortiAP and FortiSwitch managed by FortiGate.

Uptime, CPU, Memory and Disk utilization, Network Interface metrics, VPN metrics, Firewall Connection metrics
FortiGate Security Fabric Discovery - Adjacent firewall Host name, Model, Version, Serial Number.

Fortinet Security Fabric - Risk Rating Dashboard - Fabric root risk rating data.

FortiGate User Device Store Discovery - Discover FortiClient installed hosts passing through Firewalls.

Performance and Availability Monitoring

SNMP Host name, Hardware model, Network interfaces, Operating system version Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths).
For 5xxx series firewalls, per CPU utilization (event PH_DEV_MON_FORTINET_PROCESSOR_USGE)
Availability and Performance Monitoring
Syslog Device type All traffic and system logs Availability, Security and Compliance
SSH Running configuration Configuration Change Performance Monitoring, Security and Compliance

Overview

FortiSIEM offers multiple ways to monitor FortiGate firewalls using Syslog, REST API discovery, Netflow, SNMP, or SSH.

Notes:

If you have REST API discovery configured, and scheduled on a recurring basis - SNMP and SSH is no longer required.

REST API collects health data using performance monitor jobs, same as SNMP.

Netflow is optional - Syslog session logs will report bytes sent/recv, packets sent/recv and other details typically periodically for long running sessions, and on session close, which is usually sufficient.

Customers that require real-time traffic sampling can enable Netflow forwarding to FortiSIEM at any time; however, FortiGate performance will be affected in proportion to the traffic sampling rate, and the log volume (events per second) sent to FortiSIEM collectors will increase greatly.

REST API discovery collects a config backup on each discovery (if the configuration changed since the prior firewall discovery), so SSH is no longer needed for this operation.

REST API FortiGate Fabric Discovery features are only available if the FortiGate is a standalone fabric root firewall, or is a member of a FortiGate fabric.

Event Types

In ADMIN > Device Support > Event Types, search for "fortigate" to see the event types associated with this device.

Rules

In RESOURCES > Rules, search for "fortigate" in the main content panel Search... field to see the rules associated with this device.

Reports

In RESOURCES > Reports, search for "fortigate" in the main content panel Search... field to see the reports associated with this device.

Suggested Integration

For most use cases and integration needs, using the FortiGate API and Syslog integration will collect the necessary performance, configuration and security information.

If a FortiAnalyzer is already receiving FortiGate logs, you can alternatively forward syslog from the FortiAnalyzer to FortiSIEM. Do not forward logs from both a FortiGate and a FortiAnalyzer to FortiSIEM, as this will cause duplicate events to be received by FortiSIEM (one from the FortiGate and another from the FortiAnalyzer).

Configuration

FortiOS REST API Integration
Overview

In 7.0.0, FortiSIEM has expanded discovery support for FortiGate firewalls using API key-based discovery with the following API Discovery enhancements:

  • FortiGate software modules and their expiry data if applicable can be found under Device -> Software -> Installed Software

  • FortiGate running processes now listed under Device -> Software -> Running Applications

  • Processor core list can now be found under Device -> Hardware -> Processors

  • Physical memory utilization can now be found under Device -> Hardware -> Storage

  • FortiGate startup config backups can be found under Device -> Configuration.

  • SSH discovery is no longer required for config backups; backups are collected via the API.

  • SNMP discovery is no longer required for FortiGate performance data collection.

FortiGate Security Fabric Discovery Support

FortiSIEM now supports discovery of Fortinet Security Fabric member devices.

If a discovered firewall is a member of, or the root firewall of a security fabric, FortiSIEM can now discover the directly configured Firewall, and do a light (basic data) discovery of adjacent FortiGate firewalls in the fabric. For more information about Fortinet Security Fabric, see the following documentation: https://docs.fortinet.com/security-fabric.

The screenshot above shows that after a FortiGate root firewall in the security fabric is directly discovered, a basic discovery is automatically done of all other FortiGate firewalls in the fabric.

In addition to supporting discovery of devices attached to the Fortinet Security Fabric, there is a new concept of a deep (complete) discovery, and shallow (light) discovery of FortiGate devices.

If you configure a FortiGate firewall with an API key, and configure that FortiGate in FortiSIEM for discovery, the complete information of that device, attached switches, and access points will be imported.

FortiSIEM will also look at attached security fabric devices and do a light discovery of adjacent FortiGate firewalls only. This light discovery consists of basic information such as:

  • hostname

  • access IP (usually the management IP of the Firewall)

  • version

  • serial number

In order to get complete information about every firewall, you must configure an API key and directly discover each one within FortiSIEM.

Fortinet Security Fabric - Risk Rating Dashboard

For FortiGate firewalls that have security fabric enabled and are joined to a fabric, the root firewall appliance aggregates security risk data from all member devices for reporting display.

If you directly discover a FortiGate operating as the root firewall of the security fabric, you will also populate the Security Fabric - Security Rating report data into FortiSIEM. This will populate the dashboard found under the Dashboard Security Fabric -> Security Rating > Security Posture.

Note for Managed Security Service Providers (MSSPs): You must be in organization scope to see this dashboard.

The screenshot above shows an example of the Security Fabric security posture key details when the FortiGate root firewall in the fabric is discovered.

FortiGate User Device Store Discovery

FortiGate firewalls keep a powerful repository of detected/fingerprinted devices that have passed through the firewall, including devices running FortiClient and using the Fortinet ZTNA architecture. If you directly discover a firewall, FortiGate populates the UEBA identity and location dashboard with seen devices, enabling FortiSIEM to make use of user and device relational mapping in your organization.

Note: The identity and location (UEBA) dashboard is auto populated with the FortiGate User/Device Store data during each discovery. This is used for event enrichment when data is missing from some events.

Additionally, if the device is running FortiClient, it will be discovered as unmanaged by default. You can later select endpoints of interest to mark as managed in FortiSIEM, consuming a device license.

Discovery of FortiClient devices provides the following (found under CMDB > Devices > the device running FortiClient > Summary > Security Fabric Attributes):

  • A count of all vulnerabilities on this device (since the last vulnerability scan via FortiClient), categorized as critical, high, medium, low, and informational.

  • The serial number of the EMS server it is registered to, which certain remediation (automated response) scripts use to tag/untag hosts on the FortiEMS server.

  • Purdue Level of the device, if FortiGate has assigned one.

  • FortiEMS tags associated with the host (e.g. tag suspicious, or tag critical_host). See below for more information about FortiSIEM's use of tags for SOAR remediations.

For more information about data collected in the FortiGate Firewall User Device Store, please see the Device inventory topic in the FortiGate / FortiOS Administration Guide.

Setting Up FortiGate Firewall for REST API Communication via GUI

Setup Instructions:

Note on FortiGate REST API User permissions: If you just want to collect audit and performance data from a FortiGate, and no configuration backups, you can assign an admin profile with read only for all access controls. If however, you would like configuration backups via the REST API, certain write permissions are needed to accomplish this.

To collect config backups in addition to other data, take the following steps:

Section 1: Create Admin Profile (RBAC Role)

  1. Login to FortiGate Firewall GUI.

  2. Navigate to System > Admin Profiles, and select Create New.

    1. In the Name field, enter a name for the new profile, for example: "Read_Plus_Backup".

    2. In the Access Permissions window, for Access Control, take the following steps.

      1. Select Read for all Access Control except the following:

        • User & Device: Set control to Read/Write.

        • System > Administrator Users: Set control to Read/Write.

    3. Optionally, if the firewall is a multi-vdom firewall, ensure the Scope option is set to "Global".

      Note: Config backups per vdom are not supported at this time.

    4. Click OK.

Section 2: Create Rest API User Account and Assign Admin Profile

Now define a REST API User account, and give it this new profile. Set any preferred IP restrictions (preferably restrict the account to the collector Source IP).

  1. On the FortiGate GUI, navigate to System > Administrators > Create New > REST API Admin.
  2. On the New REST API Admin dialog, enter the following information.
    1. In the Username field, enter a user name.
    2. (Optional) In the Comments field, enter any additional information about this account.
    3. In the Administrator Profile drop-down list, select the "Read_Plus_Backup" profile.
    4. Disable PKI Group.
    5. Enable CORS Allow Origin, and input https://fndn.fortinet.net.
    6. In the Trusted Hosts field, enter a trusted host based on your source address. The Trusted Host must be specified to ensure that your local host can reach FortiGate. For example, to accept requests only from 10.20.100.99, enter "10.20.100.99/32". The Trusted Host is created from the Source Address. (From the FortiGate GUI, select the Status dashboard, navigate to <your-userid>, show active administrator sessions and copy the source address of your <your-userid>.)
    7. Click OK and an API token will be generated. Copy the API token, as it is only shown once and cannot be retrieved later. It will be needed for the credential setup in FortiSIEM.
    8. Click Close to complete the creation of the REST API Admin.
  3. Configure FortiSIEM with the new REST API credential (see Configure FortiSIEM with FortiGate REST API Credentials).

Setting up FortiGate Firewall for REST API communication via CLI

To configure via the CLI, take the following steps.

Note: It is best to restrict the user to only the source IP of the collector doing the discovery; in the example below the collector IP is 192.168.1.25. The user can then authenticate to the firewall only from this source IP.

If you experience connectivity issues, you can temporarily remove the trusted host configuration and test again.

Inbound traffic from the collector to the FortiGate administrative (HTTPS) port must be allowed on the firewall.

*If the firewall is multi-vdom, enter "config global" first.

Section 1: Create Admin Profile (RBAC Role)

Create an admin profile using the following:

config system accprofile
    edit "Read_Plus_Backup"
        set scope global
        set secfabgrp read
        set ftviewgrp read
        set authgrp read-write
        set sysgrp custom
        set netgrp read
        set loggrp read
        set fwgrp read
        set vpngrp read
        set utmgrp read
        set wanoptgrp read
        set wifi read
        config sysgrp-permission
            set admin read-write
            set upd read
            set cfg read
            set mnt read
        end
    next
end

Section 2: Create Rest API User Account and Assign Admin Profile

Now configure the user, using the following:

config system api-user
    edit "fortisiem_user"
        set accprofile "Read_Plus_Backup"
        set vdom "root"
        config trusthost
            edit 1
                set ipv4-trusthost 192.168.1.25 255.255.255.255
            next
        end
    next
end

Now finally, generate the api key.

execute api-user generate-key fortisiem_user

Note the API key in the output and store it in a password management utility. It will be placed in the FortiSIEM credential (Device Type: Fortinet FortiOS, Access Protocol: FORTIOS_REST_API).
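Before entering the key in FortiSIEM, it is worth confirming from the collector host (the one listed as the trusted host) that the key and the trusted-host restriction behave as intended, using a read-only call. The following Python script is an added example, not part of this guide or of FortiSIEM; it assumes the FortiOS monitor endpoint /api/v2/monitor/system/status, bearer-token authentication in the Authorization header, and the field names shown in the constructed sample reply (hostname, model_name, model_number, serial, version, status).

```python
import json
import ssl
import urllib.request
from typing import Any, Dict

# Assumed, not taken from this guide: the FortiOS monitor API status endpoint
# and the JSON field names used below.
STATUS_PATH = "/api/v2/monitor/system/status"

# Constructed sample reply shaped like a FortiOS monitor API response; every
# value is a placeholder, not data from a real device.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "http_method": "GET",
    "results": {"hostname": "fgt-example", "model_name": "FortiGate", "model_number": "60F"},
    "vdom": "root",
    "serial": "FGT60FEXAMPLE0001",
    "version": "v7.2.4",
    "build": 0,
    "status": "success",
}


def status_request(host: str, token: str) -> urllib.request.Request:
    """Build a read-only GET against the status endpoint.  The API key is sent
    in the Authorization header rather than in the URL, so it does not end up
    in proxy, load-balancer or web-server access logs."""
    return urllib.request.Request(
        f"https://{host}{STATUS_PATH}",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
        method="GET",
    )


def fetch_status(host: str, token: str, timeout: float = 10.0) -> Dict[str, Any]:
    """Perform the request and return the decoded JSON.  TLS verification stays
    on; if the FortiGate uses a self-signed certificate, load its CA into the
    context (ctx.load_verify_locations) instead of disabling verification."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(status_request(host, token), timeout=timeout, context=ctx) as resp:
        return json.load(resp)


def summarize_status(payload: Dict[str, Any]) -> Dict[str, str]:
    """Extract the discovery-relevant identity fields from a status reply,
    refusing anything that is not a successful response."""
    if payload.get("status") != "success":
        raise ValueError(f"FortiOS API reported status={payload.get('status')!r}")
    results = payload.get("results", {})
    model = f"{results.get('model_name', '')} {results.get('model_number', '')}".strip()
    return {
        "hostname": results.get("hostname", ""),
        "model": model,
        "serial": payload.get("serial", ""),
        "version": payload.get("version", ""),
    }


if __name__ == "__main__":
    # Offline demonstration on the constructed reply; replace with
    # fetch_status("<fortigate-ip>", "<api-key>") to query a real firewall.
    print(summarize_status(SAMPLE_RESPONSE))
```

Run it from the collector, not from an administrator workstation: a request from any address outside the trusted host entry is expected to fail, and that failure is the restriction working, not a broken key.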

Proceed to Configure FortiSIEM with FortiGate REST API Credentials.

Configure FortiSIEM with FortiGate REST API Credentials

FortiSIEM can process events from FortiGate via the FortiOS REST API. Obtain your token from FortiGate (see Setup in FortiGate) before proceeding.

Complete these steps in the FortiSIEM UI:

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials:
    1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box:

      Setting: Description
      Name: Enter a name for the credential.
      Device Type: Fortinet FortiOS
      Access Protocol: FORTIOS_REST_API
      Password config: Manual
      Token: Input the API token from the REST API User account.
      Confirm Token: Input the same API token as above for verification.
      Description: Description about the device.
  3. In Step 2: Enter IP Range to Credential Associations, click New.
    1. Enter the FortiGate IP address or IP range in the IP/Host Name field.
    2. Select the name of your credential from the Credentials drop-down list.
    3. Click Save.
  4. Click the Test drop-down list and select Test Connectivity to test the connection to FortiGate.
  5. Navigate to ADMIN > Setup > Discover > New.
  6. In the Discovery Definition window, take the following steps:
    1. In the Name field, enter a name for this device.
    2. In the Discovery Type drop-down list, select Range Scan.
    3. In the Include field, enter the FortiGate IP address.
    4. Click Save.
  7. Navigate to ADMIN > Setup > Discovery > Discover. Your devices will be added into CMDB and 3 jobs are added in Monitor Performance.


When configuration is complete, you can do the following.

To view your devices, go to CMDB > Devices.


If you discover a FortiGate firewall that has a number of FortiClient managed devices passing through it, as shown in the example screenshot here, you will discover those devices as unmanaged within the CMDB.

These FortiClient Devices in the CMDB now have additional attributes such as vulnerability counts, ZTNA tags, and purdue level assigned by the FortiGate as shown in the example screenshot below.


To see metrics for your devices, go to ADMIN > Setup > Monitor Performance.

To see received events, select ANALYTICS, then enter "PH_DEV_MON_FORTI" in the search box.

Configuring FortiGate to send Syslog to FortiSIEM

To configure FortiGate to send logs to FortiSIEM over Syslog, take the following steps either via the Web GUI or CLI.

  • Web GUI

  • CLI

With the Web GUI

  1. Log in to your firewall as an administrator.

  2. Go to Log & Report > Log Config > syslog.

  3. Enter the following for your FortiSIEM virtual appliance:

    • IP Address

    • Port Number

    • Minimum Log Level and Facility

  4. Make sure that CSV format is not selected.

With the CLI

  1. Connect to the FortiGate firewall over SSH and log in.

  2. To configure your firewall to send syslog over UDP, enter this command, replacing the IP address 192.168.53.2 with the IP address of your FortiSIEM virtual appliance.

    config log syslogd setting
        set status enable
        set server "192.168.53.2"
        set facility user
        set port 514
    end
  3. Verify the settings.

    frontend # show log syslogd setting
    config log syslogd setting
        set status enable
        set server "192.168.53.2"
        set facility user
    end

Sending Logs Over VPN

If you are sending these logs across a VPN, FortiGate will try to use the WAN interface for the source of all system traffic. You can change this by setting the source-ip option to the IP used on the FortiGate Internal/LAN interface.

SNMP Monitoring of FortiGate

SNMP performance monitoring of a FortiGate is not typically required if you use the FortiGate API for monitoring. If you use FortiSIEM to monitor interface and application usage (helpful for SD-WAN monitoring), a specific SNMP configuration is required on the FortiGate, detailed in Interface Usage Dashboard in the FortiSIEM Online Help.

Configuring SNMP v1 or v2 on FortiGate

Follow these steps to configure SNMPv1 or v2 on FortiGate. For more information on configuring the FortiGate to allow detailed interface monitoring using SNMP, see Data Source in the FortiSIEM User’s Guide.

  1. Log in to your firewall as an administrator.
  2. Go to System > Network.
  3. Select the FortiGate interface IP that FortiSIEM will use to communicate with your device, and then click Edit.
  4. For Administrative Access, make sure that SSH and SNMP are selected.
  5. Click OK.
  6. Go to System > Config > SNMP v1/v2c.
  7. Click Create New to enable the public community.

Configuring SNMP v3 on FortiGate

To configure SNMPv3 on a FortiGate Firewall and integrate it with FortiSIEM, take the following steps:

Setup for FortiGate
  1. Allow SNMP traffic on inbound interface where FortiSIEM collector will reach FortiGate firewall.

  2. Run the show command under the interface, then run "set allowaccess option1 option2 snmp", replacing the options with the preexisting values, adding snmp to the end.

    The following example has the FortiSIEM collector polling inbound on interface port 1.

    config system interface
        edit "port1"
            show
            set allowaccess <existing options> snmp
        next
    end
    config system snmp sysinfo
        set status enable
        set description "Description of device"
        set contact-info "Optional contact info"
        set location "Optional location info"
    end
  3. Replace the sha and aes passwords with your own, and for notify-hosts, enter the IP address of your FortiSIEM collector that will be polling the FortiGate unit.

    config system snmp user
    edit "fortisiem_user"
     set status enable
     set queries enable
     set security-level auth-priv
     set auth-proto sha
     set auth-pwd "yourShaPassword1"
     set priv-proto aes
     set priv-pwd "yourAesPassword1"
     set notify-hosts "192.168.1.2"
     next
    end
Setup in FortiSIEM

Complete these steps in the FortiSIEM UI:

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials, click New to create a new credential.
    1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box:

      Setting: Description
      Name: Enter a name for the credential.
      Device Type: Generic
      Access Protocol: SNMP v3
      Security Level: authPriv
      Security Name: fortisiem_user or <your SNMPv3 username here>
      Auth Protocol: SHA
      Auth Password: <your password>
      Priv Protocol: AES
      Priv Password: <your password>
      Context: You can leave this field blank.
      Description: Optional, you can explain which devices this credential is used for.
  3. In Step 2: Enter IP Range to Credential Associations, click New to create a new mapping.
    Note: If you have multiple collectors, use the collector drop-down list to select which collector will do the polling. If you have only 1 collector, no drop-down list will appear.
    1. Enter a host name, an IP, or an IP range in the IP/Host Name field. You can add multiple IPs by using a comma as a separator, for example:
      192.168.1.1,192.168.2.1,192.168.3.1
    2. Select the name of your credential from the Credentials drop-down list.
    3. Click Save.

  4. Click the Test drop-down list and select Test Connectivity without Ping to test the connection. If it fails, ensure the firewall is configured correctly, that SNMP is allowed from the collector on UDP 161, and that the correct SNMPv3 user and password is being used.
  5. Click the Discovery tab. If there is more than one collector, select from the drop-down list the collector you'd like to do the polling.
  6. In the include list, enter the same comma separated IP list as before.

  7. Optionally, you can disable ICMP alive check by selecting Options > Do not ping before discovery.

  8. Click Save.

  9. Select the new discovery, and click Discover. Wait for it to finish, or click run in background.

  10. Click the CMDB tab, and confirm that the devices are discovered via SNMP.

Configuring SSH on FortiSIEM to communicate with FortiGate

FortiSIEM Collector SSH Client, when communicating to FortiGate via SSH, may use the public key authentication method first. This may fail and create some alerts in FortiGate. To prevent this, modify the per user config file as follows:

  1. Log in to the FortiSIEM node that communicates to FortiGate via SSH, as admin.
  2. Open /opt/phoenix/bin/.ssh/config, creating the file if it does not exist.
  3. Add these two lines and save:
    PreferredAuthentications password
    PubkeyAuthentication no
  4. Ensure that the owner is admin:
    chown admin.admin /opt/phoenix/bin/.ssh/config
    chmod 600 /opt/phoenix/bin/.ssh/config
  5. Verify using the commands:
    su admin
    ssh -v <fgt host>

    Verification is successful if the following files are found:

Alternatively, modify the global ssh_config file as below. Since this is a global configuration, all programs will use this setting.

  1. Log in to a FortiSIEM node that communicates to FortiGate via SSH, as root.
  2. Open /etc/ssh/ssh_config
  3. Add these two lines:
    PreferredAuthentications password
    PubkeyAuthentication no

SSH Credentials are not normally necessary if using the FortiGate API discovery method, as the FortiGate configuration can also be monitored via the API. You may wish to use the SSH credential for some remediation actions such as “Block Source IP FortiOS 7.x via SSH” and “Block Source MAC FortiOS 7.x via SSH”. See Remediations in the FortiSIEM Online Help for more information. FortiGate remediation action “Block Source IP FortiOS 7.x via FortiOS API” can also be performed via API.

These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in FortiSIEM have the permissions necessary to execute these commands on the device.

show firewall address

show full-configuration

Configuring FortiSIEM for SNMP and SSH access to FortiGate

You can now configure FortiSIEM to communicate with your device by following the instructions in the User Guide > Section: Configuring FortiSIEM > Discovering Infrastructure > Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics under Discovering Infrastructure.

Configuring FortiAnalyzer to send logs to FortiSIEM

If you are already sending FortiGate logs to FortiAnalyzer, then you can forward those logs to FortiSIEM by configuring FortiAnalyzer as follows:

Setting Up the Syslog Server
  1. Login to FortiAnalyzer.
  2. Go to System Settings > Advanced > Syslog Server.
    1. Click the Create New button.
    2. Enter the Name. (It is recommended to use the name of the FortiSIEM server.)
    3. Fill in the IP address (or FQDN) with the IP or a fully qualified name of the FortiSIEM server.
    4. Leave the Syslog Server Port to the default value '514'.
    5. Click OK to save your entries.
Pre-Configuration for Log Forwarding

To configure FortiAnalyzer event forwarding to FortiSIEM, you must first set up the following.

  1. Install a FortiSIEM collector in the same subnet as the FortiAnalyzer that will be forwarding the events.
    Note: The same-subnet requirement exists because FortiAnalyzer will later be configured to spoof the original sender's IP in packets to the collector. RPF (reverse path forwarding) checks on network equipment would have to be disabled if FortiAnalyzer and the collector were on different subnets.

  2. It is recommended that for every 5,000 EPS (events per second) ingested, you add 1 collector with 8 vCPU and 8 GB RAM. If you have more than 5,000 EPS forwarding from FortiAnalyzer, set up a load balancer with multiple collectors behind it, allowing UDP 514 inbound.

Configuring Log Forwarding

Take the following steps to configure log forwarding on FortiAnalyzer.

  1. Go to System Settings > Log Forwarding.

  2. Click the Create New button in the toolbar. The Create New Log Forwarding pane opens.

  3. Fill in the information as per the table below, then click OK to create the new log forwarding entry. The FortiAnalyzer device will start forwarding logs to the server.

    Field Input
    Name FortiSIEM-Forwarding
    Status On
    Remote Server Type Syslog
    Compression OFF
    Sending Frequency Real-time

    Log Forwarding Filters

    Select all desired Administrative Domains (ADOMs) / device logs you’d like to forward

  4. Go to the CLI Console and configure the CLI only log forward option by running the following CLI commands.
    Notes:

    • Logs received by FortiAnalyzer, and then forwarded to FortiSIEM, have the source IP of the log packet overwritten with the IP address of the FortiAnalyzer appliance. This hides the “true” source of the log packet from FortiSIEM. To override this behavior, FortiAnalyzer can spoof the original log sender's IP address when forwarding to FortiSIEM. This allows FortiSIEM collectors to receive all the original information as if it received the logs directly from the originating device.

    • For FortiAnalyzer versions 6.0 and later, use the following CLI:
      Notes:

      Replace <id> with the actual name of the log forward created earlier.

      You can run "set server-name..." or "set server-ip...". Fortinet recommends using set server-ip "a.b.c.d", so you do not require name resolution of the Collector.

      config system log-forward
          edit <id>
              set mode forwarding
              set fwd-max-delay realtime
              set server-name "<FSM_Collector>"   
              set server-ip "a.b.c.d"
              set fwd-log-source-ip original_ip
              set fwd-server-type syslog
          next
      end
    • For FortiAnalyzer versions 5.6 to 5.9, use the following CLI:
      Note: Replace <id> with the actual name of the log forward created earlier.

      config system log-forward
        edit <id>
         set mode forwarding
         set fwd-max-delay realtime
         set server-ip "a.b.c.d"
         set fwd-log-source-ip original_ip
         set fwd-server-type syslog
       next
      end
    • For FortiAnalyzer versions earlier than 5.6, use the following CLI:
      Note: For <id>, you can choose the number for your FortiSIEM syslog entry.

      config system aggregation-client
        edit <id> 
          set fwd-log-source-ip original_ip
      end
Configuring FortiSIEM Collector to Receive Logs from FortiAnalyzer

To configure the FortiSIEM collector to receive logs from FortiAnalyzer, you will need to disable the RPF (reverse path forwarding) check that would otherwise cause the collector virtual machine to drop the log packets, since their source IP is spoofed.

    sysctl -w net.ipv4.conf.all.rp_filter=0

To make this change persistent across reboots, add the following line to the /etc/sysctl.conf file.

    net.ipv4.conf.all.rp_filter=0
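A caveat worth checking on the collector: the Linux kernel validates the source of a packet arriving on an interface with the maximum of net.ipv4.conf.all.rp_filter and net.ipv4.conf.<interface>.rp_filter, so the global setting above only takes effect on interfaces whose own key is also 0; many distributions ship a per-interface default of 1 (strict). The following Python script is an added example, not part of this guide or of FortiSIEM; it reads sysctl -a style output (a constructed sample is embedded), reports which interfaces would still drop spoofed-source packets, and derives the sysctl.conf lines needed for the ingest interface. The interface name eth0 is an assumption for the sample.

```python
import re
from typing import Dict, List

# Constructed sample of "sysctl -a" output on a collector after only
# "sysctl -w net.ipv4.conf.all.rp_filter=0" has been run: the per-interface
# keys still hold a distribution default of 1 (strict).  Not real output.
SAMPLE_SYSCTL_OUTPUT = """\
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.ip_forward = 0
"""

_RP_KEY = re.compile(r"^net\.ipv4\.conf\.([^.]+)\.rp_filter$")
MODES = {0: "off", 1: "strict", 2: "loose"}


def parse_sysctl_output(text: str) -> Dict[str, str]:
    """Turn 'key = value' lines (sysctl -a style) into a dict."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, val = line.partition("=")
        values[key.strip()] = val.strip()
    return values


def effective_rp_filter(sysctl: Dict[str, str], iface: str) -> int:
    """The kernel checks the source of a packet arriving on iface with
    max(conf.all.rp_filter, conf.<iface>.rp_filter); 'all' = 0 alone does not
    switch the check off while the interface key is still 1 or 2."""
    all_val = int(sysctl.get("net.ipv4.conf.all.rp_filter", "0"))
    if_val = int(sysctl[f"net.ipv4.conf.{iface}.rp_filter"])
    return max(all_val, if_val)


def interfaces_still_filtering(sysctl: Dict[str, str]) -> Dict[str, str]:
    """Map each real interface whose effective mode is not 'off' to that mode.
    Log packets forwarded with fwd-log-source-ip original_ip that arrive on
    such an interface can still be dropped by source validation."""
    still: Dict[str, str] = {}
    for key in sysctl:
        m = _RP_KEY.match(key)
        if not m or m.group(1) in ("all", "default"):
            continue
        iface = m.group(1)
        mode = effective_rp_filter(sysctl, iface)
        if mode != 0:
            still[iface] = MODES.get(mode, str(mode))
    return still


def sysctl_conf_lines(sysctl: Dict[str, str], ingest_iface: str) -> List[str]:
    """Lines to persist in /etc/sysctl.conf so the ingest interface passes
    spoofed-source packets: the guide's global line, plus the per-interface
    key whenever it would otherwise win the max()."""
    lines = ["net.ipv4.conf.all.rp_filter=0"]
    if effective_rp_filter(sysctl, ingest_iface) != 0:
        lines.append(f"net.ipv4.conf.{ingest_iface}.rp_filter=0")
    return lines


if __name__ == "__main__":
    # On a real collector: parse_sysctl_output(subprocess.check_output(["sysctl", "-a"], text=True))
    values = parse_sysctl_output(SAMPLE_SYSCTL_OUTPUT)
    print("still filtering:", interfaces_still_filtering(values))
    print("\n".join(sysctl_conf_lines(values, "eth0")))
```

Only the interface that receives FortiAnalyzer traffic needs the check relaxed; leaving strict mode on the other interfaces keeps the collector's own anti-spoofing protection where it is not in the way.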

Configuring FortiGate to send Netflow via CLI

  1. Connect to the FortiGate firewall over SSH and log in.
  2. To configure your firewall to send Netflow over UDP, enter the following commands:

    config system netflow
        set collector-ip <FortiSIEM IP>
        set collector-port 2055
    end

  3. Enable Netflow on the appropriate interfaces, replacing port1 with your interface name:

    config system interface
        edit port1
            set netflow-sampler both
        next
    end

  4. Optional - Using Netflow with VDOMs
    For VDOM environments, excluding the management VDOM, Netflow must be configured using the following CLI commands:

    config global
        config system netflow
            set collector-ip <FortiSIEM IP>
            set collector-port 2055
            set source-ip <source-ip>
        end
    end

    config vdom
        edit root
            config system interface
                edit wan1
                    set netflow-sampler both
                next
            end
        next
    end

    In the example above, root is an example VDOM name (change it to the required VDOM name) and wan1 is an example interface (change it to the interface to use).

Configuring FortiGate to send Application names in Netflow via GUI

  1. Login to FortiGate.
  2. Go to Policy & Objects > IPv4 Policy.
  3. Click on the Policy IDs you wish to receive application information from.
  4. Add SSL inspection and App Control on the policy by clicking the + button in the Security Profiles column.

Example of FortiGate Syslog parsed by FortiSIEM

<185>date=2010-04-11 time=20:31:25 devname=APS3012404200944 device_id=APS3012404200944 log_id=0104032002 type=event subtype=admin
pri=alert vd=root user="root" ui=ssh(10.1.20.21) action=login status=failed reason="name_invalid"msg="Administrator root login failed from ssh(10.1.20.21) because of invalid user name"
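The record above is the FortiOS key=value format that FortiSIEM's parser turns into event attributes: a syslog <PRI> prefix, then key=value pairs in which values are either bare tokens or double-quoted strings, and, as this sample shows at reason="name_invalid"msg=..., a quoted value is not always followed by a space. The following Python parser is an added example, not FortiSIEM's own parser or Fortinet code; it uses the sample event from this page (the two wrapped lines joined into one record) and classifies the result as a failed administrator login.

```python
import re
from typing import Dict, Tuple

# The page's sample event, wrapped lines joined into one record.
SAMPLE_EVENT = (
    '<185>date=2010-04-11 time=20:31:25 devname=APS3012404200944 '
    'device_id=APS3012404200944 log_id=0104032002 type=event subtype=admin '
    'pri=alert vd=root user="root" ui=ssh(10.1.20.21) action=login status=failed '
    'reason="name_invalid"msg="Administrator root login failed from ssh(10.1.20.21) '
    'because of invalid user name"'
)

SEVERITY_NAMES = ["emergency", "alert", "critical", "error", "warning", "notice", "info", "debug"]

# key=value where value is a double-quoted string (spaces and backslash escapes
# allowed) or a run of non-space characters.  Pairs are found by scanning, not
# by splitting on whitespace, because a quoted value may be followed directly
# by the next key, as in reason="name_invalid"msg="..." above.
_PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s"]+)')
_PRI_RE = re.compile(r"^<(\d{1,3})>")


def split_priority(line: str) -> Tuple[int, int, str]:
    """Return (facility, severity, remainder) from a <PRI> prefix; PRI encodes
    facility * 8 + severity.  Lines without a PRI get facility/severity -1."""
    m = _PRI_RE.match(line)
    if not m:
        return -1, -1, line
    pri = int(m.group(1))
    return pri >> 3, pri & 7, line[m.end():]


def parse_fortigate_event(line: str) -> Dict[str, str]:
    """Parse one FortiOS syslog record into a flat dict of string fields.
    Quoted values are unquoted and \\" escapes resolved; the syslog facility
    and severity are added under underscore-prefixed keys."""
    facility, severity, body = split_priority(line)
    fields: Dict[str, str] = {}
    for key, raw in _PAIR_RE.findall(body):
        if raw.startswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    if severity >= 0:
        fields["_syslog_facility"] = str(facility)
        fields["_syslog_severity"] = SEVERITY_NAMES[severity]
    return fields


def is_failed_admin_login(fields: Dict[str, str]) -> bool:
    """True for an administrative login that FortiOS reports as failed; the
    source of the attempt is carried in the ui field, e.g. ssh(10.1.20.21)."""
    return (
        fields.get("type") == "event"
        and fields.get("subtype") == "admin"
        and fields.get("action") == "login"
        and fields.get("status") == "failed"
    )


if __name__ == "__main__":
    parsed = parse_fortigate_event(SAMPLE_EVENT)
    for k, v in parsed.items():
        print(f"{k}={v}")
    print("failed admin login:", is_failed_admin_login(parsed))
```

Two details are worth noting when comparing against the raw record: the <185> prefix decodes to facility 23 (local7) and severity 1 (alert), which agrees with the pri=alert field FortiOS writes into the body, and the msg value survives intact even though the space before msg= is missing.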