Fortinet FortiGate Firewall
Support Added: FortiSIEM 4.7.2
Last Modification: FortiSIEM 7.0.0
Vendor Version Tested: FortiGate 7.2.4
Vendor: Fortinet
Product Information: https://www.fortinet.com/products/next-generation-firewall
- What is Discovered and Monitored
- Overview
- Event Types
- Rules
- Reports
- Suggested Integration
- Configuring FortiGate to send Syslog to FortiSIEM
- Configuring SNMP v1 or v2 on FortiGate
- Configuring SNMP v3 on FortiGate
- Configuring SSH on FortiSIEM to communicate with FortiGate
- Configuring FortiSIEM for SNMP and SSH to FortiGate
- Configuring FortiAnalyzer to send logs to FortiSIEM
- Configuring FortiGate to send Netflow via CLI
- Configuring FortiGate to send Application names in Netflow via GUI
- Example of FortiGate Syslog parsed by FortiSIEM
What is Discovered and Monitored
| Protocol | Information Discovered | Metrics Collected | Used For |
|---|---|---|---|
| Netflow | | Firewall traffic, application detection and application link usage metrics | Security monitoring and compliance, firewall link usage and application monitoring |
| REST API | Host name, model, version, interfaces, serial number, FortiAP and FortiSwitch units managed by the FortiGate | Uptime, CPU, memory and disk utilization, network interface metrics, VPN metrics, firewall connection metrics; Fortinet Security Fabric - Risk Rating Dashboard (fabric root risk rating data); FortiGate User Device Store Discovery (discovers FortiClient-installed hosts passing through the firewall) | Performance and Availability Monitoring |
| SNMP | Host name, hardware model, network interfaces, operating system version | Uptime, CPU and memory utilization, network interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths). For 5xxx series firewalls, per-CPU utilization (event PH_DEV_MON_FORTINET_PROCESSOR_USGE) | Availability and Performance Monitoring |
| Syslog | Device type | All traffic and system logs | Availability, Security and Compliance |
| SSH | Running configuration | Configuration change | Performance Monitoring, Security and Compliance |
Overview
FortiSIEM offers multiple ways to monitor FortiGate firewalls using Syslog, REST API discovery, Netflow, SNMP, or SSH.
The following sections will walk you through configuring each as desired. In FortiSIEM 7.1.0 and greater, the recommended
monitoring configuration is Syslog + REST API monitoring for most customer use cases.
Notes:
- If REST API discovery is configured and scheduled on a recurring basis, SNMP and SSH are no longer required. REST API collects health data using performance monitor jobs, the same as SNMP.
- Netflow is optional. Syslog session logs report bytes sent/received, packets sent/received and other details, typically periodically for long-running sessions and on session close, which is usually sufficient.
- Customers that require real-time traffic sampling can enable Netflow forwarding to FortiSIEM; however, FortiGate performance will be affected depending on the traffic sampling rate, and the log volume (events per second) sent to FortiSIEM collectors will greatly increase.
- REST API collects config backups on discovery (if the config changed since the prior firewall discovery); SSH is no longer needed for this operation.
- REST API FortiGate Fabric Discovery features are only available if the FortiGate is a standalone fabric root firewall or is a member of a FortiGate fabric.
Event Types
In ADMIN > Device Support > Event Types, search for "fortigate" to see the event types associated with this device.
Rules
In RESOURCES > Rules, search for "fortigate" in the main content panel Search... field to see the rules associated with this device.
Reports
In RESOURCES > Reports, search for "fortigate" in the main content panel Search... field to see the reports associated with this device.
Suggested Integration
For most use cases and integration needs, using the FortiGate API and Syslog integration will collect the necessary performance, configuration and security information.
If a FortiAnalyzer is receiving FortiGate logs, you can alternatively forward syslog from the FortiAnalyzer to FortiSIEM. Do not forward logs from both a FortiGate and a FortiAnalyzer to FortiSIEM, as this will cause duplicate events to be received by FortiSIEM (one from the FortiGate and another from the FortiAnalyzer).
Configuration FortiOS REST API Integration
- Setting Up FortiGate Firewall for REST API Communication via GUI
- Setting Up FortiGate Firewall for REST API Communication via CLI
Overview
In 7.0.0, FortiSIEM expanded discovery support for FortiGate firewalls using API key-based discovery, with the following API discovery enhancements:
- FortiGate software modules and their expiry dates, if applicable, can be found under Device -> Software -> Installed Software.
- FortiGate running processes are now listed under Device -> Software -> Running Applications.
- The processor core list can now be found under Device -> Hardware -> Processors.
- Physical memory utilization can now be found under Device -> Hardware -> Storage.
- FortiGate startup config backups can be found under Device -> Configuration.
- SSH discovery is no longer required for config backups; backups are collected via the API.
- SNMP discovery is no longer required for FortiGate performance data collection.
FortiGate Security Fabric Discovery Support
FortiSIEM now supports discovery of Fortinet Security Fabric member devices.
If a discovered firewall is a member of, or the root firewall of a security fabric, FortiSIEM can now discover the directly configured Firewall, and do a light (basic data) discovery of adjacent FortiGate firewalls in the fabric. For more information about Fortinet Security Fabric, see the following documentation: https://docs.fortinet.com/security-fabric.
The screenshot shows an example in which, after a FortiGate root firewall in the security fabric is directly discovered, a basic discovery of all other FortiGate firewalls in the fabric is done automatically.
In addition to supporting discovery of devices attached to the Fortinet Security Fabric, there is a new concept of a deep (complete) discovery, and shallow (light) discovery of FortiGate devices.
If you configure a FortiGate firewall with an API key, and configure that FortiGate in FortiSIEM for discovery, the complete information of that device, attached switches, and access points will be imported.
FortiSIEM will also look at attached security fabric devices, and do a light discovery of adjacent FortiGate firewalls only. This is considered a "light" discovery. It consists of basic information such as:
- hostname
- access IP (usually the management IP of the firewall)
- version
- serial number
In order to get complete information about every firewall, you must configure an API key and directly discover each one within FortiSIEM.
Fortinet Security Fabric - Risk Rating Dashboard
For FortiGate firewalls that have the security fabric enabled and are joined to a fabric, the root firewall appliance aggregates security risk data from all member devices for reporting.
If you directly discover a FortiGate operating as the root firewall of the security fabric, you will also populate the Security Fabric - Security Rating report data in FortiSIEM. This populates the dashboard found under Dashboard > Security Fabric > Security Rating > Security Posture.
Note for Managed Security Service Providers (MSSPs): You must be in organization scope to see this dashboard.
The screenshot shows an example of the key Security Fabric security posture details when the FortiGate root firewall in the fabric is discovered.
FortiGate User Device Store Discovery
FortiGate firewalls have a powerful repository of detected/fingerprinted devices that have passed through the firewall, including devices running FortiClient and using the Fortinet ZTNA architecture. If you directly discover a firewall, FortiGate will populate the UEBA identity and location dashboard with seen devices, enabling FortiSIEM to make use of user and device relational mapping in your organization.
Note: The identity and location (UEBA) dashboard is auto populated with the FortiGate User/Device Store data during each discovery. This is used for event enrichment when data is missing from some events.
Additionally, if the device is running FortiClient, it will be discovered as unmanaged by default. You can later select endpoints of interest to mark as managed in FortiSIEM, consuming a device license.
Discovery of FortiClient devices provides the following (found under CMDB > Devices > the given device running FortiClient > Summary > Security Fabric Attributes):
- A count of all vulnerabilities on this device (since the last vulnerability scan via FortiClient), categorized as critical, high, medium, low, and informational.
- Stored data about which EMS serial number it is registered to, used by certain remediation (automated response) scripts to tag/untag hosts on the FortiEMS server.
- The Purdue level of the device, if the FortiGate has assigned one.
- FortiEMS tags associated with the host (e.g. tag suspicious, or tag critical_host). See more information below about FortiSIEM's use of tags for SOAR remediations.
For more information about data collected in the FortiGate Firewall User Device Store, please see the Device inventory topic in the FortiGate / FortiOS Administration Guide.
Setting Up FortiGate Firewall for REST API Communication via GUI
Setup Instructions:
Note on FortiGate REST API User permissions: If you just want to collect audit and performance data from a FortiGate, and no configuration backups, you can assign an admin profile with read only for all access controls. If however, you would like configuration backups via the REST API, certain write permissions are needed to accomplish this.
To collect config backups in addition to other data, take the following steps:
Section 1: Create Admin Profile (RBAC Role)
- Log in to the FortiGate firewall GUI.
- Navigate to System > Admin Profiles, and select Create New.
- In the Name field, enter the name of the new profile, for example "Read_Plus_Backup".
- In the Access Permissions window, for Access Control, take the following steps:
  - Select Read for all Access Control entries except the following:
    - User & Device: Set control to Read/Write.
    - System > Administrator Users: Set control to Read/Write.
- Optionally, if the firewall is a multi-VDOM firewall, ensure the Scope option is set to "Global". Note: Config backups per VDOM are not supported at this time.
- Click OK.
Section 2: Create Rest API User Account and Assign Admin Profile
Now define a REST API User account, and give it this new profile. Set any preferred IP restrictions (preferably restrict the account to the collector Source IP).
- On the FortiGate GUI, navigate to System > Administrators > Create New > REST API Admin.
- On the New REST API Admin dialog, enter the following information:
  - In the Username field, enter a user name.
  - (Optional) In the Comments field, enter any additional information about this account.
  - In the Administrator Profile drop-down list, select the "Read_Plus_Backup" profile.
  - Disable PKI Group.
  - Enable CORS Allow Origin, and input https://fndn.fortinet.net.
  - In the Trusted Hosts field, enter a trusted host based on your source address. The Trusted Host must be specified to ensure that your local host can reach the FortiGate. For example, to restrict requests to those coming only from 10.20.100.99, enter "10.20.100.99/32". The Trusted Host is created from the Source Address (from the FortiGate GUI, select the Status dashboard, navigate to <your-userid>, show active administrator sessions, and copy the source address of <your-userid>).
- Click OK and an API token will be generated. Copy the API token, as it is only shown once and cannot be retrieved. It will be needed for the Setup in FortiSIEM configuration.
- Click Close to complete the creation of the REST API Admin.
- Configure FortiSIEM with the new REST API credential (see Configure FortiSIEM with FortiGate REST API Credentials).
Setting up FortiGate Firewall for REST API communication via CLI
To configure via the CLI, take the following steps.
Note: It is best to restrict the user to only the source IP of the collector doing the discovery; in the example below the collector IP is 192.168.1.25. This allows the user to authenticate to the firewall only from this source IP.
If you experience connectivity issues, you can temporarily remove the trusted host configuration and test again.
Traffic from the collector to the FortiGate administrative port must be allowed inbound on the firewall.
If the firewall is multi-VDOM, enter "config global" first.
Section 1: Create Admin Profile (RBAC Role)
Create an admin profile using the following:
config system accprofile
    edit "Read_Plus_Backup"
        set scope global
        set secfabgrp read
        set ftviewgrp read
        set authgrp read-write
        set sysgrp custom
        set netgrp read
        set loggrp read
        set fwgrp read
        set vpngrp read
        set utmgrp read
        set wanoptgrp read
        set wifi read
        config sysgrp-permission
            set admin read-write
            set upd read
            set cfg read
            set mnt read
        end
    next
end
Section 2: Create Rest API User Account and Assign Admin Profile
Now configure the user, using the following:
config system api-user
    edit "fortisiem_user"
        set accprofile "Read_Plus_Backup"
        set vdom "root"
        config trusthost
            edit 1
                set ipv4-trusthost 192.168.1.25 255.255.255.255
            next
        end
    next
end
Now finally, generate the api key.
execute api-user generate-key fortisiem_user
Note the API key in the output and store it in a password management utility. It will be entered in the FortiSIEM credential (Device Type: Fortinet FortiOS, Access Protocol: FORTIOS_REST_API).
Proceed to Configure FortiSIEM with FortiGate REST API Credentials.
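Before entering the key in FortiSIEM, it is useful to confirm from the collector host that the key and the trusted-host restriction behave as intended. The following is an added example, not FortiSIEM or Fortinet code. It assumes the FortiOS REST API conventions of a Bearer token in the Authorization header and the /api/v2/monitor/system/status endpoint returning serial and version at the top level of its JSON reply; the host name, key and CA bundle path are placeholders. trusthost_allows() mirrors the api-user trusthost entries from the CLI section above (either "ip mask" or CIDR form) so you can check the collector's source address is covered before testing over the network.

```python
"""Pre-flight check of a FortiGate REST API key from the collector host.

Added example, not FortiSIEM or Fortinet code. Endpoint path, header form and
reply layout are assumptions about the FortiOS REST API; host, key and CA
bundle values are placeholders.
"""
import json
import ssl
import urllib.request
from ipaddress import ip_address, ip_network

STATUS_PATH = "/api/v2/monitor/system/status"   # assumption: FortiOS monitor endpoint


def trusthost_allows(collector_ip, trusthosts):
    """True if collector_ip falls inside any configured trusthost entry.

    Entries may be "192.168.1.25 255.255.255.255" (FortiOS CLI form) or
    "10.20.100.99/32" (GUI form). A collector outside every entry will be
    refused by the firewall even with a valid key."""
    for entry in trusthosts:
        net = ip_network(entry.replace(" ", "/"), strict=False)
        if ip_address(collector_ip) in net:
            return True
    return False


def build_status_request(host, api_key, vdom="root"):
    """HTTPS request for the status endpoint, authenticated with the API key."""
    url = f"https://{host}{STATUS_PATH}?vdom={vdom}"
    headers = {"Authorization": f"Bearer {api_key}", "Accept": "application/json"}
    return urllib.request.Request(url, headers=headers, method="GET")


def summarize_status(body):
    """Pick the identity fields a discovery would record from a status reply."""
    results = body.get("results", {})
    return {
        "hostname": results.get("hostname"),
        "serial": body.get("serial"),
        "version": body.get("version"),
        "status": body.get("status"),
    }


def check_api_key(host, api_key, ca_bundle=None, timeout=10):
    """Call the FortiGate and return the summarized identity fields.

    ca_bundle should point at the CA that signed the FortiGate's certificate;
    the default context verifies both the certificate and the host name."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = build_status_request(host, api_key)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return summarize_status(json.load(resp))


if __name__ == "__main__":
    # Constructed values: replace with the real FortiGate address, the key from
    # "execute api-user generate-key" and the path to your CA bundle.
    print(trusthost_allows("192.168.1.25", ["192.168.1.25 255.255.255.255"]))
    print(check_api_key("fortigate.example.invalid", "API_KEY_PLACEHOLDER",
                        ca_bundle="/path/to/ca.pem"))
```

A successful reply should show the hostname, serial and version you expect for that firewall; an HTTP error with a key you just generated usually means the collector's source address is not covered by the trusthost entries, which is what trusthost_allows() lets you rule out first. Supplying the CA bundle keeps certificate verification on rather than disabling it for a factory-signed FortiGate certificate.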
Configure FortiSIEM with FortiGate REST API Credentials
FortiSIEM can process events from FortiGate via the FortiOS REST API. Obtain your token from FortiGate (see Setup in FortiGate) before proceeding.
Complete these steps in the FortiSIEM UI:
- Go to the ADMIN > Setup > Credentials tab.
- In Step 1: Enter Credentials:
- Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
- Enter these settings in the Access Method Definition dialog box:
| Settings | Description |
|---|---|
| Name | Enter a name for the credential. |
| Device Type | Fortinet FortiOS |
| Access Protocol | FORTIOS_REST_API |
| Password config | Manual |
| Token | Input the API token from the REST API User account. |
| Confirm Token | Input the same API token as above for verification. |
| Description | Description about the device. |
- In Step 2: Enter IP Range to Credential Associations, click New.
- Enter the FortiGate IP address or IP range in the IP/Host Name field.
- Select the name of your credential from the Credentials drop-down list.
- Click Save.
- Click the Test drop-down list and select Test Connectivity to test the connection to FortiGate.
- Navigate to ADMIN > Setup > Discover > New.
- In the Discovery Definition window, take the following steps:
- In the Name field, enter a name for this device.
- In the Discovery Type drop-down list, select Range Scan.
- In the Include field, enter the FortiGate IP address.
- Click Save.
- Navigate to ADMIN > Setup > Discovery > Discover. Your devices will be added into CMDB and 3 jobs are added in Monitor Performance.
When configuration is complete, you can do the following.
To view your devices, go to CMDB > Devices.
If you discover a FortiGate firewall that has a number of FortiClient-managed devices passing through it, those devices are discovered as unmanaged within the CMDB, as shown in the example screenshot.
These FortiClient devices in the CMDB now have additional attributes such as vulnerability counts, ZTNA tags, and the Purdue level assigned by the FortiGate, as shown in the example screenshot.
To see metrics for your devices, go to ADMIN > Setup > Monitor Performance.
To see received events, select ANALYTICS, then enter "PH_DEV_MON_FORTI" in the search box.
Configuring FortiGate to send Syslog to FortiSIEM
To configure FortiGate to send logs to FortiSIEM over Syslog, take the following steps either via the Web GUI or CLI.
With the Web GUI
- Log in to your firewall as an administrator.
- Go to Log & Report > Log Config > Syslog.
- Enter the following for your FortiSIEM virtual appliance:
  - IP Address
  - Port Number
  - Minimum Log Level and Facility
- Make sure that CSV format is not selected.
With the CLI
- Connect to the FortiGate firewall over SSH and log in.
- To configure your firewall to send syslog over UDP, enter these commands, replacing the IP address 192.168.53.2 with the IP address of your FortiSIEM virtual appliance:
config log syslogd setting
    set status enable
    set server "192.168.53.2"
    set facility user
    set port 514
end
- Verify the settings:
frontend # show log syslogd setting
config log syslogd setting
    set status enable
    set server "192.168.53.2"
    set facility user
end
Sending Logs Over VPN
If you are sending these logs across a VPN, FortiGate will try to use the WAN interface for the source of all system traffic. You can change this by setting the source-ip option to the IP used on the FortiGate Internal/LAN interface.
SNMP Monitoring of FortiGate
SNMP performance monitoring of a FortiGate is not typically required if the FortiGate API is used for monitoring. If FortiSIEM is used to monitor interface and application usage, which is helpful for SD-WAN monitoring, a specific SNMP configuration is required on the FortiGate, detailed in Interface Usage Dashboard in the FortiSIEM Online Help.
Configuring SNMP v1 or v2 on FortiGate
Follow these steps to configure SNMPv1 or v2 on FortiGate. For more information on configuring the FortiGate to allow detailed interface monitoring using SNMP, see Data Source in the FortiSIEM User’s Guide.
- Log in to your firewall as an administrator.
- Go to System > Network.
- Select the FortiGate interface IP that FortiSIEM will use to communicate with your device, and then click Edit.
- For Administrative Access, make sure that SSH and SNMP are selected.
- Click OK.
- Go to System > Config > SNMP v1/v2c.
- Click Create New to enable the public community.
Configuring SNMP v3 on FortiGate
To configure SNMPv3 on a FortiGate Firewall and integrate it with FortiSIEM, take the following steps:
Setup for FortiGate
- Allow SNMP traffic on the inbound interface where the FortiSIEM collector will reach the FortiGate firewall.
- Run the show command under the interface, then run "set allowaccess option1 option2 snmp", replacing the options with the pre-existing values and adding snmp to the end. The following example has the FortiSIEM collector polling inbound on interface port1.
config system interface
    edit "port1"
        show
        set allowaccess snmp
end
config system snmp sysinfo
    set status enable
    set description "Description of device"
    set contact-info "Optional contact info"
    set location "Optional location info"
end
- Replace the sha and aes passwords with your own, and for notify-hosts, enter the IP address of the FortiSIEM collector that will be polling the FortiGate unit.
config system snmp user
edit "fortisiem_user"
set status enable
set queries enable
set security-level auth-priv
set auth-proto sha
set auth-pwd "yourShaPassword1"
set priv-proto aes
set priv-pwd "yourAesPassword1"
set notify-hosts "192.168.1.2"
next
end
Setup in FortiSIEM
Complete these steps in the FortiSIEM UI:
- Go to the ADMIN > Setup > Credentials tab.
- In Step 1: Enter Credentials, click New to create a new credential.
- Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
- Enter these settings in the Access Method Definition dialog box:
| Settings | Description |
|---|---|
| Name | Enter a name for the credential. |
| Device Type | Generic |
| Access Protocol | SNMP v3 |
| Security Level | authPriv |
| Security Name | fortisiem_user or <your SNMPv3 username here> |
| Auth Protocol | SHA |
| Auth Password | <your password> |
| Priv Protocol | AES |
| Priv Password | <your password> |
| Context | You can leave this field blank. |
| Description | Optional; you can explain which devices this credential is used for. |
- In Step 2: Enter IP Range to Credential Associations, click New to create a new mapping.
  Note: If there are multiple collectors, use the collector drop-down list to select which collector will do the polling. If you have only one collector, no drop-down list appears.
- Enter a host name, an IP, or an IP range in the IP/Host Name field. You can add multiple IPs by using a comma as a separator, for example: 192.168.1.1,192.168.2.1,192.168.3.1
- Select the name of your credential from the Credentials drop-down list.
- Click Save.
- Click the Test drop-down list and select Test Connectivity without Ping to test the connection. If it fails, ensure the firewall is configured correctly, that SNMP is allowed from the collector on UDP 161, and that the correct SNMPv3 user and password are being used.
- Click the Discovery tab. If there is more than one collector, select from the drop-down list the collector you'd like to do the polling.
- In the Include list, enter the same comma-separated IP list as before.
- Optionally, disable the ICMP alive check by selecting Options > Do not ping before discovery.
- Click Save.
- Select the new discovery, and click Discover. Wait for it to finish, or click Run in Background.
- Click the CMDB tab, and confirm that the devices are discovered via SNMP.
Configuring SSH on FortiSIEM to communicate with FortiGate
FortiSIEM Collector SSH Client, when communicating to FortiGate via SSH, may use the public key authentication method first. This may fail and create some alerts in FortiGate. To prevent this, modify the per user config file as follows:
Alternatively, modify the
SSH Credentials are not normally necessary if using the FortiGate API discovery method, as the FortiGate configuration can also be monitored via the API. You may wish to use the SSH credential for some remediation actions such as “Block Source IP FortiOS 7.x via SSH” and “Block Source MAC FortiOS 7.x via SSH”. See Remediations in the FortiSIEM Online Help for more information. FortiGate remediation action “Block Source IP FortiOS 7.x via FortiOS API” can also be performed via API.
These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in FortiSIEM have the permissions necessary to execute these commands on the device.
show firewall address
show full-configuration
Configuring FortiSIEM for SNMP and SSH access to FortiGate
You can now configure FortiSIEM to communicate with your device by following the instructions in the User Guide > Section: Configuring FortiSIEM > Discovering Infrastructure > Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics under Discovering Infrastructure.
Configuring FortiAnalyzer to send logs to FortiSIEM
If you are already sending FortiGate logs to FortiAnalyzer, then you can forward those logs to FortiSIEM by configuring FortiAnalyzer as follows:
Setting Up the Syslog Server
- Login to FortiAnalyzer.
- Go to System Settings > Advanced > Syslog Server.
- Click the Create New button.
- Enter the Name. (It is recommended to use the name of the FortiSIEM server.)
- Fill in the IP address (or FQDN) with the IP or a fully qualified name of the FortiSIEM server.
- Leave the Syslog Server Port to the default value '514'.
- Click OK to save your entries.
Pre-Configuration for Log Forwarding
To configure FortiAnalyzer event forwarding to FortiSIEM, you must first set up the following.
- Install a FortiSIEM collector in the same subnet as the FortiAnalyzer that will be forwarding the events. Note: The same-subnet requirement exists because FortiAnalyzer will later be configured to spoof packets to the collector; RPF (reverse path forwarding) checks on network equipment would have to be disabled if FortiAnalyzer and the collector were on different subnets.
- It is recommended that for every 5,000 EPS (events per second) ingested, you add one collector with 8 vCPU and 8 GB RAM. If you have more than 5,000 EPS forwarding from FortiAnalyzer, set up a load balancer with multiple collectors behind it, allowing UDP 514 inbound.
Configuring Log Forwarding
Take the following steps to configure log forwarding on FortiAnalyzer.
- Go to System Settings > Log Forwarding.
- Click the Create New button in the toolbar. The Create New Log Forwarding pane opens.
- Fill in the information as per the table below, then click OK to create the new log forwarding. The FortiAnalyzer device will start forwarding logs to the server.
| Field | Input |
|---|---|
| Name | FortiSIEM-Forwarding |
| Status | On |
| Remote Server Type | Syslog |
| Compression | OFF |
| Sending Frequency | Real-time |
| Log Forwarding Filters | Select all desired Administrative Domains (ADOMs) / device logs you'd like to forward |
- Go to the CLI Console and configure the CLI-only log forward option by running the following CLI commands.
Notes:
- Logs received by FortiAnalyzer and then forwarded to FortiSIEM have the source IP of the log packet overwritten with the IP address of the FortiAnalyzer appliance. This hides the "true" source of the log packet from FortiSIEM. To override this behavior, FortiAnalyzer can spoof the original log sender's IP address when forwarding to FortiSIEM. This allows FortiSIEM collectors to receive all the original information as if they had received the logs directly from the originating device.
- For FortiAnalyzer versions 6.0 and later, use the following CLI. Replace <id> with the actual name of the log forward created earlier. You can run "set server-name ..." or "set server-ip ...". Fortinet recommends using set server-ip "a.b.c.d", so you do not require name resolution of the collector.
config system log-forward
    edit <id>
        set mode forwarding
        set fwd-max-delay realtime
        set server-name "<FSM_Collector>"
        set server-ip "a.b.c.d"
        set fwd-log-source-ip original_ip
        set fwd-server-type syslog
    next
end
- For FortiAnalyzer versions 5.6 to 5.9, use the following CLI. Note: Replace <id> with the actual name of the log forward created earlier.
config system log-forward
    edit <id>
        set mode forwarding
        set fwd-max-delay realtime
        set server-ip "a.b.c.d"
        set fwd-log-source-ip original_ip
        set fwd-server-type syslog
    next
end
- For FortiAnalyzer versions earlier than 5.6, use the following CLI. Note: For <id>, you can choose the number for your FortiSIEM syslog entry.
config system aggregation-client
    edit <id>
        set fwd-log-source-ip original_ip
    end
Configuring FortiSIEM Collector to Receive Logs from FortiAnalyzer
To configure the FortiSIEM collector to receive logs from FortiAnalyzer, you will need to disable the RPF checks that would otherwise cause the collector virtual machine to drop the spoofed log packets:
sysctl -w net.ipv4.conf.all.rp_filter=0
To make this change persistent across reboots, add the following line to the /etc/sysctl.conf file:
net.ipv4.conf.all.rp_filter=0
Configuring FortiGate to send Netflow via CLI
- Connect to the Fortigate firewall over SSH and log in.
- To configure your firewall to send Netflow over UDP, enter the following commands:
config system netflow
set collector-ip <FortiSIEM IP>
set collector-port 2055
end
- Enable Netflow on the appropriate interfaces, replacing port1 with your interface name:
config system interface
edit port1
set netflow-sampler both
end
- Optional - Using Netflow with VDOMs
For VDOM environments, excluding the management VDOM, Netflow must be configured using the following CLI commands. In this example, root is the VDOM name and wan1 is the interface; change them to the required VDOM and the interface to use.
config global
    config system netflow
        set collector-ip <FortiSIEM IP>
        set collector-port 2055
        set source-ip <source-ip>
    end
end
config vdom
    edit root
        config system interface
            edit wan1
                set netflow-sampler both
            next
        end
    next
end
Configuring FortiGate to send Application names in Netflow via GUI
- Login to FortiGate.
- Go to Policy & Objects > IPv4 Policy.
- Click on the Policy IDs you wish to receive application information from.
- Add SSL inspection and App Control on the policy by clicking the + button in the Security Profiles column.
Example of FortiGate Syslog parsed by FortiSIEM
<185>date=2010-04-11 time=20:31:25 devname=APS3012404200944 device_id=APS3012404200944 log_id=0104032002 type=event subtype=admin pri=alert vd=root user="root" ui=ssh(10.1.20.21) action=login status=failed reason="name_invalid"msg="Administrator root login failed from ssh(10.1.20.21) because of invalid user name"
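As an added example (not FortiSIEM or Fortinet code), the following script shows how the key=value format of the sample line above can be parsed and put to use on the collector side: it decodes the syslog PRI (<185> is facility 23, severity alert, matching the pri=alert field), turns the pairs into a dictionary while coping with the missing separator in reason="name_invalid"msg=..., counts failed admin logins per source and user as a simple detection, and, for the Overview's point that syslog session logs already carry byte counters, sums sentbyte/rcvdbyte from session-close traffic logs. Only the first sample line is from this page; the other lines, the thresholds and the function names are constructed here, with field names following the FortiOS log format.

```python
"""Parse FortiGate key=value syslog and run two simple checks over it.

Added example (not FortiSIEM or Fortinet code). SAMPLE_LINES[0] is the log
line shown on this page; the other lines are constructed here to exercise
the parser. Thresholds and function names are this example's own choices.
"""
import re
from collections import Counter, defaultdict

# RFC 3164 severity names, indexed by PRI % 8 (facility is PRI // 8).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# key=value pairs: the value is either double-quoted (may contain spaces and
# parentheses) or a bare run of non-space characters. The page sample has
# reason="name_invalid"msg="..." with no separator, so whitespace between
# pairs is not required.
_PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s"]+))')
_PRI_RE = re.compile(r'^<(\d{1,3})>(.*)$', re.S)

SAMPLE_LINES = [
    # line from the page
    '<185>date=2010-04-11 time=20:31:25 devname=APS3012404200944 device_id=APS3012404200944 '
    'log_id=0104032002 type=event subtype=admin pri=alert vd=root user="root" ui=ssh(10.1.20.21) '
    'action=login status=failed reason="name_invalid"msg="Administrator root login failed from '
    'ssh(10.1.20.21) because of invalid user name"',
    # constructed: two more failed logins for the same user and source
    '<185>date=2010-04-11 time=20:31:40 devname=APS3012404200944 type=event subtype=admin '
    'pri=alert vd=root user="root" ui=ssh(10.1.20.21) action=login status=failed reason="passwd_invalid"',
    '<185>date=2010-04-11 time=20:31:55 devname=APS3012404200944 type=event subtype=admin '
    'pri=alert vd=root user="root" ui=ssh(10.1.20.21) action=login status=failed reason="passwd_invalid"',
    # constructed: a successful login must not be counted
    '<189>date=2010-04-11 time=20:32:10 devname=APS3012404200944 type=event subtype=admin '
    'pri=information vd=root user="admin" ui=https(10.1.20.50) action=login status=success',
    # constructed: session-close traffic logs carrying byte counters
    '<189>date=2010-04-11 time=20:33:00 devname="APS3012404200944" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=10.1.20.21 srcport=51234 dstip=10.1.10.5 '
    'dstport=443 proto=6 action="close" policyid=1 sentbyte=1450 rcvdbyte=9876 duration=30',
    '<189>date=2010-04-11 time=20:33:05 devname="APS3012404200944" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=10.1.20.21 srcport=51240 dstip=10.1.10.6 '
    'dstport=22 proto=6 action="close" policyid=1 sentbyte=500 rcvdbyte=124 duration=4',
]


def parse_fortigate_syslog(line):
    """Return a dict of fields; a leading <PRI> is decoded into facility/severity."""
    fields = {}
    body = line
    m = _PRI_RE.match(line)
    if m:
        pri = int(m.group(1))
        fields["syslog_facility"] = pri // 8
        fields["syslog_severity"] = SEVERITIES[pri % 8]
        body = m.group(2)
    for key, quoted, bare in _PAIR_RE.findall(body):
        fields[key] = bare if bare else quoted
    return fields


def is_failed_admin_login(fields):
    """Admin login failure: type=event subtype=admin action=login status=failed."""
    return (fields.get("type") == "event" and fields.get("subtype") == "admin"
            and fields.get("action") == "login" and fields.get("status") == "failed")


def login_source(fields):
    """ui=ssh(10.1.20.21) carries the access method and the client address."""
    m = re.match(r'^(\w+)\((.+)\)$', fields.get("ui", ""))
    return m.group(2) if m else fields.get("srcip")


def failed_admin_logins(lines, threshold=3):
    """(source, user) pairs with at least `threshold` failed admin logins."""
    counts = Counter()
    for line in lines:
        f = parse_fortigate_syslog(line)
        if is_failed_admin_login(f):
            counts[(login_source(f), f.get("user"))] += 1
    return {k: n for k, n in counts.items() if n >= threshold}


def bytes_by_source(lines):
    """Sum sentbyte/rcvdbyte from traffic logs that close a session, per srcip."""
    totals = defaultdict(lambda: {"sent": 0, "recv": 0})
    for line in lines:
        f = parse_fortigate_syslog(line)
        if f.get("type") == "traffic" and f.get("action") == "close":
            totals[f["srcip"]]["sent"] += int(f.get("sentbyte", 0))
            totals[f["srcip"]]["recv"] += int(f.get("rcvdbyte", 0))
    return dict(totals)


if __name__ == "__main__":
    print(parse_fortigate_syslog(SAMPLE_LINES[0]))
    print(failed_admin_logins(SAMPLE_LINES))
    print(bytes_by_source(SAMPLE_LINES))
```

The parser keeps values as strings and leaves interpretation to the checks, which is the same split FortiSIEM makes between parsing an event type and evaluating a rule over it. Note that this page's sample has both unquoted (vd=root) and quoted (user="root") values; newer FortiOS traffic logs quote most string fields, and the regex accepts either form.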