Fortinet FortiGate Firewall

Support Added: FortiSIEM 4.7.2

Last Modification: FortiSIEM 7.0.0

Vendor: Fortinet

Product Information: https://www.fortinet.com/products/next-generation-firewall

Supported Versions

FortiGate 7.4.2

Integration Overview

FortiSIEM offers multiple ways to monitor FortiGate firewalls using REST API discovery, Syslog, Netflow, SNMP, or SSH. REST API FortiGate Fabric Discovery features are only available if the FortiGate is a standalone fabric root firewall, or is a member of a FortiGate fabric.

Protocol	Information Discovered	Metrics collected	Used for
REST API	Host name, Model, Version, Interfaces, Serial Number, FortiAP and FortiSwitch managed by FortiGate.	Uptime, CPU, Memory and Disk utilization, Network Interface metrics, VPN metrics, Firewall Connection metrics FortiGate Security Fabric Topology - Adjacent firewall Host name, Model, Version, Serial Number. Fortinet Security Fabric - Risk Rating FortiGate User Store Discovery - Discover FortiClient installed hosts passing through Firewalls.	Performance and Availability Monitoring
Syslog	Device type	All traffic, system logs, IPS events	Availability, Security and Compliance
Netflow		Firewall traffic, application detection and application link usage metrics	Security monitoring and compliance, Firewall Link Usage and Application monitoring
SNMP	Host name, Hardware model, Network interfaces, Operating system version	Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths). For 5xxx series firewalls, per CPU utilization (event PH_DEV_MON_FORTINET_PROCESSOR_USGE)	Availability and Performance Monitoring
SSH	Running configuration	Configuration Change	Performance Monitoring, Security and Compliance

Recommended Integration

For most use cases and integration needs, using the FortiGate REST API and Syslog integration will collect the necessary performance, configuration and security information.

If a FortiAnalyzer is receiving FortiGate logs, alternatively forward syslog from the FortiAnalyzer to FortiSIEM. Do not forward logs from both FortiGate and FortiAnalyzer to FortiSIEM as this will case duplicate events to be received by FortiSIEM (one from FortiGate and another from FortiAnalyzer).

This document covers the following topics:

• Configuring FortiGate REST API Integration
• Configuring Syslog Integration
• Configuring Netflow Integration
• Configuring SNMP Integration
• Configuring SSH Based Integration
• Configuring FortiAnalyzer to Send Logs to FortiSIEM

Configuring FortiGate REST API Integration

• Configuring FortiGate via GUI

• Configuring FortiGate via CLI

• Configuring FortiSIEM

• Important REST API Integration Events

• Rest API Integration Results

Configuring FortiGate via GUI

• Step 1: Create Admin Profile (RBAC Role)

• Step 2: Create Rest API User Account and Assign Admin Profile

Note on FortiGate REST API User Permissions: If you just want to collect audit and performance data from a FortiGate, and no configuration backups, you can assign an admin profile with read only for all access controls. If however, you would like configuration backups via the REST API, certain write permissions are needed to accomplish this.

To collect config backups in addition to other data, take the following steps:

Step 1: Create Admin Profile (RBAC Role)

1. Login to FortiGate Firewall GUI.

2. Navigate to System > Admin Profiles, and select Create New.

   1. In the Name field, enter the name the new profile, for example: "Read_Plus_Backup".

   2. In the Access Permissions window, for Access Control, take the following steps.

      1. Select Read for all Access Control except the following:

         • User & Device: Set control to Read/Write.

         • System > Administrator Users: Set control to Read/Write.
           

           Note on the two required Write Permissions: User & Device: Required for remediation scripts to quarantine/ban an IP/User/Device on the firewall. System >Administrator Users : Required to allow configuration backups via API. This is because FortiOS considers the API user an Administrator if you have the ability to read configurations with password hashes, certificate info, and other sensitive data.

   3. Optionally, if the firewall is a multi-vdom firewall, ensure the Scope option is set to "Global".

      Note: Config backups per vdom is not supported at this time.
      

      

   4. Click OK.

Step 2: Create Rest API User Account and Assign Admin Profile

Now define a REST API User account, and give it this new profile. Set any preferred IP restrictions (preferably restrict the account to the collector Source IP).

1. On the FortiGate GUI, navigate to System > Administrators > Create New > REST API Admin.
2. On the New REST API Admin dialog, enter the following information.
   1. In the Username field, enter a user name.
   2. (Optional) In the Comments field, enter any additional information about this account.
   3. In the Administrator Profile drop-down list, select the "Read_Plus_Backup" profile.
   4. Disable PKI Group.
   5. Disable CORS by setting the toggle CORS Allow Origin to off.
      
   6. In the Trusted Hosts field, enter a trusted host based off your source address. The Trusted Host must be specified to ensure that your local host can reach FortiGate. For example, to restrict requests as coming from only 10.20.100.99, enter "10.20.100.99/32". The Trusted Host is created from the Source Address. (From the FortiGate GUI, select the Status dashboard, navigate to <your-userid>, show active administrator sessions and copy the source address of your <your-userid>.
      
   7. Click OK and an API token will be generated. Copy the API token information as it is only shown once and cannot be retrieved. It will be needed for the Setup in FortiSIEM configuration.
   8. Click Close to complete the creation of the REST API Admin.

1. Proceed to Configuring FortiSIEM using the new REST API credential.

Configuring FortiGate via CLI

• Step 1: Create Admin Profile (RBAC Role)

• Step 2: Create Rest API User Account and Assign Admin Profile

To configure via the CLI, take the following steps.

Note:

1. It is most ideal to restrict the user to only the source IP of the collector doing the discovery, in our example below our collector IP is 192.168.1.25. This allows the user to only authenticate to the Firewall via this source IP.

2. If you experience connectivity issues, you can temporarily remove the trusted host configuration, and test.

3. Collector -> FortiGate firewall on administrator port must be allowed inbound to Firewall.

4. If multi-vdom, enter "config global" first.

Step 1: Create Admin Profile (RBAC Role)

Create an admin profile using the following:

config system accprofile
    edit "Read_Plus_Backup"
        set scope global
        set secfabgrp read
        set ftviewgrp read
        set authgrp read-write
        set sysgrp custom
        set netgrp read
        set loggrp read
        set fwgrp read
        set vpngrp read
        set utmgrp read
        set wanoptgrp read
        set wifi read
        config sysgrp-permission
            set admin read-write
            set upd read
            set cfg read
            set mnt read
        end
    next
end

Step 2: Create Rest API User Account and Assign Admin Profile

Now configure the user, using the following:

config system api-user
    edit "fortisiem_user"
        set accprofile "Read_Plus_Backup"
        set vdom "root"
        config trusthost
            edit 1
                set ipv4-trusthost 192.168.1.25 255.255.255.255
            next
        end
    next
end

Now finally, generate the api key.

execute api-user generate-key fortisiem_user

Note the output API key and store in password management utility. This will be placed in FortiSIEM credential (Device Type: Fortinet FortiOS, Access Protocol: FORTIOS_REST_API).

Configuring FortiSIEM

Obtain your token from FortiGate (see Configuring FortiGate via GUI or Configuring FortiGate via CLI) before proceeding.

Complete these steps in the FortiSIEM UI:

1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
   1. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
   2. Enter these settings in the Access Method Definition dialog box:

      Settings	Description
      Name	Enter a name for the credential.
      Device Type	Fortinet FortiOS
      Access Protocol	FORTIOS_REST_API
      Password config	Manual
      Token	Input the API token from the REST API User account.
      Confirm Token	Input the same API token as above for verification.
      Description	Description about the device.

3. In Step 2: Enter IP Range to Credential Associations, click New.
   1. Enter the FortiGate IP address or IP range in the IP/Host Name field.
   2. Select the name of your credential from the Credentials drop-down list.
   3. Click Save.
4. Click the Test drop-down list and select Test Connectivity to test the connection to FortiGate.
5. Navigate to ADMIN > Setup > Discover > New.
6. In the Discovery Definition window, take the following steps:
   1. In the Name field, enter a name for this device.
   2. In the Discovery Type drop-down list, select Range Scan.
   3. In the Include field, enter the FortiGate IP address.
   4. Click Save.
7. Navigate to ADMIN > Setup > Discovery > Discover. Your devices will be added into CMDB and 3 jobs are added in Monitor Performance.

Important REST API Integration Events

Type	Event Type	Description
Performance Monitoring	PH_DEV_MON_SYS_UPTIME	System uptime for a device
	PH_DEV_MON_SYS_CPU_UTIL	System CPU Utilization for a device
	PH_DEV_MON_SYS_MEM_UTIL	System memory Utilization stats for a device
	PH_DEV_MON_SYS_DISK_UTIL	Disk Utilization stats for a device
	PH_DEV_MON_NET_INTF_UTIL	Network Interface utilization stats for a device
	PH_DEV_MON_VPN_STATUS	VPN Statistics
	PH_DEV_MON_FW_CONN_UTIL	Firewall Connection Statistics
User Discovery	PH_DEV_MON_FGT_USER_INFO	FortiClient User Device Information seen by FortiGate
Security Posture Discovery	PH_DEV_MON_FGT_SEC_POSTURE_DETAILS	Per device audit details done by FortiGate Security Posture Analysis
	PH_DEV_MON_FGT_SEC_POSTURE_PER_DEVICE_STATS	Per Device Stats done by FortiGate Security Posture Analysis
	PH_DEV_MON_FGT_SEC_POSTURE_PER_CATEGORY_STATS	Per Category Security Stats done by FortiGate Security Posture Analysis
	PH_DEV_MON_FGT_SEC_POSTURE_PER_CATEGORY_GRADE	Per Category Security Posture Letter Grade done by FortiGate Security Posture Analysis
	PH_DEV_MON_FGT_SEC_POSTURE_FABRIC_GRADE	Overall Security Posture Letter Grade done by FortiGate Security Posture Analysis
	PH_DEV_MON_FGT_SEC_POSTURE_DETECTED_ENDPOINTS	Endpoint OS Types detected by FortiGate Security Posture Analysis

Rest API Integration Results

Once you discover a FortiGate firewall using REST API:

• The discovered firewall is discovered in depth and appears in CMDB > Devices > Firewalls.

• Other devices in the Security fabric are discovered partially - including a few parameters like hostname, access IP (usually the management IP of the Firewall), OS version and serial number. These devices include other Firewalls, attached switches and access points. They all appear in CMDB > Devices in their respective groups.

• FortiClient enabled user devices passing through the discovered firewall are discovered and they appear in Dashboard > Identity Location. Information includes Host name, IP, MAC, User and attached FortiGate device.

• Performance monitoring is done for the discovered firewall.

If you discover the root FortiGate firewall, then the Security Posture information is available and shown in the Dashboard > Fortinet Security Fabric > Security Posture Dashboard.

The recommended setting would be to do the REST API based discovery individually for each FortiGate firewall in the Security fabric.

Configuring Syslog Integration

To configure FortiGate to send logs to FortiSIEM over Syslog, take the following steps either via the Web GUI or CLI.

• Web GUI

• CLI

With the Web GUI

1. Log in to your firewall as an administrator.

2. Go to Log & Report > Log Config > syslog.

3. Enter the following for your FortiSIEM virtual appliance:
   

   • IP Address

   • Port Number

   • Minimum Log Level and Facility

4. Make sure that CSV format is not selected.

With the CLI

1. Connect to the FortiGate firewall over SSH and log in.

2. To configure your firewall to send syslog over UDP, enter this command, replacing the IP address 192.168.53.2 with the IP address of your FortiSIEM virtual appliance.
   

   config log syslogd setting
       set status enable
       set server "192.168.53.2"
       set facility user 
       set port 514
   end
   

3. Verify the settings.
   

   frontend # show log syslogd 
   setting config log syslogd setting
       set status enable
       set server "192.168.53.2"
       set facility user
   end
   

Sending Logs Over VPN

If you are sending these logs across a VPN, FortiGate will try to use the WAN interface for the source of all system traffic. You can change this by setting the source-ip option to the IP used on the FortiGate Internal/LAN interface.

On FortiSIEM, no configuration is needed.

Important Syslog Integration Events

Type	Event Type	Description
Malware	FortiGate-dns-botnet-domain	Domain blocked by DNS botnet C&C (Domain)
	FortiGate-dns-botnet-ip	Domain blocked by DNS botnet C&C (IP)
	FortiGate-antivirus-botnet	FortiGate antivirus botnet
	FortiGate-antivirus-file-blocked	Outbreak prevention blocked an infected file
	FortiGate-antivirus-file-infect	FortiGate antivirus file infect
	FortiGate-antivirus-file-infect-mime	FortiGate antivirus file infect mime
DNS Traffic	FortiGate-dns-query	DNS query message
	FortiGate-dns-resolv-error	DNS resolution error message
	FortiGate-dns-ftgd-cat-allow	Domain is monitored
	FortiGate-dns-ftgd-cat-block	System CPU Utilization for a device
Web filter	FortiGate-webfilter-allow	Web filter traffic allowed
	FortiGate-webfilter-blacklist-urlblock	Blacklisted web traffic blocked
	FortiGate-webfilter-block	Web filter traffic blocked
Application Detection	FortiGate-appctrl-*	FortiGate Application Control detection
Network Traffic	FortiGate-traffic-allowed	Permitted traffic
	FortiGate-traffic-denied	Denied traffic
Network Admission Control	FortiGate-event-nac-anomaly-quarantine	NAC anomaly quarantine
	FortiGate-event-nac-quarantine	NAC quarantine
	FortiGate-event-nac-quarantined-ban-ip	NAC module quarantined a host by blocking IP
Login	FortiGate-event-admin-login-success	Admin login successful
	FortiGate-event-admin-login-fail	Admin login failed
	FortiGate-event-login-failure	Failed admin logon
	FortiGate-event-login-success	Successful admin logon
DHCP	FortiGate-event-DHCP-response-Offer	DHCP Offer message
	FortiGate-event-device-upgrade-succeeded	Microsoft IIS performance metrics
Wireless	FortiGate-event-wireless-rogue-detect	Rogue AP detected
	FortiGate-event-wireless-rogue-offair	Rogue AP off wire
DLP	FortiGate-dlp-leak-detected	A data leak was detected by a specified DLP sensor rule
System	FortiGate-event-shutdown	Device shutdown
	FortiGate-event-sys-restart	Scheduled daily reboot started
	FortiGate-event-system-start	FortiGate started
	FortiGate-event-temp-too-high	Temperature too high
	FortiGate-event-temp-too-low	Temperature too low
	FortiGate-fnTrapTempHigh	A temperature sensor on the device has exceeded its threshold
	FortiGate-event-fan-anom	Fan anomaly
	FortiGate-event-power-redundancy-degrade	Power Supply Redundancy Degrade
	FortiGate-event-power-redundancy-failure	Power Supply Redundancy Lost
	FortiGate-ConfigChange-Interface-Down	FortiGate user changed interface status to down
	FortiGate-ConfigChange-Interface-Up	FortiGate user changed interface status to up
Config Change	FortiGate-event-config-change	Configuration changed in admin session
IPS detections	FortiGate-ips-signature-<id>	FortiGate signatures

Configuring Netflow Integration

• Step 1: Configure FortiGate via CLI

• Step 2: Configure FortiGate via GUI

Step 1: Configure FortiGate via CLI

1. Connect to the FortiGate firewall over SSH and log in.
2. To configure your firewall to send Netflow over UDP, enter the following commands:
   

   config system netflow

   set collector-ip <FortiSIEM IP>

   set collector-port 2055

   end

3. Enable Netflow on the appropriate interfaces, replacing port1 with your interface name:

   config system interface

   edit port1

   set netflow-sampler both

   end

4. Optional - Using Netflow with VDOMs
   For VDOM environments, excluding the management VDOM, Netflow must be configured using the following CLI commands:

   con global

   con sys netflow

   set collector-ip <FortiSIEM IP>

   set collector-port 2055

   set source-ip <source-ip>

   end

   end

   con vdom

   edit root (root is an example, change to the required VDOM name.)

   con sys interface

   edit wan1 (change the interface to the one to use.)

   set netflow-sampler both

   end

   end

Step 2: Configure FortiGate via GUI

1. Login to FortiGate.
2. Go to Policy & Objects > IPv4 Policy.
3. Click on the Policy IDs you wish to receive application information from.
4. Add SSL inspection and App Control on the policy by clicking the + button in the Security Profiles column.

On FortiSIEM side, no configuration is needed.

Important Netflow Integration Events

Type	Event Type	Description
Netflow	FortiGate-NetFlow	FortiGate Netflow traffic

Configuring SNMP Integration

Monitoring of a FortiGate for performance monitoring using SNMP is not typically required if using the FortiGate API for monitoring. If using FortiSIEM to monitor the interface and application usage, helpful for SDWAN monitoring, then a specific SNMP configuration will be required on the FortiGate, detailed in Interface Usage Dashboard in the FortiSIEM Online Help.

• Configuring SNMP v1 or v2 on FortiGate

• Configuring SNMP v3 on FortiGate

• Configuring FortiSIEM

Configuring SNMP v1 or v2 on FortiGate

Follow these steps to configure SNMPv1 or v2 on FortiGate. For more information on configuring the FortiGate to allow detailed interface monitoring using SNMP, see Data Source in the FortiSIEM User's Guide.

1. Log in to your firewall as an administrator.
2. Go to System > Network.
3. Select the FortiGate interface IP that FortiSIEM will use to communicate with your device, and then click Edit.
4. For Administrative Access, makes sure that SSH and SNMP are selected.
5. Click OK.
6. Go to System > Config > SNMP v1/v2c.
7. Click Create New to enable the public community.

Configuring SNMP v3 on FortiGate

To configure SNMPv3 on a FortiGate Firewall and integrate it with FortiSIEM, take the following steps:

1. Allow SNMP traffic on inbound interface where FortiSIEM collector will reach FortiGate firewall.

2. Run the show command under the interface, then run "set allowaccess option1 option2 snmp", replacing the options with the preexisting values, adding snmp to the end.

   The following example has the FortiSIEM collector polling inbound on interface port 1.

   config system interface

   edit "port1"

    show

    set allowaccess snmp

   end

   config system snmp sysinfo

    set status enable

    set description "Description of device"

    set contact-info "Optional contact info"

    set location "Optional location info"

   end

3. Replace the sha and aes passwords with your own, and for notify-hosts, enter the IP address of your FortiSIEM collector that will be polling the FortiGate unit.

   config system snmp user

   edit "fortisiem_user"

    set status enable

    set queries enable

    set security-level auth-priv

    set auth-proto sha

    set auth-pwd "yourShaPassword1"

    set priv-proto aes

    set priv-pwd "yourAesPassword1"

    set notify-hosts "192.168.1.2"

    next

   end

Configuring SNMP on FortiSIEM

Complete these steps in the FortiSIEM GUI:

1. Go to the Admin > Setup > Credentials tab.
2. In Step 1: Enter Credentials, click New to create a new credential.
   1. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
   2. For SNMP v3, enter these settings in the Access Method Definition dialog box:

      Settings	Description
      Name	Enter a name for the credential.
      Device Type	Generic
      Access Protocol	SNMP v3
      Security Level	authPriv
      Security Name	fortisiem_user or <your SNMPv3 username here>
      Auth Protocol	SHA
      Auth Password	<your password>
      Priv Protocol	AES
      Priv Password	<your password>
      Context	You can leave this field blank.
      Description	Optional, you can explain which devices this credential is used for.

   3. For SNMP V1 or V2, enter these settings in the Access Method Definition dialog box:
      

      Settings	Description
      Name	Enter a name for the credential.
      Device Type	Generic
      Access Protocol	SNMP
      Community String / Confirm Community String	<the community string>
      Description	Optional, you can explain which devices this credential is used for.

3. In Step 2: Enter IP Range to Credential Associations, click New to create a new mapping.
   Note: If multiple collectors, use the collector drop-down list to select which collector will do the polling. If you have only 1 collector, no drop-down list will appear.
   
   1. Enter a host name, an IP, or an IP range in the IP/Host Name field. You can add multiple IPs by using a comma as a separator, for example:
      192.168.1.1,192.168.2.1,192.168.3.1
      
   2. Select the name of your credential from the Credentials drop-down list.
   3. Click Save.
   
   
4. Click the Test drop-down list and select Test Connectivity without Ping to test the connection. If it fails, ensure the firewall is configured correctly, that SNMP is allowed from the collector on UDP 161, and that the correct SNMPv3 user and password is being used.
5. Click the Discovery tab. If there is more than one collector, select from the drop-down list the collector you'd like to do the polling.

6. In the include list, enter the same comma separated IP list as before.

7. Optionally, you can disable ICMP alive check by selecting Options > Do not ping before discovery.

8. Click Save.

9. Select the new discovery, and click Discover. Wait for it to finish, or click run in background.

10. Click the CMDB tab, and confirm that the devices are discovered via SNMP.

Important SNMP Integration Events

Type	Event Type	Description
Performance Monitoring	PH_DEV_MON_SYS_UPTIME	System uptime for a device
	PH_DEV_MON_SYS_CPU_UTIL	System CPU Utilization for a device
	PH_DEV_MON_SYS_MEM_UTIL	System memory Utilization stats for a device
	PH_DEV_MON_SYS_DISK_UTIL	Disk Utilization stats for a device
	PH_DEV_MON_NET_INTF_UTIL	Network Interface utilization stats for a device
	PH_DEV_MON_FORTINET_QOS	Fortinet QoS metrics
	PH_DEV_MON_FORTIGATE_PERF	FortiGate performance
	PH_DEV_MON_FORTIGATE_INTF_UTIL	FortiGate interface performance
	PH_DEV_MON_AUTH_STATS	FortiGate Authentication statistics

Configuring SSH Based Integration

Configuring SSH on FortiGate

FortiSIEM Collector SSH Client, when communicating to FortiGate via SSH, may use the public key authentication method first. This may fail and create some alerts in FortiGate. To prevent this, modify the per user config file as follows: Log in to the FortiSIEM node that communicates to FortiGate via SSH, as admin. Open /opt/phoenix/bin/.ssh/config and create a new file, if necessary. Add these two lines and save: PreferredAuthentications password PubkeyAuthentication no Ensure that the owner is admin: chown admin.admin /opt/phoenix/bin/.ssh/config chmod 600 /opt/phoenix/bin/.ssh/config Verify using the commands: su admin ssh -v <fgt host> Verification is successful if the following files are found: Alternatively, modify the global ssh_config file as below. Since this is a global configuration, all programs will use this setting. Log in to a FortiSIEM node that communicates to FortiGate via SSH, as root. Open /etc/ssh/ssh_config Add these two lines: PreferredAuthentications password PubkeyAuthentication no

SSH Credentials are not normally necessary if using the FortiGate API discovery method, as the FortiGate configuration can also be monitored via the API. You may wish to use the SSH credential for some remediation actions such as "Block Source IP FortiOS 7.x via SSH" and "Block Source MAC FortiOS 7.x via SSH". See Remediations in the FortiSIEM Online Help for more information. FortiGate remediation action "Block Source IP FortiOS 7.x via FortiOS API" can also be performed via API.

These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in FortiSIEM have the permissions necessary to execute these commands on the device.

show firewall address

show full-configuration

Configuring SSH on FortiSIEM

Complete these steps in the FortiSIEM GUI:

1. Go to the Admin > Setup > Credentials tab.
2. In Step 1: Enter Credentials, click New to create a new credential.
   1. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
   2. For SSH, enter these settings in the Access Method Definition dialog box:

      Settings	Description
      Name	Enter a name for the credential.
      Device Type	Generic
      Access Protocol	SSH
      Security Level	authPriv
      User Name	A user who has access credentials for your device over SSH
      Password	The password for the user
      Description	Optional, you can explain which devices this credential is used for.

Important SSH Integration Events

Type	Event Type	Description
Configuration Collection and Change Detection	PH_DEV_MON_CHANGE_RUN_CONFIG	Running config changed
	PH_DEV_MON_CHANGE_STARTUP_CONFIG	Startup config changed
	PH_DEV_MON_SYS_PER_CPU_UTIL	Per-process CPU Utilization

Configuring FortiAnalyzer to Send Logs to FortiSIEM

If you are already sending FortiGate logs to FortiAnalyzer, then you can forward those logs to FortiSIEM by configuring FortiAnalyzer as follows:

• Setting Up the Syslog Server

• Pre-Configuration for Log Forwarding

• Configuring Log Forwarding

• Configuring FortiSIEM Collector to Receive Logs from FortiAnalyzer

Setting Up the Syslog Server

1. Login to FortiAnalyzer.
2. Go to System Settings > Advanced > Syslog Server.
   1. Click the Create New button.
   2. Enter the Name. (It is recommended to use the name of the FortiSIEM server.)
   3. Fill in the IP address (or FQDN) with the IP or a fully qualified name of the FortiSIEM server.
   4. Leave the Syslog Server Port to the default value '514'.
   5. Click OK to save your entries.

Pre-Configuration for Log Forwarding

To configure FortiAnalyzer event forwarding to FortiSIEM, you must first set up the following.

1. 1. Install a FortiSIEM collector in the same subnet as FortiAnalyzer that will be forwarding the events.
   Note: The same subnet request is required as FortiAnalyzer will later be configured to spoof packets to the collector. RPF (reverse path forwarding checks) on network equipment would have to be disabled if FortiAnalyzer and collector existed on different subnets.

2. 2. It is recommended that for every 5,000 EPS (events per second) ingested, you add 1 collector that is 8vCPU, 8GB RAM. If you have more than 5,000 EPS forwarding from FortiAnalyzer, please set up a load balancer with multiple collectors behind it, allowing UDP 514 inbound.

Configuring Log Forwarding

Take the following steps to configure log forwarding on FortiAnalyzer.

1. Go to System Settings > Log Forwarding.

2. Click the Create New button in the toolbar. The Create New Log Forwarding pane opens.

3. fill in the information as per the below table, then click OK to create the new log forwarding. The FortiAnalyzer device will start forwarding logs to the server.
   

   Field	Input
   Name	FortiSIEM-Forwarding
   Status	On
   Remote Server Type	Syslog
   Compression	OFF
   Sending Frequency	Real-time
   Log Forwarding Filters	Select all desired Administrative Domains (ADOMs) / device logs you’d like to forward

4. Go to the CLI Console and configure the CLI only log forward option by running the following CLI commands.
   Notes:

   • Logs received by FortiAnalyzer, and then forwarded to FortiSIEM, have the source IP of the log packet overwritten with the IP address of the FortiAnalyzer appliance. This hides the "true" source of the log packet from FortiSIEM. To override this behavior, FortiAnalyzer can spoof the original log sender's IP address when forwarding to FortiSIEM. This allows FortiSIEM collectors to receive all the original information as if it received the logs directly from the originating device.

   • For FortiAnalyzer versions 6.0 and later, use the following CLI:
     Notes:

     Replace <id> with the actual name of the log forward created earlier.

     You can run "set server-name..." or "set server-ip...". Fortinet recommends using set server-ip "a.b.c.d", so you do not require name resolution of the Collector.

     config system log-forward
         edit <id>
             set mode forwarding
             set fwd-max-delay realtime
             set server-name "<FortiSIEM_Collector>"   
             set server-ip "a.b.c.d"
             set fwd-log-source-ip original_ip
             set fwd-server-type syslog
         next
     end

   • For FortiAnalyzer versions 5.6 to 5.9, use the following CLI:
     Note: Replace <id> with the actual name of the log forward created earlier.

     config system log-forward

       edit <id>

        set mode forwarding

        set fwd-max-delay realtime

        set server-ip "a.b.c.d"

        set fwd-log-source-ip original_ip

        set fwd-server-type syslog

      next

     end
     

   • For FortiAnalyzer versions earlier than 5.6, use the following CLI:
     Note: For <id>, you can choose the number for your FortiSIEM syslog entry.
     

     config system aggregation-client

       edit <id> 

         set fwd-log-source-ip original_ip

     end

   Configuring FortiSIEM Collector to Receive Logs from FortiAnalyzer

   To configure the FortiSIEM collector to receive logs from FortiAnalyzer, you will need to disable RPF checks that would normally cause the collector virtual machine from dropping the log packet as it is spoofed.

   sysctl -w net.ipv4.conf.all.rp_filter=0

   To make this change persistent across reboots, add the following code to the /etc/sysctl.conf file.

   net.ipv4.conf.all.rp_filter=0