Event Forwarding
In systems management, many servers may need access to forward logs, traps and NetFlows from network devices and servers, but it is often resource intensive for network devices and servers to forward logs, traps and NetFlows to multiple destinations. For example, most Cisco routers can forward NetFlow to two locations at most. However, FortiSIEM can forward/relay specific logs, traps and NetFlows to one or more destinations. A Super, Worker or Collector can forward events - the one which receives and parses the event forwards it. If you want to send a log to multiple destinations, you can send it to FortiSIEM, which will use an event forwarding rule to send it to the desired locations. If you only want the workers (or super) to forward events, after this configuration, see Event Forwarding by Worker.
- Go to Admin > Settings > Event Pipeline > Forwarding tab.
- Click +.
- Select the Organization for which the rule will apply.
- Click the drop-down next to Reporting Device and browse the folders to find the group of devices, or a specific device for which you must create a rule.
- Click the drop-down next to Event Type and browse the folders to find the group of event types, or a specific event type for which you must create a rule.
- Click Save.
- Select the Traffic Type to which the rule should apply. Based on your Traffic Type selection, provide the information listed in the Traffic Type table below.
Traffic Type table

Traffic Type: Syslog
Fields and Description Configuration:
- For Source IP, enter the IP address of the device that will be sending the logs.
- For Destination IP, enter the IP address of the device to which the logs are sent.
- For Severity, select an operator and enter a severity level that must match for the log to be forwarded.
- For Regex Filter, enter any regular expressions you want to use to filter the log files. If any matches are made against your regular expression, then the event will be forwarded.
- Under Forward To:
  - Enter the IP address.
  - Select the forwarding Protocol from the drop-down:
    - UDP - If you use this protocol, events may be lost.
    - TCP - This method ensures reliability.
    - TCP over SSL - This method ensures reliability and security. See Note 3 below.
  - Select the Port number in the Port field.
  - Select the Format:
    - Incoming - the outgoing format is the same as the incoming format.
    - CEF - outgoing events are CEF formatted. See here for details on CEF formatted logs.
- When done, click Save.

Traffic Type: Netflow
Fields and Description Configuration:
- Under Forward To:
  - Enter the IP address.
  - Protocol should default to Netflow.
  - Select the Port number in the Port field.
- When done, click Save.

Traffic Type: Any
Fields and Description Configuration:
- A Kafka Channel is required. This can be configured in Admin > Settings > System Kafka.
- Under Forward To:
  - Protocol should default to Kafka.
  - From the Kafka Channel drop-down, select the Kafka channel you configured.
- Click Save.
Notes:
- If you want the same sender IP to forward events to multiple destinations, create a rule for each destination.
- FortiSIEM will implement all rules that you create and enable, so if you create a duplicate of an event forwarding rule, two copies of the same log will be sent to the destination IP.
- If you want to use public CA certificates for TCP over SSL communication, then note the following:
  - FortiSIEM's SSL library can validate an external system's certificate if it is signed by a public CA.
  - If the external system wants to verify the FortiSIEM node's certificate, then you need to add the following certificate and key to the phoenix_config.txt file of the FortiSIEM nodes forwarding the event:

        [BEGIN phEventForwarder]
        tls_certificate_file= #/opt/phoenix/bin/.ssh/my_cert.crt
        …
        tls_key_file= #/opt/phoenix/bin/.ssh/my_cert.key
        [END]
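To make the first two notes concrete (one rule per destination, and a duplicated rule sending two copies of the same log), here is an added Python model of how a syslog forwarding rule selects events and where each copy goes. It is not FortiSIEM code; the rule fields, the severity scale, the "ip:port/protocol" destination notation, and the sample addresses and events are constructed assumptions.

```python
import operator
import re
from collections import Counter
from dataclasses import dataclass

# Operators offered by the Severity field, mapped to Python comparisons (assumed set).
SEVERITY_OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
                ">=": operator.ge, ">": operator.gt}

@dataclass(frozen=True)
class ForwardingRule:
    source_ip: str     # Source IP of the reporting device the rule applies to
    severity_op: str   # operator chosen in the Severity field
    severity: int      # severity threshold (constructed scale, 0-10)
    regex_filter: str  # Regex Filter: the event is forwarded only if it matches
    forward_to: str    # destination, written here as "ip:port/protocol"
    enabled: bool = True

def rule_matches(rule: ForwardingRule, event: dict) -> bool:
    """True if an enabled rule selects this event (device, severity, regex)."""
    if not rule.enabled or event["source_ip"] != rule.source_ip:
        return False
    if not SEVERITY_OPS[rule.severity_op](event["severity"], rule.severity):
        return False
    return re.search(rule.regex_filter, event["raw"]) is not None

def plan_forwarding(rules, events):
    """(destination, raw_log) pairs that would be sent. Every enabled matching
    rule sends its own copy, so a duplicated rule double-sends to one target."""
    return [(r.forward_to, ev["raw"]) for ev in events for r in rules
            if rule_matches(r, ev)]

def duplicate_rules(rules):
    """Enabled rules defined more than once: the cause of duplicate copies."""
    return [r for r, n in Counter(r for r in rules if r.enabled).items() if n > 1]

# Constructed rules: one rule per destination for the same sender, plus an
# accidental duplicate of the first rule.
RULES = [
    ForwardingRule("192.0.2.10", ">=", 5, r"auth.*fail", "198.51.100.5:514/tcp"),
    ForwardingRule("192.0.2.10", ">=", 5, r"auth.*fail", "198.51.100.6:6514/tls"),
    ForwardingRule("192.0.2.10", ">=", 5, r"auth.*fail", "198.51.100.5:514/tcp"),
]
# Constructed sample events.
EVENTS = [
    {"source_ip": "192.0.2.10", "severity": 7, "raw": "sshd: auth failure for root"},
    {"source_ip": "192.0.2.10", "severity": 3, "raw": "sshd: auth failure for bob"},
    {"source_ip": "192.0.2.11", "severity": 9, "raw": "sshd: auth failure for root"},
]
```

Running `plan_forwarding(RULES, EVENTS)` shows the first event delivered twice to 198.51.100.5 and once to 198.51.100.6; `duplicate_rules(RULES)` points at the rule to delete.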
Event Forwarding by Worker
There may be situations where you do not want to forward events from collectors to your target device. Fortinet allows you to forward events when a worker (or the super) receives collector event information. To configure this, go to Admin > Settings > Event Pipeline > Forwarding tab, and add a checkmark to the Forward From Worker checkbox. If there is more than one collector per org, this feature will forward events from the workers for all collectors.