
User Guide

AWS VPC Flow

AWS VPC Flow Logs can be sent to FortiNDR Cloud. They are billed as part of log ingestion and appear in the portal as VPC_Flow events.

FortiNDR Cloud supports analyzing AWS data through two sources: VPC Flow Log ingestion and the AWS Sensor. VPC Flow Logs provide a high‑level view of who is communicating with whom (addresses, ports, protocol, byte counts and the accept/reject decision), without packet contents. This is enough for FortiNDR Cloud to deliver visibility into network activity and to detect behaviors such as connections to known malicious destinations and port enumeration (port scanning).

The FortiNDR Cloud AWS Sensor captures packets and analyzes their contents, identifying what is actually being transmitted. Its protocol analyzer offers deep analysis of many protocols, and its deep packet inspection engines detect malware and other traffic details. This enables detection of activity that cannot be identified from VPC Flow Logs alone, including malicious files, SSL/TLS certificates, DNS queries, URLs, and more.

In FortiNDR Cloud, VPC Flow Log data appears as the VPC_Flow event type. Data from the FortiNDR Cloud AWS Sensor appears across several event types:

  • Flow event types for network session data
  • Protocol‑specific event types (e.g., http, dns) for protocol analysis
  • Event types associated with deep packet inspection results
  • Additional features such as file inspection and payload extraction, where applicable

VPC Flow Log ingestion does not require any additional AWS infrastructure in your account: the VPC Flow Logs service writes the logs to a Fortinet-managed S3 bucket (the log destination listed below), and FortiNDR Cloud ingests them from there. The AWS Sensor, by contrast, runs as an EC2 instance in your account and incurs AWS compute and storage costs. Depending on the network design, multiple AWS Sensors may be required.

Because the destination bucket belongs to Fortinet, delivery from your account has to be authorized on Fortinet's side before any logs arrive. Provide Fortinet with the following for the AWS account that will publish the VPC Flow Logs:

  • AWS Account ID
  • Region

Customer Configuration

Setting                    Value
Log destination type       S3
Log destination            arn:aws:s3:::fortindr-cloud-integration/vpc-flow-logs
Log format                 ${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status} ${vpc-id} ${subnet-id} ${instance-id} ${tcp-flags} ${type} ${pkt-srcaddr} ${pkt-dstaddr} ${region} ${az-id} ${sublocation-type} ${sublocation-id} ${pkt-src-aws-service} ${pkt-dst-aws-service} ${flow-direction} ${traffic-path} ${ecs-cluster-arn} ${ecs-cluster-name} ${ecs-container-instance-arn} ${ecs-container-instance-id} ${ecs-container-id} ${ecs-second-container-id} ${ecs-service-name} ${ecs-task-definition-arn} ${ecs-task-arn} ${ecs-task-id} ${reject-reason}
Log file format            Text
Max aggregation interval   10 minutes
Partition time             24 hours
Hive compatible prefixes   false

The log format must be configured exactly as shown (40 fields, in this order); FortiNDR Cloud parses the files positionally, so a missing or reordered field breaks ingestion.

Terraform example

resource "aws_flow_log" "test_flow_logs" {
  # Fortinet-managed bucket. Cross-account delivery only succeeds once
  # Fortinet has registered your AWS Account ID and Region (see above).
  log_destination      = "arn:aws:s3:::fortindr-cloud-integration/vpc-flow-logs"
  log_destination_type = "s3"
  traffic_type         = "ALL"   # both ACCEPT and REJECT records
  vpc_id               = "<VPC ID>"

  # 600 seconds = the 10-minute aggregation interval from the table above
  max_aggregation_interval = 600

  # Plain-text files, 24-hour partitions, no Hive-compatible prefixes.
  # These are the provider defaults, spelled out here to match the table.
  destination_options {
    file_format                = "plain-text"
    hive_compatible_partitions = false
    per_hour_partition         = false
  }

  # "$$" escapes Terraform interpolation so AWS receives the literal "${...}".
  log_format = "$${version} $${account-id} $${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport} $${protocol} $${packets} $${bytes} $${start} $${end} $${action} $${log-status} $${vpc-id} $${subnet-id} $${instance-id} $${tcp-flags} $${type} $${pkt-srcaddr} $${pkt-dstaddr} $${region} $${az-id} $${sublocation-type} $${sublocation-id} $${pkt-src-aws-service} $${pkt-dst-aws-service} $${flow-direction} $${traffic-path} $${ecs-cluster-arn} $${ecs-cluster-name} $${ecs-container-instance-arn} $${ecs-container-instance-id} $${ecs-container-id} $${ecs-second-container-id} $${ecs-service-name} $${ecs-task-definition-arn} $${ecs-task-arn} $${ecs-task-id} $${reject-reason}"
}
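The following is an added example, not Fortinet's code or part of this guide. It derives the field list from the log format in the table above, rejects records whose field count does not match that format, and runs the kind of port-enumeration check the page says VPC Flow Logs make possible (one source touching many destination ports on one host). The sample records, the placeholder account, ENI, VPC and instance IDs, and the five-port threshold are all constructed assumptions.

```python
"""Validate VPC Flow Log lines against the custom log format above and flag
port enumeration from them. Added example, not Fortinet code; the sample
records are constructed and the sweep threshold is an assumption."""
from collections import defaultdict

# The exact log format from the Customer Configuration table (40 fields).
LOG_FORMAT = (
    "${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} "
    "${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} "
    "${log-status} ${vpc-id} ${subnet-id} ${instance-id} ${tcp-flags} ${type} "
    "${pkt-srcaddr} ${pkt-dstaddr} ${region} ${az-id} ${sublocation-type} "
    "${sublocation-id} ${pkt-src-aws-service} ${pkt-dst-aws-service} "
    "${flow-direction} ${traffic-path} ${ecs-cluster-arn} ${ecs-cluster-name} "
    "${ecs-container-instance-arn} ${ecs-container-instance-id} "
    "${ecs-container-id} ${ecs-second-container-id} ${ecs-service-name} "
    "${ecs-task-definition-arn} ${ecs-task-arn} ${ecs-task-id} ${reject-reason}"
)


def format_fields(fmt=LOG_FORMAT):
    """'${a} ${b}' -> ['a', 'b']: the field order FortiNDR Cloud expects."""
    return [tok[2:-1] for tok in fmt.split()]


FIELDS = format_fields()
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_line(line, fields=FIELDS):
    """Return one record as a dict, or None if the field count does not match
    the configured format. AWS writes '-' for fields that have no value."""
    parts = line.split()
    if len(parts) != len(fields):
        return None
    rec = dict(zip(fields, parts))
    for key in INT_FIELDS:
        rec[key] = None if rec[key] == "-" else int(rec[key])
    return rec


def port_sweeps(records, min_ports=5):
    """Map (srcaddr, dstaddr) -> sorted distinct dstports for sources that
    touched at least min_ports ports on one host. REJECTed SYNs count as a
    touch, which is exactly what a scan of a closed port produces."""
    seen = defaultdict(set)
    for r in records:
        if r["log-status"] != "OK" or r["dstport"] is None:
            continue
        seen[(r["srcaddr"], r["dstaddr"])].add(r["dstport"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_ports}


def sample_line(src, dst, dport, action, srcport=51234, tcp_flags=2):
    """Build one constructed 40-field ingress record. Account, ENI, VPC,
    subnet and instance IDs are placeholders, not real resources."""
    head = (
        f"5 123456789012 eni-0a1b2c3d4e5f67890 {src} {dst} {srcport} {dport} 6 "
        f"4 240 1700000000 1700000060 {action} OK vpc-0123456789abcdef0 "
        f"subnet-0123456789abcdef0 i-0123456789abcdef0 {tcp_flags} IPv4 "
        f"{src} {dst} us-east-1 use1-az1 - - - - ingress"
    )
    # traffic-path, the ten ECS fields and reject-reason carry no value here.
    return head + " -" * 12


# Constructed input: a SYN scan from 203.0.113.7 against six ports on one
# host, a normal HTTPS client, and one truncated line of the sort a wrong
# log_format string would produce.
SAMPLE_LINES = [
    sample_line("203.0.113.7", "10.0.1.25", p, "REJECT", srcport=40000 + p)
    for p in (21, 22, 23, 80, 443, 3389)
] + [
    sample_line("198.51.100.4", "10.0.1.25", 443, "ACCEPT", tcp_flags=19),
    sample_line("198.51.100.4", "10.0.1.25", 443, "ACCEPT", srcport=51235, tcp_flags=19),
    "5 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.9 10.0.1.25 443 6 REJECT OK",
]


def analyze(lines):
    """Parse every line; return (records, sweeps, rejected_lines)."""
    records, rejected = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            rejected.append(line)
        else:
            records.append(rec)
    return records, port_sweeps(records), rejected


if __name__ == "__main__":
    recs, sweeps, bad = analyze(SAMPLE_LINES)
    print(f"{len(FIELDS)} fields per record, {len(recs)} parsed, {len(bad)} rejected")
    for (src, dst), ports in sweeps.items():
        print(f"possible port enumeration: {src} -> {dst} ports {ports}")
```

Feeding this a real record (for example from a test flow log written with the same log format to a bucket you own) is a quick way to confirm the format string was applied correctly before asking Fortinet to enable delivery: a typo or a dropped field in log_format shows up immediately as a field-count mismatch rather than as silently misaligned columns.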
