You can integrate FortiWeb-VM with Azure Security Center (ASC) by pushing log messages (event logs, security and health alerts) to an Azure Event Hub. To configure the integration, first connect the Azure Event Hub to FortiWeb-VM through either a CLI command or Azure PowerShell. Both methods require the following information about the event hub you want to connect to:
Service Bus Namespace: The Service Bus namespace in which the Event Hub is created. This will be required later for parameter
Name of the Event Hub: This will be required later for parameter
Subscription (ID): The subscription (ID) that has access to the Event Hub. This will be required later for parameter
Policy name: Name of the Shared Access policy you created for the Event Hub. This will be required later for parameter
Primary key: The primary shared access key that the above policy uses for Shared Access Signature authentication on the Event Hub. This will be required later for parameter
You can collect the values through the Azure classic portal.
- To obtain the servicebus_namespace value, in the Azure classic portal, in the left navigation pane, click Service Bus.
- Locate the appropriate namespace in the list of namespaces and record its name.
- To obtain the eventhub_name value, click the namespace item you are using, and then click Event Hubs.
- Record the event hub name that is displayed.
- To obtain the subscription_id value (displayed in Azure as a Subscription value), first click the name of the event hub you are using to display its properties.
- Record the Subscription value found in the bottom-right area of the event hub's dashboard. Use this value for
- To access the event hub policy that provides the primary_key values, in the event hub properties, click Configure.
- Record the Policy Name and Primary Key values.
You now have the parameters needed to connect the event hub to FortiWeb-VM through the CLI command or Azure PowerShell.
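The policy name and primary key recorded above are the inputs to Shared Access Signature authentication on the Event Hub. The following PowerShell is an added example, not part of the Fortinet documentation or of the script Fortinet supplies: it derives a token in Azure's documented SAS format and re-checks it locally, showing that the token is bound to one hub and one key. The function names and sample values are assumptions made for illustration, and Test-EventHubSasToken is a local stand-in for the check Azure performs on the service side.

```powershell
# Added example; function names and the sample values at the bottom are constructed.
function Get-SasSignature {
    param([string]$PrimaryKey, [string]$StringToSign)
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    try {
        # The key string is used as UTF-8 bytes (it is not base64-decoded first).
        $hmac.Key = [Text.Encoding]::UTF8.GetBytes($PrimaryKey)
        [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($StringToSign)))
    } finally { $hmac.Dispose() }
}

function New-EventHubSasToken {
    param([string]$ServiceBusNamespace, [string]$EventHubName,
          [string]$PolicyName, [string]$PrimaryKey, [int]$TtlSeconds = 300)
    # The token is bound to this resource URI and to the expiry time (Unix seconds).
    $uri    = [Uri]::EscapeDataString("https://${ServiceBusNamespace}.servicebus.windows.net/${EventHubName}")
    $expiry = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds() + $TtlSeconds
    # String-to-sign: URL-encoded resource URI, a newline, then the expiry.
    $sig    = [Uri]::EscapeDataString((Get-SasSignature $PrimaryKey "$uri`n$expiry"))
    # Only the HMAC travels in the token; the primary key itself is never sent.
    "SharedAccessSignature sr=$uri&sig=$sig&se=$expiry&skn=$PolicyName"
}

function Test-EventHubSasToken {
    param([string]$SasToken, [string]$PrimaryKey)
    # Split "SharedAccessSignature name=value&name=value..." into a field table.
    $fields = @{}
    foreach ($pair in (($SasToken -replace '^SharedAccessSignature ', '') -split '&')) {
        $name, $value = $pair -split '=', 2
        $fields[$name] = $value
    }
    # Reject expired tokens, then recompute the HMAC over the sr and se fields as received.
    if ([long]$fields['se'] -le [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()) { return $false }
    $expected = Get-SasSignature $PrimaryKey "$($fields['sr'])`n$($fields['se'])"
    # Plain string comparison, adequate for a local illustration only.
    $expected -ceq [Uri]::UnescapeDataString($fields['sig'])
}

# Constructed sample values, not real credentials.
$key   = 'c2FtcGxlLWtleS1ub3QtcmVhbA=='
$token = New-EventHubSasToken 'example-ns' 'fortiweb-logs' 'fortiweb-send' $key
Test-EventHubSasToken $token $key                                          # token as issued
Test-EventHubSasToken ($token -replace 'fortiweb-logs', 'other-hub') $key  # sr rewritten to another hub
Test-EventHubSasToken $token 'wrong-key'                                   # different primary key
```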
Execute the CLI command system eventhub with the parameters you prepared, as follows, to configure the Azure event hub settings on FortiWeb:
config system eventhub
  set status enable
  set appliance_id <subscription_id>
  set policy_saskey <primary_key>
  set policy_name <policy_name>
  set eventhub_name <eventhub_name>
  set servicebus_namespace <servicebus_namespace>
end
For more information on using the CLI, see the FortiWeb CLI Reference.
To connect an event hub to FortiWeb-VM through Azure PowerShell, you need to prepare the following files:
A PowerShell script: This is a script (.ps1) that you run through Azure PowerShell to set the login information of the Azure event hub on FortiWeb-VM. Contact Fortinet Technical Support to obtain the script file.
An event hub configuration: This is a .json file containing the necessary information about the event hub. The above PowerShell script requires the .json file to complete the configuration of Azure event hub auto-login for FortiWeb-VM. You can edit the following text and save it as a .json file (for example, logging.json):
<servicebus_namespace> are the parameters that you must edit to match your environment. Leave the rest of the content above unchanged, and save the .json file on your local computer.
Log in to Azure PowerShell in your local Windows environment and run the script (for example, customScriptWrapper.ps1) as follows to configure the Azure event hub settings on FortiWeb:
PS C:\> ./customScriptWrapper.ps1
<json_path> is the path where you saved the .json file on your local computer (for example, C:\Users\username\Desktop\logging.json), and <subscription_id> is the subscription (ID) that has access to the Event Hub. Please do not change the inputs above for parameters
In addition to connecting the Event Hub to FortiWeb-VM, you must create a SIEM policy and configure the Global Log Settings so that FortiWeb-VM pushes its event logs to the connected Event Hub. See the FortiWeb Administration Guide.