
FortiGate

Overview

The FortiGate range of firewalls is a complete appliance solution with mature security functions. The firewalls run the FortiOS operating system.

Event Categories

The following table lists the data sources offered by this integration.

Data Source                          | Description
-------------------------------------|------------------------------------------------------------------------------------
Network device logs                  | FortiGate appliances can record the traffic logs flowing through their firewall.
Network intrusion detection system   | Security logs provided by FortiGate appliances include intrusion prevention records.
Web application firewall logs        | FortiWeb appliances and virtual appliances record WAF information.
Web logs                             | The WAF information produced by FortiWeb units can record permitted URL accesses.
DNS records                          | Both DNS queries and responses handled by the FortiGate domain name servers can be recorded.

Configure

In this documentation we explain one way to collect FortiGate logs and send them to SEKOIA.IO:

  • From the FortiGate appliance to an internal log concentrator (Rsyslog), then forwarded to SEKOIA.IO

FortiGate logs

On FortiGate appliances, most of the important hardware and software activities that are relevant for security detection and analysis are logged into three files.

  • Traffic: Local out traffic, Denied traffic, Allowed traffic
  • Web
  • URL filtering
  • VPN

Transport to the concentrator

Prerequisites

The following prerequisites are needed to set up efficient log concentration:

  • Have administrator rights on the FortiGate
  • Traffic towards the Rsyslog server must be allowed on TCP/514

Configure FortiGate

The first step is to configure the FortiGate to log the expected traffic. You can configure FortiOS to send log messages to remote syslog servers in standard, CSV or CEF (Common Event Format) format. These three formats are accepted by the SEKOIA.IO intake. To enable syslog, log in to the CLI and enter the following commands:

config log syslogd setting
set status enable
set port 514
set mode reliable
set server [IP address of syslog server]
set facility user
set format rfc5424
end

Most FortiGate features are enabled for logging by default. Ensure they are enabled by executing the following command:

show full-configuration

Make sure the Traffic, Web and URL Filtering features are enabled for logging with the following commands:

config log syslogd filter
set forward-traffic enable
set local-traffic enable
set multicast-traffic enable
....
set vpn enable
set web enable
set url-filter enable
end
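The commands above are easy to mistype, and the output of show full-configuration is long, so it helps to check the dump mechanically before pointing the appliance at the concentrator. The following script is an added example written for this page (not SEKOIA.IO or Fortinet code): it flattens a FortiOS CLI dump into sections and reports any syslogd setting or filter that differs from what the page asks for. The dump text it checks is constructed for illustration; the section names and keys are the ones shown in the commands above.

```python
"""Check a FortiOS 'show full-configuration' dump for the syslog settings this page asks for.

Added example, not part of the SEKOIA.IO page or of Fortinet's tooling.
The dump below is constructed for illustration.
"""

# What the page configures: syslogd setting values and the filters that must be enabled.
REQUIRED_SETTINGS = {"status": "enable", "port": "514", "mode": "reliable"}
REQUIRED_FILTERS = ("forward-traffic", "local-traffic", "vpn", "web", "url-filter")

# Constructed dump: 'mode' was left at udp and 'web' logging was disabled on purpose,
# so the checker has something to report.
SAMPLE_DUMP = """\
config log syslogd setting
    set status enable
    set server "192.0.2.10"
    set mode udp
    set port 514
    set facility user
    set format rfc5424
end
config log syslogd filter
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set vpn enable
    set web disable
    set url-filter enable
end
"""


def parse_fortios_config(text):
    """Flatten a FortiOS CLI dump into {section path: {key: value}}.

    Nested 'config ... end' and 'edit ... next' blocks become a path joined with ' / '.
    'unset' lines are ignored; 'show full-configuration' prints defaults explicitly,
    which is why the page asks for the full form rather than plain 'show'.
    """
    stack, result = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line.startswith("edit "):
            stack.append(line[len("edit "):].strip('"'))
        elif line in ("end", "next"):
            if stack:
                stack.pop()
        elif line.startswith("set "):
            parts = line[len("set "):].split(None, 1)
            key = parts[0]
            value = parts[1].strip('"') if len(parts) > 1 else ""
            result.setdefault(" / ".join(stack), {})[key] = value
    return result


def check_syslog_config(text):
    """Return a list of human-readable problems; an empty list means the dump matches the page."""
    cfg = parse_fortios_config(text)
    setting = cfg.get("log syslogd setting", {})
    filt = cfg.get("log syslogd filter", {})
    problems = []
    for key, expected in REQUIRED_SETTINGS.items():
        if setting.get(key) != expected:
            problems.append(f"syslogd setting: {key} is {setting.get(key)!r}, expected {expected!r}")
    if not setting.get("server"):
        problems.append("syslogd setting: server is not set")
    if not setting.get("format"):
        problems.append("syslogd setting: format is not set")
    for name in REQUIRED_FILTERS:
        if filt.get(name) != "enable":
            problems.append(f"syslogd filter: {name} is not enabled")
    return problems


if __name__ == "__main__":
    for problem in check_syslog_config(SAMPLE_DUMP) or ["configuration matches the page"]:
        print(problem)
```

To use it on a real appliance, paste the output of show full-configuration into a file and pass its contents to check_syslog_config; the parser only looks at the two log syslogd sections, so the rest of the dump is ignored.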

On some FortiGate appliances, it may not be possible to apply the above configuration through the command line. An alternative is to use the graphical interface and go to the Log Settings menu. From there, you can enable every logging option within Event Logging and Local Traffic Log except the Denied options.

Then, to use the CEF format, use the following commands:

config log syslogd setting
set format cef
end
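Whichever format you choose, the concentrator and the intake end up with the same fields under two different vocabularies: the standard format is a line of key=value pairs, while CEF carries a pipe-separated header followed by key=value extensions. The script below is an added example written for this page (not SEKOIA.IO or Fortinet code) that parses both forms into one small normalised record and then picks out the denied traffic the page lists under the Traffic category. The two sample messages are constructed; the standard-format keys (srcip, dstip, action, type, subtype) and the CEF extension keys (src, dst, act, dpt) are the usual FortiGate and CEF names, and the assumed layout of the CEF name field ("type:subtype action") is an assumption of this example.

```python
"""Parse the FortiGate standard (key=value) and CEF syslog formats into one record.

Added example, not part of the SEKOIA.IO page or of Fortinet's software.
The sample messages are constructed for illustration.
"""
import re

# Constructed samples: one standard-format message with a syslog PRI prefix, one CEF message.
SAMPLE_LINES = [
    '<189>date=2024-01-15 time=10:02:33 devname="fw-edge-01" devid="FG100ETK00000000" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=10.10.1.25 srcport=51234 dstip=203.0.113.7 dstport=443 proto=6 '
    'action="deny" policyid=0 service="HTTPS" msg="no matching policy"',
    'CEF:0|Fortinet|Fortigate|v7.0.0|0000000013|traffic:forward accept|3|'
    'deviceExternalId=FG100ETK00000000 src=10.10.1.30 spt=40000 dst=198.51.100.2 '
    'dpt=53 proto=17 act=accept cs1=root cs1Label=vd',
]

# key=value where the value is either a double-quoted string (with backslash escapes) or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_standard(message):
    """FortiOS standard format: space-separated key=value pairs, values optionally quoted."""
    body = re.sub(r'^<\d+>', '', message)  # drop the syslog PRI if present
    return {k: v.strip('"') for k, v in KV_RE.findall(body)}


CEF_HEADER = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")


def parse_cef(message):
    """CEF: seven pipe-separated header fields (pipes inside them are escaped as \\|),
    then key=value extensions whose values may contain spaces; a value runs until
    the next ' key=' token or the end of the line."""
    parts = re.split(r'(?<!\\)\|', message, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF message")
    record = dict(zip(CEF_HEADER, parts[:7]))
    record["cef_version"] = record["cef_version"][len("CEF:"):]
    for m in re.finditer(r'(\w+)=(.*?)(?=\s+\w+=|$)', parts[7]):
        record[m.group(1)] = m.group(2)
    return record


# The two vocabularies mapped onto one small normalised schema.
STANDARD_MAP = {"srcip": "src", "dstip": "dst", "dstport": "dport",
                "action": "action", "type": "type", "subtype": "subtype"}
CEF_MAP = {"src": "src", "dst": "dst", "dpt": "dport", "act": "action"}


def normalise(message):
    """Return {src, dst, dport, action, type, subtype, format} for either format."""
    if "CEF:" in message:
        raw = parse_cef(message[message.index("CEF:"):])  # skip any syslog header
        rec = {dst: raw.get(key) for key, dst in CEF_MAP.items()}
        # Assumption of this example: the CEF 'name' field reads "type:subtype action".
        kind = raw["name"].split(" ", 1)[0]
        rec["type"], _, rec["subtype"] = kind.partition(":")
        rec["format"] = "cef"
    else:
        raw = parse_standard(message)
        rec = {dst: raw.get(key) for key, dst in STANDARD_MAP.items()}
        rec["format"] = "standard"
    return rec


def denied_traffic(messages):
    """Normalised records for traffic the firewall denied, whatever format the appliance sent."""
    out = []
    for message in messages:
        rec = normalise(message)
        if rec.get("type") == "traffic" and rec.get("action") == "deny":
            out.append(rec)
    return out


if __name__ == "__main__":
    for rec in denied_traffic(SAMPLE_LINES):
        print(f"denied {rec['src']} -> {rec['dst']}:{rec['dport']} ({rec['format']})")
```

The point of the normalised record is that a detection written once (here, "traffic with action deny") keeps working whether the appliance was left on the rfc5424 standard format or switched to CEF with the commands above.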

Transport to SEKOIA.IO

Please consult the Rsyslog Transport documentation to forward these logs to SEKOIA.IO.