FortiGate firewalls are a complete appliance solution with a broad set of security functions. They run the FortiOS operating system.
The following table lists the data sources offered by this integration.
| Data source | Description |
|---|---|
| Traffic logs | FortiGate firewalls record logs of the traffic flowing through them. |
| Security logs | Security logs from FortiGate firewalls include intrusion prevention (IPS) records. |
| WAF logs | FortiWeb appliances and virtual appliances record web application firewall (WAF) information. |
| WAF URL access logs | The WAF information produced by FortiWeb units can record permitted URL accesses. |
| DNS logs | Both DNS queries and responses handled by the FortiGate DNS servers can be recorded. |
In this documentation we explain one way to collect FortiGate logs and send them to SEKOIA.IO:
- From the FortiGate appliance to an internal log concentrator (Rsyslog), which then forwards them to SEKOIA.IO
On FortiGate appliances, most of the important hardware and software activities that are relevant for security detection and analysis are logged in three categories.
- Traffic: local-out traffic, denied traffic, allowed traffic
Transport to the concentrator
The following prerequisites are needed in order to set up log concentration:
- Administrator rights on the FortiGate
- Network traffic from the FortiGate towards the Rsyslog server must be allowed on the syslog port used in the configuration below (514 in the example)
The first step is to configure the FortiGate to log the expected traffic. FortiOS can send log messages to remote syslog servers in its standard key=value format, in CSV, or in CEF (Common Event Format); all three formats are accepted by the SEKOIA.IO intake. Note that `set mode reliable` sends syslog over TCP rather than UDP, so the Rsyslog concentrator must listen on TCP. To enable syslog, log into the CLI and enter the following commands:
```
config log syslogd setting
    set status enable
    set port 514
    set mode reliable
    set server [IP address of syslog server]
    set facility user
    set format rfc5424
end
```
Most FortiGate features are enabled for logging by default. Make sure the traffic, web and URL filtering features are enabled for logging with the following commands:
```
config log syslogd filter
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    ....
    set vpn enable
    set web enable
    set url-filter enable
end
```
On some FortiGate appliances, the above configuration may not be possible through the command line. An alternative is to use the graphical interface and go to the Log Settings menu. From there you can select every logging option under Event Logging and Local Traffic Log except for the
If you prefer the CEF format, replace the `rfc5424` format set above with `cef` using the following commands:
```
config log syslogd setting
    set format cef
end
```
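Once the FortiGate is sending, the concentrator operator usually wants to confirm that records of each expected kind (forward traffic, local traffic, denied sessions) actually arrive, and in which format. The following Python script is an added example, not code from the original page nor from Fortinet or SEKOIA.IO: it parses FortiOS key=value records (with or without the RFC 5424 header selected by `set format rfc5424`) and CEF records (`set format cef`) into one common view, then lists denied connections and counts traffic records per subtype. The sample lines are constructed for this example; the exact RFC 5424 header layout and the CEF field names used in them are assumptions, not captured appliance output.

```python
import re

# Constructed sample records for this example (not captured from a real appliance).
SAMPLE_LINES = [
    # FortiOS key=value body behind an assumed RFC 5424 header (`set format rfc5424`)
    '<189>1 2023-03-01T10:15:32Z FGT-EXAMPLE - - - - '
    'date=2023-03-01 time=10:15:32 logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=10.0.0.5 srcport=51234 '
    'dstip=203.0.113.10 dstport=443 proto=6 action="deny" policyid=0 '
    'service="HTTPS" msg="Denied by policy"',
    # FortiOS key=value body without any syslog header (e.g. after rsyslog strips it)
    'date=2023-03-01 time=10:15:33 logid="0000000013" type="traffic" '
    'subtype="local" level="notice" vd="root" srcip=10.0.0.7 srcport=40000 '
    'dstip=10.0.0.1 dstport=443 proto=6 action="accept" policyid=0 service="HTTPS"',
    # Assumed CEF layout (`set format cef`): 7 pipe-separated header fields, then extensions
    'CEF:0|Fortinet|Fortigate|v7.0.0|0000000013|traffic:forward deny|5|'
    'cat=traffic:forward src=10.0.0.5 spt=51235 dst=203.0.113.11 dpt=22 '
    'proto=6 act=deny msg=Denied by policy',
]

# key=value where the value is either a double-quoted string or a run of non-blanks
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# CEF extension key=value; a value runs until the next " key=" or end of line
CEF_EXT_RE = re.compile(r'(\w+)=(.*?)(?=\s\w+=|$)')


def parse_fortios_kv(body):
    """Parse a FortiOS key=value body into a dict, unquoting quoted values."""
    fields = {}
    for key, value in KV_RE.findall(body):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def parse_cef(body):
    """Split a CEF:0 record into its header dict and extension dict.

    Escaped pipes (\\|) inside header fields are not handled; they are rare in
    FortiGate output and would need a proper tokenizer."""
    parts = body.split('|', 7)
    if len(parts) < 8 or parts[0] != 'CEF:0':
        raise ValueError('not a CEF:0 record')
    header = dict(zip(('version', 'vendor', 'product', 'device_version',
                       'signature_id', 'name', 'severity'), parts[:7]))
    extension = dict(CEF_EXT_RE.findall(parts[7]))
    return header, extension


def normalize(line):
    """Return a common view of one syslog line in either format, or None."""
    cef_at = line.find('CEF:0|')
    if cef_at != -1:
        header, ext = parse_cef(line[cef_at:])
        log_type, _, subtype = ext.get('cat', '').partition(':')
        return {'format': 'cef', 'type': log_type, 'subtype': subtype,
                'action': ext.get('act'), 'srcip': ext.get('src'),
                'dstip': ext.get('dst'), 'dstport': ext.get('dpt'),
                'logid': header['signature_id']}
    # The FortiOS body starts at its first field, whatever syslog header precedes it
    m = re.search(r'\bdate=\d{4}-\d{2}-\d{2}\b', line)
    if not m:
        return None
    kv = parse_fortios_kv(line[m.start():])
    return {'format': 'kv', 'type': kv.get('type'), 'subtype': kv.get('subtype'),
            'action': kv.get('action'), 'srcip': kv.get('srcip'),
            'dstip': kv.get('dstip'), 'dstport': kv.get('dstport'),
            'logid': kv.get('logid')}


def denied_connections(lines):
    """Denied traffic records as (srcip, dstip, dstport) tuples."""
    out = []
    for line in lines:
        rec = normalize(line)
        if rec and rec['type'] == 'traffic' and rec['action'] == 'deny':
            out.append((rec['srcip'], rec['dstip'], rec['dstport']))
    return out


def count_by_subtype(lines):
    """Count traffic records per subtype (forward, local, ...). A subtype that
    never shows up hints that its `set ...-traffic enable` filter is missing."""
    counts = {}
    for line in lines:
        rec = normalize(line)
        if rec and rec['type'] == 'traffic':
            counts[rec['subtype']] = counts.get(rec['subtype'], 0) + 1
    return counts


if __name__ == '__main__':
    for sample in SAMPLE_LINES:
        print(normalize(sample))
    print('denied:', denied_connections(SAMPLE_LINES))
    print('per subtype:', count_by_subtype(SAMPLE_LINES))
```

Feed it the file the concentrator writes (one record per line) instead of `SAMPLE_LINES` to check that both the forward and local subtypes enabled in the filter above are really being received before forwarding to SEKOIA.IO.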
Transport to SEKOIA.IO
Please consult the Rsyslog Transport documentation to forward these logs to SEKOIA.IO.