Fortinet Firewall
Firewalls monitor what is happening between your network and the rest of the world, and can monitor things such as how much data is being sent from which computer, where the data is going, and who is receiving the data.
The Fortinet Firewall event source allows InsightIDR to parse the following log types:
- Firewall
- VPN
- DHCP
- Virus
- IDS
Before You Begin
For some FortiGate firewalls, the administration console (UI) only allows you to configure one destination for syslog forwarding. Additional destinations for syslog forwarding must be configured from the command line. When configuring a syslog server, make sure the admin selects the option `CSV disable`. The following example shows how you can configure this setting (substitute `<port_above_1024>` and `<collector_ip_address>` with the appropriate values):

```
config log syslogd setting
    set status enable
    set format default
    set facility syslog
    set reliable disable
    set mode udp
    set port <port_above_1024>
    set server <collector_ip_address>
end
```
Use UDP or legacy TCP as your default protocol
The InsightIDR collector requires you to use the UDP or legacy TCP method to process events. The collector is unable to process events collected using the TCP protocol. The value for `reliable` determines which default protocol is used for syslog forwarding:
- `set reliable disable` uses UDP by default.
- `set reliable enable` uses TCP by default.
Instructions on how to configure additional destinations can be found here: https://docs.fortinet.com/document/fortigate/6.2.1/cli-reference/353620/log-syslogd-override-setting
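As an added example (not part of the Rapid7 or Fortinet documentation, and not InsightIDR's own parser), the following Python script shows what a FortiGate log line in the default (non-CSV) `key=value` format looks like once it reaches a collector, a quick check that a line is in that format rather than CSV, and a loopback test that a UDP datagram sent to a port the OS picks is received intact. The sample line is constructed: the field names (`devname`, `type`, `subtype`, `srcip`, and so on) are standard FortiGate log fields, but the device name, device ID, addresses and policy ID are placeholders.

```python
"""Added example: parse FortiGate default-format syslog lines and verify UDP
delivery over loopback. Not code from the Rapid7 or Fortinet documentation."""
import re
import socket

# One key=value pair; the value is either double-quoted (may contain spaces
# and escaped quotes) or a bare run of non-whitespace characters.
_KV_RE = re.compile(r'(\w+)=("((?:[^"\\]|\\.)*)"|(\S+))')

# Constructed sample line in FortiGate's default (CSV disabled) format. Field
# names are standard FortiGate log fields; every value here is made up.
SAMPLE_LINE = (
    '<189>date=2024-01-15 time=10:22:31 devname="fw-edge-01" devid="FGT-EXAMPLE" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" '
    'srcip=10.0.1.25 srcport=51234 dstip=203.0.113.10 dstport=443 proto=6 '
    'action="deny" policyid=12 msg="test message with spaces"'
)


def strip_priority(line):
    """Split off a leading syslog <PRI> field; return (pri or None, rest)."""
    m = re.match(r'<(\d{1,3})>(.*)', line, re.S)
    if m:
        return int(m.group(1)), m.group(2)
    return None, line


def parse_fortigate_default(line):
    """Parse a default-format FortiGate line into a dict of field -> value."""
    _, body = strip_priority(line)
    fields = {}
    for m in _KV_RE.finditer(body):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        fields[key] = quoted if quoted is not None else bare
    return fields


def looks_like_default_format(line, min_pairs=3):
    """True when the line carries key=value pairs (format default); a line
    produced with CSV enabled is comma separated and has none."""
    _, body = strip_priority(line)
    return sum(1 for _ in _KV_RE.finditer(body)) >= min_pairs


def udp_roundtrip(line, host="127.0.0.1", port=0, timeout=2.0):
    """Bind a UDP listener (port 0 asks the OS for a free port), send the line
    to it from a second socket, and return what the listener received. This
    models a collector receiving one syslog datagram over UDP."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.bind((host, port))
        listener.settimeout(timeout)
        bound_port = listener.getsockname()[1]
        sender.sendto(line.encode("utf-8"), (host, bound_port))
        data, _ = listener.recvfrom(65535)
        return data.decode("utf-8")
    finally:
        listener.close()
        sender.close()


if __name__ == "__main__":
    rec = parse_fortigate_default(SAMPLE_LINE)
    print(rec["type"], rec["subtype"], rec["srcip"], "->", rec["dstip"], rec["action"])
    print("default format:", looks_like_default_format(SAMPLE_LINE))
    print("udp loopback ok:", udp_roundtrip(SAMPLE_LINE) == SAMPLE_LINE)
```

The `looks_like_default_format` check is the one to run against a captured line when a FortiGate source shows up as unparsed: a comma-separated line with no `key=value` tokens means the syslog server was left with CSV enabled rather than the `format default` shown above.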
TIP
If your VPN is on the firewall, you do not need to configure an additional VPN syslog destination. One syslog configuration will work for both your firewall and your VPN.
Configure InsightIDR to collect data from the event source
After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.
To configure the new event source in InsightIDR:
- From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
- Do one of the following:
  - Search for Fortinet FortiGate Firewall, VPN, & Web Proxy in the event sources search bar.
  - In the Product Type filter, select Firewall.
- Select the Fortinet FortiGate Firewall, VPN, & Web Proxy event source tile.
- Name the event source. This name will be used to name the log that contains the event data in Log Search. If you do not name the event source, the log name defaults to Fortinet FortiGate Firewall.
- Select a collector.
- Choose the timezone that matches the location of your event source logs.
- Optionally, choose whether to send unparsed data.
- Configure your default domain and any Advanced Event Source Settings.
- Select a collection method and specify a port and a protocol.
  - Note: The collector is unable to process Fortinet Firewall events collected using the TCP protocol.
- Click Save.