Firewalls monitor what is happening between your network and the rest of the world, and can monitor things such as how much data is being sent from which computer, where the data is going, and who is receiving the data.
The Fortinet Firewall event source allows InsightIDR to parse the following log types:
Before You Begin
For some FortiGate firewalls, the administration console (UI) only allows you to configure one destination for syslog forwarding. Additional destinations for syslog forwarding must be configured from the command line. When configuring a syslog server, make sure the admin selects the option CSV disable. The following example shows how you can configure this setting (substitute <port_above_1024> and <collector_ip_address> with the appropriate values):
```
config log syslogd setting
    set status enable
    set format default
    set facility syslog
    set reliable disable
    set mode udp
    set port <port_above_1024>
    set server <collector_ip_address>
end
```
The value for reliable determines which default protocol is used for syslog forwarding:
- set reliable enable uses TCP by default
- set reliable disable uses UDP by default
Instructions on how to configure additional destinations can be found here: https://docs.fortinet.com/document/fortigate/6.2.1/cli-reference/353620/log-syslogd-override-setting
If your VPN is on the firewall, you do not need to configure an additional VPN syslog destination. One syslog configuration will work for both your firewall and your VPN.
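The settings above (set format default, with CSV disabled) make the firewall emit space-separated key=value lines rather than CSV rows, and a collector that receives the wrong format cannot parse them. The following added example, not part of this documentation or of any Rapid7 or Fortinet code, checks a received line for that format and extracts its fields; both sample lines are constructed for illustration.

```python
import re

# Constructed sample lines (not taken from the page or from a real device).
# KV_LINE is the shape FortiGate produces with "set format default":
# space-separated key=value pairs, values quoted when they contain spaces.
# CSV_LINE is the shape produced when CSV output is left enabled.
KV_LINE = ('date=2024-01-15 time=09:30:01 devname="fw-edge-01" devid="FGTEXAMPLE" '
           'logid="0000000013" type="traffic" subtype="forward" level="notice" '
           'srcip=10.0.0.5 srcport=51234 dstip=198.51.100.7 dstport=443 proto=6 '
           'action="accept" msg="example message with spaces"')
CSV_LINE = ('2024-01-15,09:30:01,"fw-edge-01","FGTEXAMPLE","0000000013","traffic",'
            '"forward","notice",10.0.0.5,51234,198.51.100.7,443,6,"accept"')

# A key, an equals sign, then either a double-quoted value (with backslash
# escapes allowed) or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(line):
    """Parse a key=value FortiGate line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def detect_format(line):
    """Return 'kv' for a parseable key=value line, 'csv' for a CSV-looking line,
    otherwise 'unknown'. 'csv' means the firewall is not configured as described."""
    fields = parse_kv(line)
    if 'type' in fields and 'logid' in fields:
        return 'kv'
    if line.count(',') >= 5 and '=' not in line.split(',')[0]:
        return 'csv'
    return 'unknown'


if __name__ == '__main__':
    for sample in (KV_LINE, CSV_LINE):
        print(detect_format(sample), parse_kv(sample).get('action'))
```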
How to Configure This Event Source
- From your dashboard, select Data Collection on the left-hand menu.
- When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
- From the “Security Data” section, click the Firewall icon. The “Add Event Source” panel appears.
- Choose your collector and event source. You can also name your event source if you want.
- Choose the timezone that matches the location of your event source logs.
- Optionally choose to send unparsed logs.
- Configure your default domain and any Advanced Event Source Settings.
- Select a collection method and specify a port and a protocol.
- If you chose TCP, optionally choose to Encrypt the event source by downloading the Rapid7 Certificate.
- Click Save.