Fortinet Firewall

Firewalls monitor what is happening between your network and the rest of the world, and can monitor things such as how much data is being sent from which computer, where the data is going, and who is receiving the data.

The Fortinet Firewall event source allows InsightIDR to parse the following log types:

  • Firewall
  • VPN
  • DHCP
  • Virus
  • IDS

Before You Begin

For some FortiGate firewalls, the administration console (UI) only allows you to configure one destination for syslog forwarding. Additional destinations for syslog forwarding must be configured from the command line. Make sure that when configuring a syslog server, the admin should select the option .CSV disable. The following example shows how you can configure this setting (substitute <port_above_1024> and <collector_ip_address> with the appropriate values):

 
1
config log syslogd setting
2
set status enable
3
set format default
4
set facility syslog
5
set reliable disable
6
set mode udp
7
set port <port_above_1024>
8
set server <collector_ip_address>
9
end

Use UDP or legacy TCP as your default protocol

The InsightIDR collector requires you to use the UDP or legacy TCP method to process events. The collector is unable to process events collected using the TCP protocol. The value for reliable determines which default protocol is used for syslog forwarding:

  • set reliable disable uses UDP by default.
  • set reliable enable uses TCP by default.

Instructions on how to configure additional destinations can be found here: https://docs.fortinet.com/document/fortigate/6.2.1/cli-reference/353620/log-syslogd-override-setting

TIP

If your VPN is on the firewall, you do not need to configure an additional VPN syslog destination. One syslog configuration will work for both your firewall and your VPN.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Fortinet FortiGate Firewall, VPN, & Web Proxy in the event sources search bar.
    • In the Product Type filter, select Firewall.
  3. Select the Fortinet FortiGate Firewall, VPN, & Web Proxy event source tile.
  4. Name the event source. This name will be used to name the log that contains the event data in Log Search. If you do not name the event source, the log name defaults to Fortinet FortiGate Firewall.
  5. Select a collector.
  6. Choose the timezone that matches the location of your event source logs.
  7. Optionally, choose whether to send unparsed data.
  8. Configure your default domain and any Advanced Event Source Settings.
  9. Select a collection method and specify a port and a protocol.
    • Note: The collector is unable to process Fortinet Firewall events collected using the TCP protocol.
  10. Click Save.