Firewalls monitor what is happening between your network and the rest of the world, and can monitor things such as how much data is being sent from which computer, where the data is going, and who is receiving the data.
The Fortinet Firewall event source allows InsightIDR to parse the following log types:
Before You Begin
For some FortiGate firewalls, the administration console (UI) only allows you to configure one destination for syslog forwarding. Additional destinations for syslog forwarding must be configured from the command line. Make sure that when configuring a syslog server, the admin should select the option
.CSV disable. The following example shows how you can configure this setting (substitute
<collector_ip_address> with the appropriate values):
1config log syslogd setting2set format default3set facility syslog4set reliable disable5set mode udp6set port <port_above_1024>7set server <collector_ip_address>8set status enable9end
The value for
reliable determines which default protocol is used for syslog forwarding:
set reliable enableuses TCP by default
set reliable disableuses UDP by default
Instructions on how to configure additional destinations can be found here: https://docs.fortinet.com/document/fortigate/6.2.1/cli-reference/353620/log-syslogd-override-setting
If your VPN is on the firewall, you do not need to configure an additional VPN syslog destination. One syslog configuration will work for both your firewall and your VPN.
How to Configure This Event Source
- From your dashboard, select Data Collection on the left hand menu.
- When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
- From the “Security Data” section, click the Firewall icon. The “Add Event Source” panel appears.
- Choose your collector and event source. You can also name your event source if you want.
- Choose the timezone that matches the location of your event source logs.
- Optionally choose to send unfiltered logs.
- Configure your default domain and any Advanced Event Source Settings.
- Select a collection method and specify a port and a protocol.
- Optionally choose to Encrypt the event source if choosing TCP by downloading the Rapid7 Certificate.
- Click Save.