Fortinet Firewall

Firewalls monitor what is happening between your network and the rest of the world, and can monitor things such as how much data is being sent from which computer, where the data is going, and who is receiving the data.

The Fortinet Firewall event source allows InsightIDR to parse the following log types:

  • Firewall
  • VPN
  • DHCP
  • Virus
  • IDS

Before You Begin

For some FortiGate firewalls, the administration console (UI) only allows you to configure one destination for syslog forwarding. Additional destinations for syslog forwarding must be configured from the command line. When configuring a syslog server, make sure the admin selects the option CSV disable. The following example shows how you can configure this setting (substitute <port_above_1024> and <collector_ip_address> with the appropriate values):

    config log syslogd setting
    set status enable
    set format default
    set facility syslog
    set reliable disable
    set mode udp
    set port <port_above_1024>
    set server <collector_ip_address>
    end

NOTE

The value for reliable determines which default protocol is used for syslog forwarding:

  • set reliable enable uses TCP by default
  • set reliable disable uses UDP by default

Instructions on how to configure additional destinations can be found here: https://docs.fortinet.com/document/fortigate/6.2.1/cli-reference/353620/log-syslogd-override-setting

TIP

If your VPN is on the firewall, you do not need to configure an additional VPN syslog destination. One syslog configuration will work for both your firewall and your VPN.
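To confirm that the firewall actually reaches the collector on the chosen UDP port and that CSV output is disabled (with format default the logs arrive as key=value pairs), the following added Python example, which is not part of this page and not Rapid7's or Fortinet's code, listens on a UDP port and classifies each datagram it receives. The sample lines, the device names and the port 5514 are constructed placeholders.

```python
import re
import socket

# Constructed sample lines (not captured from a real device). FortiOS "format default"
# emits space-separated key=value pairs; values may be double-quoted.
SAMPLE_DEFAULT = (
    '<189>date=2024-05-01 time=10:15:42 devname="fw-example" devid="FG-PLACEHOLDER" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" '
    'srcip=10.0.0.5 srcport=51234 dstip=192.0.2.10 dstport=443 action="accept"'
)
# What a line looks like when CSV output is left enabled: comma-separated values, no keys.
SAMPLE_CSV = "<189>2024-05-01,10:15:42,fw-example,FG-PLACEHOLDER,0000000013,traffic,forward,notice"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key, quoted value, unquoted value

def strip_pri(line):
    """Drop the syslog <PRI> prefix (e.g. <189>) if present."""
    return re.sub(r"^<\d{1,3}>", "", line, count=1)

def parse_fortigate_kv(line):
    """Return the key=value fields as a dict, or None if the line is not in that format."""
    body = strip_pri(line).strip()
    first_token = body.split(None, 1)[0] if body else ""
    if "=" not in first_token:  # CSV lines start with a bare date, not key=value
        return None
    fields = {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3))
              for m in KV_RE.finditer(body)}
    return fields if len(fields) >= 3 else None

def classify(line):
    """'default' when the line parses as key=value pairs, otherwise 'csv-or-unknown'."""
    return "default" if parse_fortigate_kv(line) is not None else "csv-or-unknown"

def listen_udp(port, count=5, bind_ip="0.0.0.0"):
    """Receive `count` datagrams on the collector port and classify each one.
    Returns a list of (source_ip, classification, parsed_fields) tuples."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        for _ in range(count):
            data, (src_ip, _) = sock.recvfrom(65535)
            line = data.decode("utf-8", errors="replace")
            results.append((src_ip, classify(line), parse_fortigate_kv(line)))
    return results

if __name__ == "__main__":
    # 5514 is a placeholder for the <port_above_1024> chosen on the firewall.
    for src_ip, kind, fields in listen_udp(5514, count=3):
        print(src_ip, kind, (fields or {}).get("type"))
```

Run the listener on a test host (or on the collector host with the collector stopped, since only one process can own the port), point the firewall's syslog destination at it, and any datagram reported as csv-or-unknown means the CSV option is still enabled on the device.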

How to Configure This Event Source

  1. From your dashboard, select Data Collection on the left-hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the Firewall icon. The “Add Event Source” panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unparsed logs.
  7. Configure your default domain and any Advanced Event Source Settings.
  8. Select a collection method and specify a port and a protocol.
    • If you choose TCP, you can optionally encrypt the event source by downloading the Rapid7 Certificate.
  9. Click Save.