Firewalls sit between your network and the rest of the world and record what crosses that boundary: how much data is being sent from which host, where it is going, and who is receiving it.
Before You Begin
For some FortiGate firewalls, the administration console (GUI) only allows you to configure one destination for syslog forwarding. Additional destinations must be configured from the command line. Make sure that when configuring a syslog server, the admin selects the option
Instructions on how to configure additional destinations can be found here.
How to Configure This Event Source
- From your dashboard, select Data Collection on the left hand menu
- At the top right of the page, select Add Data
- Select the Firewall icon from the Security Data section
- Select your collector, and optionally name your event source
- From the list of event source options, choose Fortinet Firewall
- Choose a timezone, or optionally display only US timezones
- Optionally choose to send unfiltered logs
- Configure any advanced event source settings.
- Select either Listen for Syslog or Log Aggregator; both require that you specify a port and a protocol. Optionally choose to Encrypt the event source; encryption is only available when the protocol is TCP
- If you choose to encrypt, select the "Download Certificate" button, which downloads Rapid7's CA certificate. The file is called Rapid7CA.pem; install it on the firewall so that it trusts the collector's TLS listener during log forwarding.
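The page leaves the CLI side to a link, so here is what the firewall end of the configuration above looks like. This is an added example, not part of the original page or of Fortinet's documentation: it defines a second syslog destination (the GUI only exposes the first) pointed at the collector over TCP so that the stream can be encrypted. The collector address 10.10.20.5, the port 6514 and the exact option names are assumptions; confirm them with `show log syslogd2 setting` on your FortiOS release.

```fortios
# Added example, not taken from the Rapid7 page or Fortinet docs.
# Assumptions: the InsightOps collector listens on 10.10.20.5:6514 (TCP,
# encrypted, matching the "Listen for Syslog" + Encrypt choice above), and
# this FortiOS build exposes the options below. syslogd (no suffix) is the
# destination the GUI manages; syslogd2..syslogd4 are CLI-only.
config log syslogd2 setting
    set status enable
    set server "10.10.20.5"
    set port 6514
    set mode reliable            # reliable = syslog over TCP (RFC 6587); required for TLS
    set enc-algorithm high       # TLS to the collector; use "disable" for a plain TCP/UDP source
    set facility local7
    set format default           # FortiGate key=value format, which the event source parses
end

# Plain UDP variant for an unencrypted event source on the default port
# (shown for contrast; configure one or the other for a given collector):
# config log syslogd3 setting
#     set status enable
#     set server "10.10.20.5"
#     set port 514
#     set mode udp
#     set enc-algorithm disable
# end

# Checks after applying the configuration:
show log syslogd2 setting                 # confirm the values actually committed
diagnose log test                         # emit test log messages through every enabled log target
diagnose sys session filter dport 6514    # then list sessions: a live TCP session to the
diagnose sys session list                 # collector means the TLS handshake succeeded
```

If `diagnose sys session list` shows no session to the collector after `diagnose log test`, the usual causes are the collector port not listening, a firewall policy between the management interface and the collector, or a TLS failure because the Rapid7CA.pem chain was not imported or the event source was created without Encrypt selected.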
Advanced Event Source Settings
Fallback Domain(s): If you have event sources running in a multi-domain environment, Rapid7 recommends configuring a fallback domain to resolve ambiguous user accounts. For instance, if your company operates in the US and in Canada, both locations have a user named "John Smith", and your main domain is company.com, your fallback domain could be company.ca, which allows InsightOps to attribute data to the correct user more accurately.