Fortinet Firewall

Overview

A firewall sits between your network and the rest of the world and logs the traffic that crosses it: how much data each host sends, where that data is going, and which host receives it. Forwarding those logs to a collector gives you that visibility in InsightOps.

Before You Begin

On some FortiGate firewalls, the administration console (UI) only allows you to configure one destination for syslog forwarding. Additional destinations must be configured from the command line. When configuring the syslog server, make sure CSV output is disabled (the "CSV disable" option): the collector expects the default key=value log format, and CSV lines cannot be parsed into fields.

Instructions on how to configure additional destinations can be found here.
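The practical consequence of the CSV setting is easiest to see at the collector. The following is an added example (not Rapid7's or Fortinet's code) that parses FortiGate syslog lines in the default key=value format and rejects CSV-formatted lines, so you can confirm from a packet capture or a local syslog listener that the firewall is sending what the event source expects. The sample log lines are constructed; device names, IDs and addresses are placeholders. On the FortiGate side the relevant CLI settings are `config log syslogd2 setting` (or `syslogd3`, `syslogd4`) with `set status enable`, `set server <collector-ip>` and `set csv disable`; newer FortiOS releases express the same choice as `set format default` instead of `set csv disable`, so check the CLI reference for your version.

```python
"""Check that FortiGate syslog lines arrive in the default key=value
format (not CSV) and extract the fields an analyst triages on.
Added example, not Rapid7 or Fortinet code. Sample lines are constructed."""
import re

# PRI header <N> at the start of each syslog line; N = facility*8 + severity
_PRI_RE = re.compile(r"^<(\d{1,3})>")
# key=value pairs; values are either "quoted" (may contain spaces) or bare tokens
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample input: two default-format lines and one CSV-format line
# (what you get if "set csv enable" is left on).
SAMPLE_LINES = [
    '<189>date=2019-05-10 time=11:37:47 devname="FGT60E-LAB" devid="FG60ETK00000000" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=10.1.100.11 srcport=52896 srcintf="port1" dstip=203.0.113.10 dstport=443 '
    'dstintf="wan1" action="accept" policyid=1 service="HTTPS" msg="Traffic log"',
    '<188>date=2019-05-10 time=11:38:02 devname="FGT60E-LAB" devid="FG60ETK00000000" '
    'logid="0100032002" type="event" subtype="system" level="warning" vd="root" '
    'user="admin" ui="https(10.1.100.5)" action="login" status="failed" '
    'reason="passwd_invalid" msg="Administrator admin login failed from '
    'https(10.1.100.5) because of invalid password"',
    # CSV output: values only, no key names, so nothing can be mapped to fields
    '<189>2019-05-10,11:37:47,FGT60E-LAB,FG60ETK00000000,0000000013,traffic,forward,'
    'notice,root,10.1.100.11,52896,port1,203.0.113.10,443,wan1,accept,1',
]


def parse_fortigate_line(line):
    """Return (facility, severity, fields) for a key=value FortiGate line.

    Raises ValueError for lines that are not in the expected format, which
    is what a CSV-formatted line looks like to the collector.
    """
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("missing syslog PRI header")
    pri = int(m.group(1))
    body = line[m.end():].strip()

    fields = {}
    for key, value in _KV_RE.findall(body):
        # strip surrounding quotes from quoted values
        fields[key] = value[1:-1] if value.startswith('"') else value

    # every FortiGate log, whatever the type, carries date and logid
    if "date" not in fields or "logid" not in fields:
        raise ValueError("not FortiGate key=value format (CSV still enabled?)")
    return pri // 8, pri % 8, fields


def summarize(lines):
    """Split lines into parsed triage records and rejected lines."""
    ok, bad = [], []
    for line in lines:
        try:
            _facility, severity, f = parse_fortigate_line(line)
        except ValueError as err:
            bad.append((line[:48], str(err)))
            continue
        ok.append({
            "devname": f.get("devname"),
            "type": f.get("type"),
            "subtype": f.get("subtype"),
            "srcip": f.get("srcip"),
            "dstip": f.get("dstip"),
            "user": f.get("user"),
            "action": f.get("action"),
            "severity": severity,
        })
    return ok, bad


if __name__ == "__main__":
    parsed, rejected = summarize(SAMPLE_LINES)
    for rec in parsed:
        print("OK ", rec)
    for prefix, reason in rejected:
        print("BAD", prefix, "...", reason)
```

Run it against lines captured from the collector's listening port (for example with `tcpdump` or a temporary syslog listener) rather than the constructed samples; any line that lands in the rejected list means the CSV setting on that syslog destination still needs to be disabled.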

How to Configure This Event Source

  1. From your dashboard, select Data Collection on the left-hand menu.
  2. At the top right of the page, select Add Data.
  3. Select the Firewall icon from the Security Data section.
  4. Select your collector, and optionally name your event source.
  5. From the list of event source options, choose Fortinet Firewall.
  6. Choose a timezone, or optionally display only US timezones.
  7. Optionally choose to send unfiltered logs.
  8. Configure any advanced event source settings.
  9. Select either Listen for Syslog or Log Aggregator; both require that you specify a port and a protocol. If you choose TCP, you can optionally encrypt the event source.
  10. If you choose to encrypt, select the "Download Certificate" button, which downloads Rapid7's certificate as a file named Rapid7CA.pem. This certificate allows InsightOps and the Fortinet Firewall to "trust" each other during log forwarding, so it must be available to the firewall when the encrypted syslog destination is configured.

Advanced Event Source Settings

Fallback Domain(s): If your event sources run in a multi-domain environment, Rapid7 recommends configuring a fallback domain so that user names that exist in more than one domain can still be resolved to the right account.

For instance, if your company has offices in the US and in Canada, both locations have a user named "John Smith", and your main domain is company.com, your fallback domain could be company.ca. This allows InsightOps to attribute data to the correct user more accurately.