Fortinet FortiGate Next-Generation Firewall

Modified on Wed, 29 May 2024 at 09:47 PM

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai Help Center and we'll get it updated.

 

This guide describes the steps required to configure FortiNet FortiGate next generation firewall to send syslog to the Samurai XDR. 

 


1) Configure the Samurai XDR application

  • Complete the FortiGate Next-Generation Firewall Integration from Samurai XDR Application


2) Configure FortiGate Next-Generation Firewall 

Complete the configuration from the FortiGate Next-Generation Firewall

  • Configure FortiGate Next-Generation Firewall 
  • Configure Log Settings for Each Security Features


mceclip0.png CLI commands may depend on Forti OS version. Refer to the relevant Fortinet documentation if needed.

mceclip0.png This guide assumes that you are not using the VDOM feature.

 

Configure the Samurai XDR Application

To complete the configuration to receive logs:

  1. Login to your Samurai XDR application tenant
  2. Click Telemetry > Integrations from the main menu
  3. Click Create
  4. In the Create Integration screen, find and select Fortinet FortiGate Next-Generation Firewall
  5. The screen will show the Telemetry Collection and parameters.
  6. Make note of the IP Address and Port on the screen, they will be used in the device configuration below.
  7. Click on Finish


Configure FortiGate Next-Generation Firewall 

Configure Syslog Forwarding Settings

Execute the CLI commands outlined in the FortiGate Next Generation Firewall documentation.


mceclip0.png FortiGate devices support multiple syslog destinations, in the example below we have shown the fourth (syslogd4).

config log syslogd4 setting
set status enable
set server [IP address of your Samurai XDR Collector]
  set mode reliable
  set port [Port number of your Secure Syslog Collector]
  set enc-algorithm high
unset source-ip
set format default
end
config log syslogd4 filter
set filter [see table 1]
set filter-type include
end

 

The following table shows the value indicating the send log for each security function.

Security FeaturesValue indicating the send log (One line each; no separator)
IPS/IDS Features"ips-level(information)"
IPS/IDS and AntiVirus Features"ips-level(information)virus-level(information)" 
IPS/IDS and AntiVirus Features and Web Filter Features"ips-level(information)virus-level(information)webfilter-level(information)" 

Table 1: Security Features Logs To Be Sent

 

Configure Log Settings for Each Security Features

Execute the CLI commands outlined in the FortiGate Next Generation Firewall documentation.

config firewall policy
edit [Policy ID]
...
set logtraffic [utm or all]
set logtraffic-start disable
...
next
end
config antivirus profile
edit [Profile Name]
...
set extended-log enable
...
next
end
config webfilter profile
edit [Profile Name]
...
set log-all-url disable
set web-content-log enable
set web-filter-activex-log enable
set web-filter-command-block-log enable
set web-filter-cookie-log enable
set web-filter-applet-log enable
set web-filter-jscript-log enable
set web-filter-js-log enable
set web-filter-vbs-log enable
set web-filter-unknown-log enable
set web-filter-refere-log enable
set web-filter-cookie-removal-log enable
set web-url-log enable
set web-invalid-domain-log enable
set web-ftgd-err-log enable
set web-ftgd-quota-usage enable
set extended-log enable
set web-extended-all-action-log enable
next
end
config ips sensor
edit [Sensor Name]
...
set extended-log enable
config entries
edit [ID]
set location all
set severity info low
set protocol all
set os all
set application all
set status [enable or default]
(please refer to the table below)
set log enable
set log-packet disable
set log-attack-context disable
set action [pass or block or reset or default]
(please refer to the table below)
...
next
edit [ID]
set location all
set severity medium high critical
set protocol allset os all
set application all
set status [enable or default]
(please refer to the table 2)
set log enable
set log-packet enable
set log-attack-context disable
set action [pass or block or reset or default]
(please refer to the table 2)
...

Tip: Ensure evaluation order of IPS sensor entries so that the above settings apply properly.

ActionStatus
pass or block or reset
enable
defaultdefault

Table 2: Matching Actions to Status

 

   

Once you have completed the configuration of your firewall to send logs to Samurai XDR, your integration will automatically be discovered once Samurai XDR starts receiving logs from your firewall.