
Fortinet Fortigate Integration Guide



Fortinet firewalls must be configured to send logs via syslog to the Taegis™ XDR Collector. Firewall logs are filtered and correlated in real-time for various security event observations, including correlation of denied traffic logs, port scanning, broad scanning, internal network outbreaks, peer-to-peer file sharing activity, and outbound traffic to known malicious IP addresses, including known APT target endpoints being monitored by the Secureworks Counter Threat Unit.

Follow the instructions below to configure log forwarding.

Connectivity Requirements

Source              Destination               Port/Protocol
Fortinet FortiGate  XDR Collector (mgmt IP)   UDP/514

Data Provided from Integration

  Antivirus Auth DHCP DNS Email Encrypt File HTTP Management Netflow NIDS Process Thirdparty
Fortigate Firewall V D   D     D   D     V

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Configuration Instructions

Fortinet FortiGate appliances must be configured to log security events and audit events.

Forwarding FortiGate Logs from FortiAnalyzer

FortiGate logs can be forwarded to an XDR Collector from FortiAnalyzer.

Follow the vendor's instructions to configure FortiAnalyzer to send FortiGate logs to XDR.

Use the XDR Collector IP address and port in the appropriate CLI commands.

Configure Syslog Server Settings on the FortiGate appliance

Configure syslog settings on the Fortinet FortiGate appliances to forward events to the XDR Collector.

Fortinet FortiGate appliances can have up to four syslog servers configured. If you are already using the first syslogd setting (config log syslogd setting), you can use syslogd2 (config log syslogd2 setting), syslogd3 (config log syslogd3 setting), or syslogd4 (config log syslogd4 setting) if needed.


#Enter "config log syslogd setting" or use "config log syslogd2|syslogd3|syslogd4 setting" if needed
myfortigate01 # config log syslogd setting
myfortigate01 (setting) # set status enable
myfortigate01 (setting) # set format default
myfortigate01 (setting) # set facility local5
myfortigate01 (setting) # set mode udp
Port changed to default (514)
myfortigate01 (setting) # set port 514
myfortigate01 (setting) # set server "XDR Collector IP Address"
myfortigate01 (setting) # end

Configure Syslog Filtering

To ensure all logs are sent to the XDR Collector, set the syslog severity level to information and enable every logging filter.

Note

The syslogd filters shown vary per FortiOS version. Enable all filters; any filter left disabled means XDR will not receive logs for that category.


#Enter "config log syslogd filter" or use "config log syslogd2|syslogd3|syslogd4 filter" if needed
myfortigate01 # config log syslogd filter
myfortigate01 (filter) # set severity information
myfortigate01 (filter) # set forward-traffic enable
myfortigate01 (filter) # set local-traffic enable
myfortigate01 (filter) # set multicast-traffic enable
myfortigate01 (filter) # set sniffer-traffic enable
myfortigate01 (filter) # set anomaly enable
myfortigate01 (filter) # set voip enable
myfortigate01 (filter) # end

Configure Syslog Event Filtering

The system event logs record management and device-specific activity, such as configuration changes, admin logins, or high availability (HA) events. Ensure that all system event log categories are enabled.

Important

If your Fortigate device is utilizing multiple VDOMs, you must perform this step on each VDOM.

Note

The categories shown vary per FortiOS version. Enable all categories; any category left disabled means XDR will not receive logs for it. Refer to the vendor's documentation for the categories supported by the config log eventfilter CLI command in your FortiOS version.


#"config vdom" and "edit (vdom_name)" commands are only required when multiple VDOMs are enabled
myfortigate01 # config vdom
myfortigate01 (vdom) # edit root
current vf=root:0
myfortigate01 (root) # config log eventfilter
myfortigate01 (eventfilter) # set event enable
myfortigate01 (eventfilter) # set system enable
myfortigate01 (eventfilter) # set vpn enable
myfortigate01 (eventfilter) # set user enable
myfortigate01 (eventfilter) # set router enable
myfortigate01 (eventfilter) # set wireless-activity enable
myfortigate01 (eventfilter) # set wan-opt enable
myfortigate01 (eventfilter) # set endpoint enable
myfortigate01 (eventfilter) # set ha enable
myfortigate01 (eventfilter) # set security-rating enable
myfortigate01 (eventfilter) # set fortiextender enable
myfortigate01 (eventfilter) # set connector enable
myfortigate01 (eventfilter) # end
myfortigate01 (root) # end
myfortigate01 #
#NOTE: Repeat preceding eventfilter steps for each VDOM

Configure Firewall Policies to Session-Start

In each policy, set logging to begin on session start. This allows Secureworks® Taegis™ XDR to correlate events from the beginning of a session.


#For each VDOM in place, edit each firewall policy and enable logging at session start
#Enter "config firewall policy" (precede it with "config vdom" and "edit (vdom_name)" when multiple VDOMs are enabled)
myfortigate01 (root) # config firewall policy
myfortigate01 (policy) # edit (id)   #policy ID number
myfortigate01 (id) # set logtraffic-start enable
myfortigate01 (id) # end

Note

The "set logtraffic-start enable" setting should also be applied to any new policy you create.

Configure Firewall Policy Logging

To log network traffic traversing the firewall, enable logging within each firewall policy rule.

Accept Traffic Logging Examples

CLI:


#"config vdom" and "edit (vdom_name)" commands are only required when multiple VDOMs are enabled
myfortigate01 # config vdom
myfortigate01 (vdom) # edit root
current vf=root:0
myfortigate01 (root) # config firewall policy
myfortigate01 (policy) # edit 1
myfortigate01 (1) # set logtraffic all
myfortigate01 (1) # end
NOTE: Repeat preceding steps for each Firewall Rule in each VDOM

Deny Traffic Logging Examples

CLI:


#"config vdom" and "edit (vdom_name)" commands are only required when multiple VDOMs are enabled
myfortigate01 # config vdom
myfortigate01 (vdom) # edit root
current vf=root:0
myfortigate01 (root) # config firewall policy
myfortigate01 (policy) # edit 2
myfortigate01 (2) # set logtraffic all
myfortigate01 (2) # end
NOTE: Repeat preceding steps for each Firewall Rule in each VDOM
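The following script is an added example; it is not part of the Taegis documentation and is not a Secureworks or Fortinet tool. Once the syslog server, syslog filter, event filter, and session-start settings above are in place, it shows how to check a sample of the lines arriving at the collector against them: that the PRI facility matches local5 (PRI 174 for an informational message), which syslogd filter and eventfilter categories have actually produced logs, and whether session-start records are present. The mapping from CLI filter names to the type/subtype fields, the use of action="start" for session-start traffic logs, and the sample log lines are assumptions and constructed data, not taken from this page or captured from a real device; confirm them against the log reference for your FortiOS version.

```python
"""Check FortiGate syslog lines against the forwarding settings described in the guide.

Added example, not part of the Taegis documentation or of any Fortinet tool.
"""
import re

# Syslog PRI = facility * 8 + severity (RFC 3164). The guide sets facility local5
# and severity "information"; every message from the device shares the facility
# part (PRI // 8 == 21) even though the severity varies per log level.
FACILITIES = {f"local{n}": 16 + n for n in range(8)}
SEVERITIES = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
              "warning": 4, "notification": 5, "information": 6, "debug": 7}

# ASSUMED mapping from the CLI filter names in the guide to the type/subtype
# values FortiGate writes into each log line. None means "any subtype".
SYSLOGD_FILTER_MAP = {
    "forward-traffic": ("traffic", "forward"),
    "local-traffic": ("traffic", "local"),
    "multicast-traffic": ("traffic", "multicast"),
    "sniffer-traffic": ("traffic", "sniffer"),
    "anomaly": ("anomaly", None),
    "voip": ("utm", "voip"),
}
EVENTFILTER_MAP = {
    "system": ("event", "system"), "vpn": ("event", "vpn"),
    "user": ("event", "user"), "router": ("event", "router"),
    "wireless-activity": ("event", "wireless"), "wan-opt": ("event", "wad"),
    "endpoint": ("event", "endpoint"), "ha": ("event", "ha"),
    "security-rating": ("event", "security-rating"),
    "fortiextender": ("event", "fortiextender"), "connector": ("event", "connector"),
}
CATEGORY_MAP = {**SYSLOGD_FILTER_MAP, **EVENTFILTER_MAP}

PRI_RE = re.compile(r"^<(\d{1,3})>")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare


def expected_pri(facility="local5", severity="information"):
    """PRI value a message with this facility/severity carries (local5/information -> 174)."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def parse_fortigate_line(line):
    """Split an optional <PRI> prefix and the key=value body into a dict ("_pri" holds the PRI)."""
    rec = {"_pri": None}
    m = PRI_RE.match(line)
    if m:
        rec["_pri"] = int(m.group(1))
        line = line[m.end():]
    for key, quoted, bare in KV_RE.findall(line):
        rec[key] = bare or quoted
    return rec


def filter_coverage(records):
    """Count how many records fall into each filter/eventfilter category from the guide."""
    counts = {cat: 0 for cat in CATEGORY_MAP}
    for rec in records:
        for cat, (ltype, subtype) in CATEGORY_MAP.items():
            if rec.get("type") == ltype and subtype in (None, rec.get("subtype")):
                counts[cat] += 1
    return counts


def missing_categories(records):
    """Categories that have produced no logs yet: a disabled filter or an idle feature."""
    return sorted(cat for cat, n in filter_coverage(records).items() if n == 0)


def session_start_count(records):
    """Traffic logs emitted at session start (assumed to carry action="start" when logtraffic-start is enabled)."""
    return sum(1 for r in records if r.get("type") == "traffic" and r.get("action") == "start")


def facility_mismatches(records, facility="local5"):
    """Indexes of records whose PRI facility differs from the one configured in the guide."""
    want = FACILITIES[facility]
    return [i for i, r in enumerate(records) if r["_pri"] is not None and r["_pri"] // 8 != want]


# Constructed sample lines in FortiGate key=value style (not captured from a real device).
SAMPLE_LINES = [
    '<174>date=2024-05-01 time=10:15:01 devname="myfortigate01" devid="FGT-CONSTRUCTED" type="traffic" subtype="forward" level="information" vd="root" srcip=10.10.1.25 srcport=51344 dstip=198.51.100.10 dstport=443 proto=6 action="start" policyid=1 service="HTTPS"',
    '<173>date=2024-05-01 time=10:15:02 devname="myfortigate01" devid="FGT-CONSTRUCTED" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.10.1.40 srcport=4455 dstip=203.0.113.7 dstport=23 proto=6 action="deny" policyid=2 service="TELNET"',
    '<173>date=2024-05-01 time=10:15:03 devname="myfortigate01" devid="FGT-CONSTRUCTED" type="traffic" subtype="local" level="notice" vd="root" srcip=10.10.1.25 dstip=10.10.1.1 dstport=443 proto=6 action="accept" service="HTTPS"',
    '<174>date=2024-05-01 time=10:16:00 devname="myfortigate01" devid="FGT-CONSTRUCTED" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" action="login" status="success"',
    '<173>date=2024-05-01 time=10:17:00 devname="myfortigate01" devid="FGT-CONSTRUCTED" type="event" subtype="vpn" level="notice" vd="root" logdesc="IPsec phase 1 status" action="negotiate" status="success"',
    '<190>date=2024-05-01 time=10:18:00 devname="fw-other" devid="FGT-CONSTRUCTED-2" type="event" subtype="user" level="information" vd="root" logdesc="Authentication success" user="alice" action="auth-logon"',
]

if __name__ == "__main__":
    recs = [parse_fortigate_line(l) for l in SAMPLE_LINES]
    print("expected PRI for local5/information:", expected_pri())
    for cat, n in filter_coverage(recs).items():
        print(f"{cat:18s} {n}")
    print("categories with no logs yet:", missing_categories(recs))
    print("session-start logs:", session_start_count(recs))
    print("records not using facility local5 (indexes):", facility_mismatches(recs))
```

On the sample data the last line is reported as a facility mismatch (PRI 190 is local7), which is what you would see from a firewall still pointing its syslogd setting at a different facility, and the categories with a zero count are the ones to look at first when a filter appears not to be forwarding.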
