🌙
 

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Fortinet Fortigate Integration Guide

integrations network fortinet


Fortinet firewalls must be configured to send logs via syslog to the Taegis™ XDR Collector. Firewall logs are filtered and correlated in real-time for various security event observations, including correlation of denied traffic logs, port scanning, broad scanning, internal network outbreaks, peer-to-peer file sharing activity, and outbound traffic to known malicious IP addresses, including known APT target endpoints being monitored by the Secureworks Counter Threat Unit.

Follow the instructions below to configure log forwarding.

Connectivity Requirements

Source Destination Port/Protocol
Fortinet FortiGate Taegis™ XDR Collector (mgmt IP) UDP/514

Data Provided from Integration

  Antivirus Auth DHCP DNS Email Encrypt File HTTP Management Netflow NIDS Process Thirdparty
Fortigate Firewall V D   D     D   D     V

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

Taegis™ XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Configuration Instructions

Fortinet FortiGate appliances must be configured to log security events and audit events.

Forwarding FortiGate Logs from FortiAnalyzer

FortiGate logs can be forwarded to a Taegis™ XDR Collector from FortiAnalyzer.

Follow the vendor's instructions here to configure FortiAnalyzer to send FortiGate logs to Taegis™ XDR.

Use the Taegis™ XDR Collector IP address and port in the appropriate CLI commands.

Configure Syslog Server Settings on the FortiGate appliance

Configure syslog settings on the Fortinet FortiGate appliances to forward events to the Taegis™ XDR Collector.

Fortinet FortiGate appliances can have up to four syslog servers configured. If you are already using the first syslogd setting (config log syslogd setting), you can use syslogd2 (config log syslogd2 setting), syslogd3 (config log syslogd3 setting), or syslogd4 (config log syslogd4 setting) if needed.


#Enter "config log syslogd setting" or use "config log syslogd2|syslogd3|syslogd4 setting" if needed
myfortigate01 # config log syslogd setting
myfortigate01 (setting) # set status enable
myfortigate01 (setting) # set format default
myfortigate01 (setting) # set facility local5
myfortigate01 (setting) # set mode udp
Port changed to default (514)
myfortigate01 (setting) # set port 514
myfortigate01 (setting) # set server "Taegis™ XDR Collector IP Address"
myfortigate01 (setting) # end

Configure Syslog Filtering

To ensure all logs are sent to the Taegis™ XDR Collector, syslog logging level should be set to informational and all logging filters should be set to enabled.

Note

The syslogd filters shown vary per FortiOS version. Enable all filters or we will not receive logs for that category.


#Enter "config log syslogd filter" or use "config log syslogd2|syslogd3|syslogd4 filter" if needed
myfortigate01 # config log syslogd filter
myfortigate01 (filter) # set severity information
myfortigate01 (filter) # set forward-traffic enable
myfortigate01 (filter) # set local-traffic enable
myfortigate01 (filter) # set multicast-traffic enable
myfortigate01 (filter) # set sniffer-traffic enable
myfortigate01 (filter) # set anomaly enable
myfortigate01 (filter) # set voip enable
myfortigate01 (filter) # end

Configure Syslog Event Filtering

The system event logs record management and device-specific activity events, such as configuration changes, admin log in, or high availability (HA) events. Ensure that all system event log categories are enabled.

Important

If your Fortigate device is utilizing multiple VDOMs, you must perform this step on each VDOM.

Note

The categories shown vary per FortiOS version. Enable all categories or we will not receive logs for that category. Reference the vendor's documentation for categories applicable to the config log eventfilter CLI command for your FortiOS version.


#"config vdom" and "edit (vdom_name) commands are only required when multiple VDOMs are enabled
myfortigate01 # config vdom
myfortigate01 # (vdom) # edit root
current vf=root:0
myfortigate01 (root) # config log eventfilter
myfortigate01 (eventfilter) # set event enable
myfortigate01 (eventfilter) # set system enable
myfortigate01 (eventfilter) # set vpn enable
myfortigate01 (eventfilter) # set user enable
myfortigate01 (eventfilter) # set router enable
myfortigate01 (eventfilter) # set wireless-activity enable
myfortigate01 (eventfilter) # set wan-opt enable
myfortigate01 (eventfilter) # set endpoint enable
myfortigate01 (eventfilter) # set ha enable
myfortigate01 (eventfilter) # set security-rating enable
myfortigate01 (eventfilter) # set fortiextender enable
myfortigate01 (eventfilter) # set connector enable
myfortigate01 (eventfilter) # end
myfortigate01 (root) # end
myfortigate01 #
#NOTE: Repeat preceding eventfilter steps for each VDOM

Configure Firewall Policies to Session-Start

In each policy, set logging to begin on session start. This allows Secureworks® Taegis™ XDR to correlate events from the beginning of a session.


#For each of the VDOMs in place, access each one of the policies
#Enter "config firewall policy"
swrx01uspvdfw04 (root) # config firewall policy
swrx01uspvdfw04 (root) # edit (id) #policy ID number
swrx01uspvdfw04 (root) # set logtraffic-start enable
swrx01uspvdfw04 (root) # end

Note

The "set logtraffic-start" setting should be enabled in any new policy.

Configure Firewall Policy Logging

To log network traffic traversing through the firewall, enable logging within each firewall policy rule.

Accept Traffic Logging Examples

CLI:


"config vdom" and "edit (vdom_name)" commands are only required when multiple VDOMs are enabled
myfortigate01 # config vdom
myfortigate01 # (vdom) # edit root
current vf=root:0
myfortigate01 (root) # config firewall policy
myfortigate01 (policy) # edit 1
myfortigate01 (1) # set logtraffic all
myfortigate01 (1) # end
NOTE: Repeat preceding steps for each Firewall Rule in each VDOM

Deny Traffic Logging Examples

CLI:


"config vdom" and "edit (vdom_name)" commands are only required when multiple VDOMs are enabled
myfortigate01 # config vdom
myfortigate01 # (vdom) # edit root
current vf=root:0
myfortigate01 (root) # config firewall policy
myfortigate01 (policy) # edit 2
myfortigate01 (2) # set logtraffic all
myfortigate01 (2) # end
NOTE: Repeat preceding steps for each Firewall Rule in each VDOM

 

On this page: