TEAM: Huntress SIEM
PRODUCT: Huntress Managed SIEM
ENVIRONMENT: Syslog
SUMMARY: Device Configuration Guide for Fortinet FortiGate firewalls
Device Configuration Checklist
Vendor Information
| Vendor | Fortinet |
|---|---|
| Supported Model Name/Number | FortiGate Firewall |
| Supported Software Version(s) | FortiOS 7.2.x, FortiOS 7.4.x, FortiOS 7.6.x |
| Collection Method | Syslog |
| Provider Name | Syslog-FortiGate |
| Additional Information | https://docs.fortinet.com/product/fortigate/7.6 and https://docs.fortinet.com/document/fortigate/7.6.0/fortios-log-message-reference/524940/introduction |
Device Configuration Checklist
- Configure the syslogd server config on the firewall through the CLI
  - Open the CLI console through the GUI, via SSH, or through the physical console port
  - Log in with a valid administrator account
  - Enter the following command to enter the syslogd config:

        config log syslogd setting

    Note: Multiple syslogd configs are supported. If the primary syslogd config is already in use for another destination, append a number (2, 3 or 4) to "syslogd" to select one of the other configs. Example:

        config log syslogd2 setting

  - Enter the following commands to configure syslogd:

        set format cef
        set server <IP of Huntress Agent>
        set status enable

  - Exit and save the config with the following command (FortiOS CLI keywords are lowercase):

        end

  - Verify the syslogd configuration with the following command:

        show log syslogd setting

- Configure the syslogd filter
  - Enter the following command to enter the syslogd filter config:

        config log syslogd filter

    Note: Append the same number to "syslogd" that was used in Step 1.
  - Enter the following commands to set the filter config:

        set severity information
        set anomaly enable
        set forward-traffic enable
        set local-traffic enable
        set multicast-traffic enable
        set sniffer-traffic enable
        set forti-switch disable
        set gtp enable
        set http-transaction enable
        set voip disable
        set ztna-traffic enable

  - Exit and save the config:

        end

  - Verify the syslogd filter configuration:

        show log syslogd filter
Example Log Messages
Traffic Log Message
Dec 27 11:07:55 FGT-A-LOG CEF: 0|Fortinet|Fortigate|v6.0.3|00013|traffic:forward close|3|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=0000000013 cat=traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=vdom1 FTNTFGTeventtime=1545937675 src=10.1.100.11 spt=54190 deviceInboundInterface=port12 FTNTFGTsrcintfrole=undefined dst=52.53.140.235 dpt=443 deviceOutboundInterface=port11 FTNTFGTdstintfrole=undefined FTNTFGTpoluuid=c2d460aa-fe6f-51e8-9505-41b5117dfdd4 externalId=402 proto=6 act=close FTNTFGTpolicyid=1 FTNTFGTpolicytype=policy app=HTTPS FTNTFGTdstcountry=United States FTNTFGTsrccountry=Reserved FTNTFGTtrandisp=snat sourceTranslatedAddress=172.16.200.1 sourceTranslatedPort=54190 FTNTFGTappid=40568 FTNTFGTapp=HTTPS.BROWSER FTNTFGTappcat=Web.Client FTNTFGTapprisk=medium FTNTFGTapplist=g-default FTNTFGTduration=2 out=3652 in=146668 FTNTFGTsentpkt=58 FTNTFGTrcvdpkt=105 FTNTFGTutmaction=allow FTNTFGTcountapp=2
Webfilter Log Message
Dec 27 11:23:49 FGT-A-LOG CEF: 0|Fortinet|Fortigate|v6.0.3|13056|utm:webfilter ftgd_blk blocked|4|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=0316013056 cat=utm:webfilter FTNTFGTsubtype=webfilter FTNTFGTeventtype=ftgd_blk FTNTFGTlevel=warning FTNTFGTvd=vdom1 FTNTFGTeventtime=1545938629 FTNTFGTpolicyid=1 externalId=764 duser=bob src=10.1.100.11 spt=59194 deviceInboundInterface=port12 FTNTFGTsrcintfrole=undefined dst=185.230.61.185 dpt=80 deviceOutboundInterface=port11 FTNTFGTdstintfrole=undefined proto=6 app=HTTP dhost=ambrishsriv.wixsite.com FTNTFGTprofile=g-default act=blocked FTNTFGTreqtype=direct request=/bizsquads out=96 in=0 deviceDirection=1 msg=URL belongs to a denied category in policy FTNTFGTmethod=domain FTNTFGTcat=26 requestContext=Malicious Websites FTNTFGTcrscore=60 FTNTFGTcrlevel=high
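Both CEF messages above share a fixed seven-field pipe-delimited header followed by a space-separated key=value extension whose values may themselves contain spaces (FTNTFGTdstcountry=United States, msg=URL belongs to a denied category in policy). The following parser is an added example, not Huntress or Fortinet code; it applies that rule to split a FortiGate CEF line into header and extension fields and flattens the fields an analyst triages first, using constructed samples trimmed from the page's two messages.

```python
import re

# Constructed samples, trimmed from the two FortiGate CEF messages shown on this page.
TRAFFIC = ("Dec 27 11:07:55 FGT-A-LOG CEF: 0|Fortinet|Fortigate|v6.0.3|00013|traffic:forward close|3|"
           "deviceExternalId=FGT5HD3915800610 cat=traffic:forward FTNTFGTlevel=notice "
           "src=10.1.100.11 spt=54190 dst=52.53.140.235 dpt=443 proto=6 act=close "
           "FTNTFGTdstcountry=United States FTNTFGTsrccountry=Reserved out=3652 in=146668")
WEBFILTER = ("Dec 27 11:23:49 FGT-A-LOG CEF: 0|Fortinet|Fortigate|v6.0.3|13056|utm:webfilter ftgd_blk blocked|4|"
             "deviceExternalId=FGT5HD3915800610 cat=utm:webfilter FTNTFGTlevel=warning duser=bob "
             "src=10.1.100.11 dst=185.230.61.185 dpt=80 dhost=ambrishsriv.wixsite.com act=blocked "
             "request=/bizsquads msg=URL belongs to a denied category in policy "
             "FTNTFGTmethod=domain requestContext=Malicious Websites FTNTFGTcrlevel=high")

HEADER_FIELDS = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")
# A key is a run of word characters followed by '='. A value runs until the next
# " key=" or the end of the line, so values with spaces ("United States") stay intact.
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_fortigate_cef(line):
    """Split a FortiGate CEF syslog line into syslog prefix, CEF header and extension dict."""
    prefix, sep, cef = line.partition("CEF:")
    if not sep:
        raise ValueError("not a CEF message")
    parts = cef.strip().split("|", 7)  # seven header fields, then the extension blob
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = dict(zip(HEADER_FIELDS, parts[:7]))
    extension = {k: v.strip() for k, v in _EXT_RE.findall(parts[7])}
    return {"syslog_prefix": prefix.strip(), "header": header, "extension": extension}

def summarize(parsed):
    """Flatten the fields an analyst triages first; 'blocked' is True for UTM denies."""
    h, e = parsed["header"], parsed["extension"]
    return {
        "device": e.get("deviceExternalId"),
        "category": e.get("cat"),
        "level": e.get("FTNTFGTlevel"),
        "severity": int(h["severity"]),
        "user": e.get("duser"),
        "src": e.get("src"), "dst": e.get("dst"), "dpt": e.get("dpt"),
        "action": e.get("act"),
        "blocked": h["name"].startswith("utm:") and e.get("act") == "blocked",
        "msg": e.get("msg"),
    }
```

The extension regex assumes unescaped values, which matches the samples here; messages that carry CEF-escaped `\=` inside a value need an extra unescape step.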