TEAM: Huntress Managed Security Information and Event Management (SIEM)
PRODUCT: SIEM Syslog
ENVIRONMENT: Fortinet FortiGate
SUMMARY: Configuration Guide for Fortinet FortiGate firewalls (CEF format)
This page only covers the device-specific configuration; you'll still need to read the Huntress Managed SIEM Syslog Guide to complete the Huntress Managed SIEM setup, as well as open a port in Microsoft Defender Firewall.
Vendor Information
| Vendor | Fortinet |
|---|---|
| Supported Model Name/Number | FortiGate Firewall |
| Supported Software Version(s) | FortiOS 7.2.x, FortiOS 7.4.x, FortiOS 7.6.x |
| Collection Method | Syslog |
| Provider Name | Syslog-FortiGate |
| Additional Information | https://docs.fortinet.com/product/fortigate/7.6 and https://docs.fortinet.com/document/fortigate/7.6.0/fortios-log-message-reference/524940/introduction |
Device Configuration Checklist
- Configure the syslogd (syslog daemon) server config on the firewall through the CLI (Command Line Interface)
  - Open the CLI console through the GUI, SSH, or the physical console port
  - Log in with a valid administrator account
  - Enter the following command to enter the syslogd config:
      config log syslogd setting
    Note: Multiple syslogd configs are supported. If the primary is used for other purposes, adding a number (2, 3, 4) to syslogd designates the other configs. Example:
      config log syslogd2 setting
  - Enter the following commands to configure syslogd:
      set status enable
      set format cef
      set server <IP of Huntress Agent>
  - Exit and save the config using the following command (FortiOS CLI keywords are lowercase):
      end
  - Verify the syslogd configuration with the following command:
      show log syslogd setting
Some commands below may return an error code similar to "return code -61". This is likely due to that particular feature not being enabled or licensed on your FortiGate device, and is okay to ignore. If you suspect this message was returned in error, please contact Fortinet support.
- Configure the syslogd filter
  - Enter the following command to enter the syslogd filter config:
      config log syslogd filter
    Note: Add a number to "syslogd" to match the configuration used in Step 1.
  - Enter the following commands to set the filter config:
      set severity information
      set anomaly enable
      set forward-traffic enable
      set local-traffic enable
      set multicast-traffic enable
      set sniffer-traffic enable
      set forti-switch disable
      set gtp enable
      set http-transaction enable
      set voip disable
      set ztna-traffic enable
  - Exit and save the config:
      end
  - Verify the syslogd filter configuration:
      show log syslogd filter
- Enable logging of CLI commands
  - Enter the following command to enter the global config:
      config system global
  - Enter the following command to enable CLI command logging:
      set cli-audit-log enable
  - Exit and save the config:
      end
Example Log Messages
Traffic Log Message
Dec 27 11:07:55 FGT-A-LOG CEF: 0|Fortinet|Fortigate|v6.0.3|00013|traffic:forward close|3|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=0000000013 cat=traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=vdom1 FTNTFGTeventtime=1545937675 src=10.1.100.11 spt=54190 deviceInboundInterface=port12 FTNTFGTsrcintfrole=undefined dst=52.53.140.235 dpt=443 deviceOutboundInterface=port11 FTNTFGTdstintfrole=undefined FTNTFGTpoluuid=c2d460aa-fe6f-51e8-9505-41b5117dfdd4 externalId=402 proto=6 act=close FTNTFGTpolicyid=1 FTNTFGTpolicytype=policy app=HTTPS FTNTFGTdstcountry=United States FTNTFGTsrccountry=Reserved FTNTFGTtrandisp=snat sourceTranslatedAddress=172.16.200.1 sourceTranslatedPort=54190 FTNTFGTappid=40568 FTNTFGTapp=HTTPS.BROWSER FTNTFGTappcat=Web.Client FTNTFGTapprisk=medium FTNTFGTapplist=g-default FTNTFGTduration=2 out=3652 in=146668 FTNTFGTsentpkt=58 FTNTFGTrcvdpkt=105 FTNTFGTutmaction=allow FTNTFGTcountapp=2
Webfilter Log Message
Dec 27 11:23:49 FGT-A-LOG CEF: 0|Fortinet|Fortigate|v6.0.3|13056|utm:webfilter ftgd_blk blocked|4|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=0316013056 cat=utm:webfilter FTNTFGTsubtype=webfilter FTNTFGTeventtype=ftgd_blk FTNTFGTlevel=warning FTNTFGTvd=vdom1 FTNTFGTeventtime=1545938629 FTNTFGTpolicyid=1 externalId=764 duser=bob src=10.1.100.11 spt=59194 deviceInboundInterface=port12 FTNTFGTsrcintfrole=undefined dst=185.230.61.185 dpt=80 deviceOutboundInterface=port11 FTNTFGTdstintfrole=undefined proto=6 app=HTTP dhost=ambrishsriv.wixsite.com FTNTFGTprofile=g-default act=blocked FTNTFGTreqtype=direct request=/bizsquads out=96 in=0 deviceDirection=1 msg=URL belongs to a denied category in policy FTNTFGTmethod=domain FTNTFGTcat=26 requestContext=Malicious Websites FTNTFGTcrscore=60 FTNTFGTcrlevel=high
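The two messages above follow the CEF layout FortiGate emits once `set format cef` is active: a syslog prefix, a `CEF:` marker, seven pipe-separated header fields, then a space-separated `key=value` extension in which values such as `FTNTFGTdstcountry=United States` and the `msg` text contain spaces. The following parser is an added example (not Huntress or Fortinet code) that splits such a record correctly and flags blocked web-filter hits; the sample lines are constructed, abbreviated copies of the two messages on this page.

```python
import re
from typing import Dict

# Constructed sample lines, abbreviated from the two example messages above
# (same header layout and key names; some extension keys dropped for brevity).
TRAFFIC = ("Dec 27 11:07:55 FGT-A-LOG CEF: 0|Fortinet|Fortigate|v6.0.3|00013|"
           "traffic:forward close|3|deviceExternalId=FGT5HD3915800610 "
           "cat=traffic:forward src=10.1.100.11 spt=54190 dst=52.53.140.235 "
           "dpt=443 proto=6 act=close FTNTFGTdstcountry=United States "
           "FTNTFGTsrccountry=Reserved out=3652 in=146668")
WEBFILTER = ("Dec 27 11:23:49 FGT-A-LOG CEF: 0|Fortinet|Fortigate|v6.0.3|13056|"
             "utm:webfilter ftgd_blk blocked|4|deviceExternalId=FGT5HD3915800610 "
             "cat=utm:webfilter duser=bob src=10.1.100.11 dst=185.230.61.185 "
             "dhost=ambrishsriv.wixsite.com act=blocked "
             "msg=URL belongs to a denied category in policy "
             "requestContext=Malicious Websites FTNTFGTcrlevel=high")

HEADER = ("cef_version", "vendor", "product", "version",
          "signature_id", "name", "severity")

# Extension values may contain spaces ("United States", the msg text), so a new
# key=value pair starts only at a space that is immediately followed by "key=".
_PAIR_BOUNDARY = re.compile(r" (?=[A-Za-z0-9_]+=)")


def parse_cef(line: str) -> Dict[str, str]:
    """Parse a syslog line carrying a CEF record into a flat dict.
    Assumes no escaped pipes in the header; CEF "\\=" / "\\\\" value escapes are decoded."""
    prefix, sep, body = line.partition("CEF:")
    if not sep:
        raise ValueError("no CEF record in line")
    parts = body.strip().split("|", 7)  # 7 header fields, then the extension
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    record = dict(zip(HEADER, parts[:7]))
    record["syslog_prefix"] = prefix.strip()
    for pair in _PAIR_BOUNDARY.split(parts[7]):
        key, _, value = pair.partition("=")
        record[key] = value.replace("\\=", "=").replace("\\\\", "\\")
    return record


def blocked_malicious_site(record: Dict[str, str]) -> bool:
    """True when FortiGate's web filter blocked a 'Malicious Websites' hit."""
    return (record.get("cat") == "utm:webfilter"
            and record.get("act") == "blocked"
            and record.get("requestContext") == "Malicious Websites")
```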