Skip to main content

Syslog - Fortinet FortiGate Firewall

Jason Phelps
  • Updated

TEAM: Huntress Managed Security Information and Event Management (SIEM)
PRODUCT: SIEM Syslog
ENVIRONMENT: Fortinet FortiGate
SUMMARY: Configuration Guide for Fortinet FortiGate firewalls (CEF format)

This page only covers the device-specific configuration, you'll still need to read Huntress Managed SIEM Syslog Guide to complete the Huntress Managed SIEM setup as well as opening a port in Microsoft Defender Firewall.

 

Vendor Information

Vendor

Fortinet

Supported Model Name/Number

FortiGate Firewall

Supported Software Version(s)

FortiOS 7.2.x, FortiOS 7.4.x, FortiOS 7.6.x

Collection Method

Syslog

Provider Name

Syslog-FortiGate 

Additional Information

7.6.3 Log Settings and Targets Documentation
Note: Select the version dropdown to change the page to your version of the documentation.

FortIOS CEF Formatted Message Guide

 

Please note that Huntress provides third party vendor instructions as a best effort to expedite onboarding. Vendor documentation and versions frequently change and so it may be necessary to find the appropriate documentation for syslog logging for your version of the vendor software or service.

CEF is the only format we currently support and parse. Our Smart Filtering capabilities will not work if the Syslog format is not set to CEF.

 

Please note the link in the Vendor Links above to the latest documentation at the time of this writing.

Device Configuration Checklist

Configure syslogd server config 

  1. Open FortiGate CLI (Command Line Interface) console through the GUI, SSH, or physical console port
  2. Log in with a valid administrator account
  3. Enter the following command to enter the syslogd config
    • config log syslogd setting
    • Note: Multiple syslogd configs are supported. If the primary is used for other purposes, adding a number (2,3,4) to syslogd designates other configs. Example: config log syslogd2 setting
  4. Enter the following commands to configure syslogd
    • set status enable
    • set format cef
    • set server <Internal IP of Huntress Agent>
  5. Exit and save config using the following command
    • end
  6. Verify the syslogd configuration with the following command:
    • show log syslogd setting

Please note that Huntress SIEM does not support FortiGates "reliable mode", TLS, or encrypted syslog messages!

Some commands below may return an error code similar to "return code -61". This is likely due to that particular feature not being enabled or licensed on your FortiGate device, and is okay to ignore. If you suspect this message was returned in error, please contact Fortinet support.

 

Configure the syslogd filter

  1. From the ForiGate CLI:
  2. Enter the following command to enter the syslogd filter config
    • config log syslogd filter
      1. Note: Add a number to “syslogd” to match the configuration used in Step 1.
  3. Enter the following commands to set the filter config
    • set severity information
    • set anomaly enable
    • set forward-traffic enable
    • set local-traffic enable
    • set multicast-traffic enable
    • set sniffer-traffic enable
    • set forti-switch disable
    • set gtp enable
    • set http-transaction enable
    • set voip disable
    • set ztna-traffic enable
  4. Exit and save the config
    • end
  5. Verify the syslogd filter configuration
    • show log syslogd filter
  6. Enable logging of CLI commands
    1. Enter the following command to enter the global config
      • config system global
    2. Enter the following command to enable CLI command logging
      • set cli-audit-log enable
    3. Exit and save the config
      • end

 

Example Log Messages

 

Traffic Log Message

Dec 27 11:07:55 FGT-A-LOG CEF: 0|Fortinet|Fortigate|v6.0.3|00013|traffic:forward close|3|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=0000000013 cat=traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=vdom1 FTNTFGTeventtime=1545937675 src=10.1.100.11 spt=54190 deviceInboundInterface=port12 FTNTFGTsrcintfrole=undefined dst=52.53.140.235 dpt=443 deviceOutboundInterface=port11 FTNTFGTdstintfrole=undefined FTNTFGTpoluuid=c2d460aa-fe6f-51e8-9505-41b5117dfdd4 externalId=402 proto=6 act=close FTNTFGTpolicyid=1 FTNTFGTpolicytype=policy app=HTTPS FTNTFGTdstcountry=United States FTNTFGTsrccountry=Reserved FTNTFGTtrandisp=snat sourceTranslatedAddress=172.16.200.1 sourceTranslatedPort=54190 FTNTFGTappid=40568 FTNTFGTapp=HTTPS.BROWSER FTNTFGTappcat=Web.Client FTNTFGTapprisk=medium FTNTFGTapplist=g-default FTNTFGTduration=2 out=3652 in=146668 FTNTFGTsentpkt=58 FTNTFGTrcvdpkt=105 FTNTFGTutmaction=allow FTNTFGTcountapp=2

 

Webfilter Log Message

Dec 27 11:23:49 FGT-A-LOG CEF: 0|Fortinet|Fortigate|v6.0.3|13056|utm:webfilter ftgd_blk blocked|4|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=0316013056 cat=utm:webfilter FTNTFGTsubtype=webfilter FTNTFGTeventtype=ftgd_blk FTNTFGTlevel=warning FTNTFGTvd=vdom1 FTNTFGTeventtime=1545938629 FTNTFGTpolicyid=1 externalId=764 duser=bob src=10.1.100.11 spt=59194 deviceInboundInterface=port12 FTNTFGTsrcintfrole=undefined dst=185.230.61.185 dpt=80 deviceOutboundInterface=port11 FTNTFGTdstintfrole=undefined proto=6 app=HTTP dhost=ambrishsriv.wixsite.com FTNTFGTprofile=g-default act=blocked FTNTFGTreqtype=direct request=/bizsquads out=96 in=0 deviceDirection=1 msg=URL belongs to a denied category in policy FTNTFGTmethod=domain FTNTFGTcat=26 requestContext=Malicious Websites FTNTFGTcrscore=60 FTNTFGTcrlevel=high

 

Related articles