Skip to main content

Syslog - Fortinet FortiGate Firewall

Jason Phelps
  • Updated

TEAM: Huntress Managed Security Information and Event Management (SIEM)
PRODUCT: SIEM Syslog
ENVIRONMENT: Fortinet FortiGate
SUMMARY: Configuration Guide for Fortinet FortiGate firewalls (CEF format)

This page only covers the device-specific configuration, you'll still need to read Huntress Managed SIEM Syslog Guide to complete the Huntress Managed SIEM setup as well as opening a port in Microsoft Defender Firewall.

Vendor Information

Vendor

Fortinet

Supported Model Name/Number

FortiGate Firewall

Supported Software Version(s)

FortiOS 7.2.x, FortiOS 7.4.x, FortiOS 7.6.x

Collection Method

Syslog

Provider Name

Syslog-FortiGate 

Additional Information

https://docs.fortinet.com/product/fortigate/7.6

https://docs.fortinet.com/document/fortigate/7.6.0/fortios-log-message-reference/524940/introduction

 

Device Configuration Checklist

    1. Configure syslogd (syslog daemon) server config on firewall through CLI (Command Line Interface)

      1. Open CLI console through the GUI, SSH, or physical console port

      2. Log in with a valid administrator account

      3. Enter the following command to enter the syslogd config

        • config log syslogd setting

        • Note: Multiple syslogd configs are supported. If the primary is used for other purposes, adding a number (2,3,4) to syslogd designates other configs. Example: config log syslogd2 setting

      4. Enter the following commands to configure syslogd

        • set status enable

        • set format cef

        • set server <IP of Huntress Agent>

      5. Exit and save config using the following command

        • End

      6. Verify the syslogd configuration with the following command:

        • show log syslogd setting

Some commands below may return an error code similar to "return code -61". This is likely due to that particular feature not being enabled or licensed on your FortiGate device, and is okay to ignore. If you suspect this message was returned in error, please contact Fortinet support.

  1. Configure the syslogd filter

    1. Enter the following command to enter the syslogd filter config

      • config log syslogd filter

        1. Note: Add a number to “syslogd” to match the configuration used in Step 1.

    2. Enter the following commands to set the filter config

      • set severity information
      • set anomaly enable
      • set forward-traffic enable
      • set local-traffic enable
      • set multicast-traffic enable
      • set sniffer-traffic enable
      • set forti-switch disable
      • set gtp enable
      • set http-transaction enable
      • set voip disable
      • set ztna-traffic enable

    3. Exit and save the config

      • End

    4. Verify the syslogd filter configuration

      • show log syslogd filter

  2. Enable logging of CLI commands

    1. Enter the following command to enter the global config

      • config system global

    2. Enter the following command to enable CLI command logging

      • set cli-audit-log enable

    3. Exit and save the config

      • End

 

Example Log Messages

 

Traffic Log Message

Dec 27 11:07:55 FGT-A-LOG CEF: 0|Fortinet|Fortigate|v6.0.3|00013|traffic:forward close|3|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=0000000013 cat=traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=vdom1 FTNTFGTeventtime=1545937675 src=10.1.100.11 spt=54190 deviceInboundInterface=port12 FTNTFGTsrcintfrole=undefined dst=52.53.140.235 dpt=443 deviceOutboundInterface=port11 FTNTFGTdstintfrole=undefined FTNTFGTpoluuid=c2d460aa-fe6f-51e8-9505-41b5117dfdd4 externalId=402 proto=6 act=close FTNTFGTpolicyid=1 FTNTFGTpolicytype=policy app=HTTPS FTNTFGTdstcountry=United States FTNTFGTsrccountry=Reserved FTNTFGTtrandisp=snat sourceTranslatedAddress=172.16.200.1 sourceTranslatedPort=54190 FTNTFGTappid=40568 FTNTFGTapp=HTTPS.BROWSER FTNTFGTappcat=Web.Client FTNTFGTapprisk=medium FTNTFGTapplist=g-default FTNTFGTduration=2 out=3652 in=146668 FTNTFGTsentpkt=58 FTNTFGTrcvdpkt=105 FTNTFGTutmaction=allow FTNTFGTcountapp=2

 

Webfilter Log Message

Dec 27 11:23:49 FGT-A-LOG CEF: 0|Fortinet|Fortigate|v6.0.3|13056|utm:webfilter ftgd_blk blocked|4|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=0316013056 cat=utm:webfilter FTNTFGTsubtype=webfilter FTNTFGTeventtype=ftgd_blk FTNTFGTlevel=warning FTNTFGTvd=vdom1 FTNTFGTeventtime=1545938629 FTNTFGTpolicyid=1 externalId=764 duser=bob src=10.1.100.11 spt=59194 deviceInboundInterface=port12 FTNTFGTsrcintfrole=undefined dst=185.230.61.185 dpt=80 deviceOutboundInterface=port11 FTNTFGTdstintfrole=undefined proto=6 app=HTTP dhost=ambrishsriv.wixsite.com FTNTFGTprofile=g-default act=blocked FTNTFGTreqtype=direct request=/bizsquads out=96 in=0 deviceDirection=1 msg=URL belongs to a denied category in policy FTNTFGTmethod=domain FTNTFGTcat=26 requestContext=Malicious Websites FTNTFGTcrscore=60 FTNTFGTcrlevel=high

 

Related articles