About The Device
FortiGate combines a number of security features to protect your network from threats. As a whole, these features, when included in a single Fortinet security appliance, are referred to as Unified Threat Management (UTM).
Device Information
Entity | Particulars |
---|---|
Vendor Name | Fortinet |
Product Name | Next-Generation Firewall (NGFW) |
Type of Device | OnPrem |
Collection Method
Ingestion label | Preferred Logging Protocol | Log Collection Method |
---|---|---|
FORTINET_FIREWALL | Syslog | CyberHub |
Port Requirements
Source | Destination | Port |
---|---|---|
Fortinet NGFW | CyberHub | 601 (TCP) |
Fortianalyzer | CyberHub | 514 (UDP) |
Device Configuration
To configure Fortigate to send logs to CyberHub
Log in to FortiGateUTM.
Log in to Command Line Interface, and enter the following commands:
To enable the extended logs, enter the following commands (This is applicable to FortiGate v5.0 and it is optional configuration):
config log syslogd setting set status enable Users who have configuring syslogd for the first time must enable the status for enabling syslogd, else this step is not needed. set facility <local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7> It is recommended to use facility from local0 to local7 for informational log. Set port 601 set reliable enable set server <ip_address of CyberHub/FortiAnalyzer> end Config antivirus profile Edit default Set extended-utm-log enable end Config application Edit default Set extended-utm-log enable end Config webfilter Edit default Set extended-utm-log enable end Config spamfilter Edit default Set extended-utm-log enable end Config dlp Edit default Set extended-utm-log enable end Config ips Edit default Set extended-utm-log enable end
To configure FortiAnalyzer to send logs to CyberHub
Run the following commands:
config system aggregation-client edit 1 set mode realtime [Note: #mode is set to realtime, so that the realtime events can be forwarded to the CyberHub] set fwd-remote-server syslog [Note: #Real time syslog traffic is configured to forward to a remote server] set server-ip <CyberHub IP> [Note: #CyberHub IP has to be given here] set server-name <"name "> [Note: #The name of the CyberHub server , its user defined>] set server-port <server port : 514> next end
Integration Parameters
Parameters required from customer for Integration.
Property | Default Value | Description |
---|---|---|
IP Address | Fortinet interface IP address | List of logging device IP address / Hostname details shared in the Techstack. Note: If the device sends logs using multiple interfaces, contact the onboarding team. |