Configuring FortiGate Security Gateway to forward events
To forward Fortinet FortiGate Security Gateway events to Chronicle, you must configure syslog forwarding on the appliance so that it sends its logs to the forwarder. This can be done from the CLI or from the web GUI; both procedures are described below.
- Log in to the command line (CLI) on your Fortinet FortiGate Security Gateway appliance.
- Type the following commands, in order, replacing the placeholder values (xx.xx.xx.xx) with values that suit your environment.
- Firewall - Forti:
show full-configuration | grep -f syslogd
config log syslogd2 setting
set status enable
set server "xx.xx.xx.xx" (Forwarder IP)
set mode udp
set port 11588 (Note: this port needs to be verified with Netenrich Support)
set facility local6
set source-ip "xx.xx.xx.xx" (Firewall IP)
end
Note: the first command only displays the syslog settings already present, so you can see which of the syslog server slots (syslogd, syslogd2, syslogd3, syslogd4) is free before configuring one; the example above uses syslogd2. The facility must match what the forwarder expects; local6 is the value used here, but another value can be set in the same way, for example: set facility syslog
Note: the mode setting selects the transport. If you set mode to reliable, logs are sent over TCP; if you set mode to udp (as above), they are sent over UDP. The port and transport must match what the forwarder is listening on, and the source IP must be an address on the firewall that can reach the forwarder.
Configuring syslog through the GUI
- From a host that can reach the firewall, log in to the web GUI by browsing to the Firewall IP.
- Enable the syslog configuration as shown in the screenshots below.
- Go to Log & Report -> Log Settings and follow the steps shown in the screenshot.
- Enable "Send logs to syslog" and enter the shipper (forwarder) IP.
- Make sure the log settings are set to All, as shown below.
- In every firewall policy, set logging of allowed traffic to All Sessions (do not leave it Disabled or on Security Events (UTM) only, otherwise normal traffic sessions are never logged).
- Make sure logging is also enabled on the Implicit Deny policy, so that denied traffic is forwarded as well.
- Screenshots are included below for reference.
- Once the syslog configuration and policy changes are done, open the command line (as shown in the screenshot) and type the following command:
- show full-configuration | grep -f syslogd
- Set the source IP and facility as shown in the screenshot (the same source-ip and facility settings as in the CLI procedure above).
- Enable resolve-ip on every FortiGate device, as shown in the screenshot, so that resolved hostnames are added to traffic logs where possible (in the CLI this is config log setting -> set resolve-ip enable -> end).
- Repeat the process for each device that needs to be onboarded to Chronicle.
- Once the configuration is complete, validate the logs in Chronicle with a raw log search: a regular expression such as (".*") lists every log source type currently ingesting into Chronicle, and a specific hostname (the devname value from the logs) narrows the result to one device. See the screenshot below for reference.
The following is an example of a traffic log that FortiGate sends to Chronicle. The PRI header <181> encodes facility local6 (22 * 8 = 176) plus severity notice (5), which is what you should see if the facility was set to local6 as above; the body is a sequence of key=value pairs, with string values in double quotes.
<181>date=2023-07-05 time=20:00:00 devname="DEVICE-01" devid="FGTAZRGBGCMKCQE1" eventtime=1688612400560083706 tz="-0700" logid="0001000014" type="traffic" subtype="local" level="notice" vd="user" srcip=192.168.1.1 srcport=9312 srcintf="user" srcintfrole="undefined" dstip=0.0.0.0 dstport=32526 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Hong Kong" sessionid=19241100 proto=6 action="close" policyid=0 service="tcp/32526" trandisp="noop" app="tcp/32526" duration=1 sentbyte=1308 rcvdbyte=344 sentpkt=7 rcvdpkt=4 appcat="unscanned"
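To check that what arrives at the forwarder really matches the configuration above (facility, device name, mandatory fields) and to reproduce the hostname filtering used in the Chronicle validation step, here is an added example parser in Python. It is not Fortinet's, Netenrich's or Chronicle's code; the two sample lines are constructed from the format shown above, and the expected facility local6 and device names are assumptions you replace with your own values.

```python
"""Parse FortiGate syslog lines and check them against the forwarding configuration.

Added example, not vendor code.  Sample lines are constructed; the expected
facility (local6) and device names are assumptions for this demo.
"""
import re

# Syslog facilities and severities in PRI order (facility = PRI // 8, severity = PRI % 8).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# key=value where the value is either double-quoted (may contain spaces or '=')
# or a bare token; the quoted alternative is tried first so inner '=' is not re-split.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_line(line):
    """Return {'facility', 'severity', 'fields'} for one FortiGate syslog line."""
    m = PRI_RE.match(line.strip())
    if not m:
        raise ValueError("line has no <PRI> header: %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    fields = {}
    for kv in KV_RE.finditer(m.group(2)):
        # group(2) is the quoted value (may be ""), group(3) the bare value
        fields[kv.group(1)] = kv.group(2) if kv.group(2) is not None else kv.group(3)
    return {"facility": FACILITIES[pri // 8],
            "severity": SEVERITIES[pri % 8],
            "fields": fields}


def check_ingestion(line, expected_facility="local6", expected_devnames=()):
    """List mismatches between a received line and the configured forwarding.

    An empty list means the line came in on the expected facility, from an
    onboarded device, and carries the fields Chronicle parsing relies on.
    """
    rec = parse_fortigate_line(line)
    problems = []
    if rec["facility"] != expected_facility:
        problems.append("facility %s, expected %s" % (rec["facility"], expected_facility))
    dev = rec["fields"].get("devname")
    if expected_devnames and dev not in expected_devnames:
        problems.append("unexpected devname %r" % dev)
    for key in ("devname", "devid", "logid", "type", "eventtime"):
        if key not in rec["fields"]:
            problems.append("missing field %s" % key)
    return problems


def filter_by_hostname(lines, pattern):
    """Mirror the Chronicle raw-log check: keep lines whose devname matches a regex."""
    rx = re.compile(pattern)
    return [rec for rec in map(parse_fortigate_line, lines)
            if rx.search(rec["fields"].get("devname", ""))]


# Constructed sample input, modelled on the traffic log format above.
SAMPLE_LINES = [
    # DEVICE-01 correctly configured: PRI 181 = local6 / notice
    '<181>date=2023-07-05 time=20:00:00 devname="DEVICE-01" devid="FGTAZRGBGCMKCQE1" '
    'eventtime=1688612400560083706 logid="0001000014" type="traffic" subtype="local" '
    'level="notice" srcip=192.168.1.1 dstip=0.0.0.0 action="close" app="tcp/32526"',
    # DEVICE-02 (assumed) left on facility local7: PRI 189 = local7 / notice
    '<189>date=2023-07-05 time=20:00:01 devname="DEVICE-02" devid="FGT0000000000002" '
    'eventtime=1688612401000000000 logid="0001000014" type="traffic" subtype="forward" '
    'level="notice" srcip=10.0.0.5 dstip=10.0.0.6 action="accept" app="DNS"',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_fortigate_line(line)
        print(rec["fields"]["devname"], rec["facility"], rec["severity"],
              check_ingestion(line, "local6", ("DEVICE-01",)) or "OK")
    print("matched with '.*':", len(filter_by_hostname(SAMPLE_LINES, ".*")))
```

Run it against lines captured on the forwarder (for example from a packet capture on the syslog port) rather than on the firewall: a device whose facility or mode does not match what the forwarder expects shows up here as a mismatch before you spend time searching for it in Chronicle.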