Fortinet FortiEDR On-Premise
This guide describes the steps required to configure an On-Premise deployed Fortinet FortiEDR Central Manager for telemetry data ingestion to the Samurai platform.
Follow the steps below:
1. Ensure the connectivity requirements are in place
2. From the FortiEDR Central Manager (On-Premise):
- Configure syslog to your local collector
- Create a user with a REST API role
- Gather the additional information required
3. From the Samurai MDR portal, complete the integration
Connectivity Requirements
You must ensure the following connectivity requirements are available:
Source | Destination | Ports | Description |
---|---|---|---|
FortiEDR Central Manager (On-Premise) | Samurai Local Collector | UDP/514 (syslog) | For log transmission |
Samurai Local Collector | FortiEDR Central Manager (On-Premise) | TCP/443 (https) | Application Programming Interface (API) access |
Configure syslog to your local collector
Follow the steps outlined in the Fortinet documentation:
Use the following parameters when completing the steps:
Attribute | Parameter |
---|---|
Host | IP Address or Hostname of the Samurai Local Collector (if hostname is used it must resolve to the IP address) |
Port | 514 |
Protocol | UDP |
Format | CEF |
Notifications | Security Events (All) |
Create a user with a REST API role
Follow the Fortinet documentation:
When completing the steps use the following parameters:
Attribute | Parameter |
---|---|
Role | Read-Only |
Advanced | Rest-API (Checked) |
Two-Factor Authentication | Ensure it is disabled |
Additional information required
You will also need to provide additional information to complete the integration. This includes:
- Deployment URL: This is the URL used to access the On-Premise deployed FortiEDR Central Manager
- Example: https://<IP address or hostname> (if a hostname is used it must resolve to the IP address)
- Organization: This is the Organization name used when logging into the FortiEDR Central Manager (On-Premise)
Complete the Fortinet FortiEDR On-Premise Integration
- Login to the Samurai MDR portal
- Click Telemetry and select Integrations from the main menu
- Select Create
- Locate and click Fortinet FortiEDR (on-prem)
- Click Next
- Select the relevant Local Collector and click Next
- Enter a Name of Integration
- Enter a Description (Optional)
- Enter your Local Deployment URL, for example https://<IP address or hostname> (if a hostname is used, it must be resolvable and accessible from the local collector)
- Enter your Organization
- Enter your Username
- Enter your Password
- Select the Fallback timezone: this is the timezone assumed for events that carry no epoch timestamp field. Supported values are UTC and CET (covering CET/CEST).
- Click Finish
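As an added example (not code from this guide or from the Samurai platform), the following Python parser shows what the local collector has to do with the CEF-formatted syslog events configured in the syslog step and with the Fallback timezone selected above: split the CEF header on unescaped pipes, unescape extension values, and prefer the epoch `rt` field over a fallback time. The sample line, vendor/product strings and extension keys are constructed assumptions, not captured FortiEDR output.

```python
import re
from datetime import datetime, timezone

# Constructed sample: RFC 3164 syslog prefix followed by a CEF record. Vendor/product
# strings and extension keys are illustrative assumptions, not captured FortiEDR output.
SAMPLE_LINE = (
    "<134>Jan 10 12:34:56 fortiedr-cm CEF:0|Fortinet|FortiEDR|5.2|MaliciousFile|"
    "Malicious File Detected\\|Blocked|8|rt=1704890096000 src=10.1.2.3 shost=WS-042 "
    "suser=CORP\\\\jdoe fname=payload.exe msg=Rule\\=Execution Prevention act=Block"
)
HEADER_FIELDS = ["cef_version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity"]
# key=value pairs: a value runs until the next ' key=' and may contain '\=' or '\\'
EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|$)")

def _split_header(record):
    """Split on unescaped '|' (the header escapes are '\\|' and '\\\\') and return
    the seven header fields followed by the raw extension string."""
    fields, buf, i = [], [], 0
    while i < len(record) and len(fields) < 7:
        ch = record[i]
        if ch == "\\" and i + 1 < len(record):
            buf.append(record[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(buf)); buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("malformed CEF header")
    return fields + [record[i:]]

def parse_cef_event(line):
    """Parse one syslog line carrying a CEF record into a flat dict."""
    m = re.match(r"^(?:<(\d{1,3})>)?.*?CEF:(\d+\|.*)$", line)
    if not m:
        raise ValueError("line does not contain a CEF record")
    parts = _split_header(m.group(2))
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    event["severity"] = int(event["severity"])
    for key, raw in EXT_RE.findall(parts[7]):
        event[key] = re.sub(r"\\(.)", r"\1", raw)  # undo '\=' and '\\' escapes
    return event

def event_time(event, fallback):
    """Use the epoch-millisecond 'rt' field when present; otherwise return the
    caller's fallback (receive time in the portal's fallback timezone)."""
    if "rt" in event:
        return datetime.fromtimestamp(int(event["rt"]) / 1000, tz=timezone.utc)
    return fallback
```

Feeding a few real lines from the collector through `parse_cef_event` is a quick way to confirm the syslog step delivered CEF rather than another format, and that `rt` is present so the fallback timezone is not silently applied.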
Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.