Fortinet FortiEDR On-Premise


This guide describes the steps required to configure an On-Premise deployed Fortinet FortiEDR Central Manager for telemetry data ingestion to the Samurai platform.

Follow the steps below:

  1. Ensure the connectivity requirements are in place
  2. Configure the FortiEDR Central Manager (On-Premise)
  3. Complete the integration from the Samurai MDR portal

Connectivity Requirements

You must ensure the following connectivity requirements are available:

Source                                 Destination                            Ports              Description
FortiEDR Central Manager (On-Premise)  Samurai Local Collector                UDP/514 (syslog)   Log transmission
Samurai Local Collector                FortiEDR Central Manager (On-Premise)  TCP/443 (https)    Application Programming Interface (API) access

Configure syslog to your local collector

Follow the steps outlined in the Fortinet documentation:

Use the following parameters when completing the steps:

Attribute       Parameter
Host            IP address or hostname of the Samurai Local Collector (if a hostname is used, it must resolve to the IP address)
Port            514
Protocol        UDP
Format          CEF
Notifications   Security Events (All)

Create a user with a REST API role

Follow the Fortinet documentation:

When completing the steps use the following parameters:

Attribute                  Parameter
Role                       Read-Only
Advanced                   Rest-API (Checked)
Two-Factor Authentication  Ensure it is disabled

Additional information required

You will also need to provide additional information to complete the integration. This includes:

  • Deployment URL: the URL used to access the On-Premise deployed FortiEDR Central Manager
    • Example: https://IP address or Hostname (if a hostname is used, it must resolve to the IP address)
  • Organization: the Organization name used when logging in to the FortiEDR Central Manager (On-Premise)
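A pre-flight check for the two requirements above and the connectivity table, as an added example (not Fortinet's or Samurai's code): it validates that the Deployment URL is of the form https://IP-or-hostname, that the host resolves, and that TCP/443 to the Central Manager is reachable from where the script runs, which should be the Samurai Local Collector host. The URL in the __main__ block is a constructed placeholder.

```python
"""Pre-flight checks for the FortiEDR On-Premise to Samurai integration.

Added example; not Fortinet's or Samurai's code. It checks what the guide
requires of the Deployment URL (https:// plus an IP or a hostname that
resolves) and that the Samurai Local Collector can reach the Central
Manager on TCP/443 for API access. Run it on the collector host. The URL
in __main__ is a constructed placeholder.
"""
import socket
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class PreflightResult:
    ok: bool
    problems: list = field(default_factory=list)


def parse_deployment_url(url: str) -> str:
    """Return the host of a Deployment URL of the form https://<IP or hostname>.

    Raises ValueError for plain http, a missing host, or extra path/query parts,
    which are the mistakes most likely to make the portal integration fail.
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError(f"Deployment URL must start with https://, got {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("Deployment URL has no host")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("Deployment URL should be just https:// and the host")
    return parts.hostname


def resolve_host(host: str) -> list:
    """Addresses the host resolves to on this machine (empty list if none)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(deployment_url: str, check_network: bool = True) -> PreflightResult:
    """Validate the Deployment URL, name resolution and TCP/443 reachability.

    UDP/514 syslog from the Central Manager to the collector has no handshake
    to probe from here; confirm that side by watching events arrive at the
    collector after the syslog settings are applied.
    """
    result = PreflightResult(ok=True)
    try:
        host = parse_deployment_url(deployment_url)
    except ValueError as exc:
        result.problems.append(str(exc))
        result.ok = False
        return result
    if not resolve_host(host):
        result.problems.append(f"{host} does not resolve from this host")
        result.ok = False
        return result
    if check_network and not tcp_reachable(host, 443):
        result.problems.append(f"TCP/443 to {host} is not reachable; API access will fail")
        result.ok = False
    return result


if __name__ == "__main__":
    # Constructed placeholder; substitute your Central Manager's Deployment URL.
    print(preflight("https://fortiedr-manager.example.internal"))
```

Run it on the Local Collector rather than on the Central Manager: the table's API access row is from the collector to the manager, so resolution and reachability have to hold from the collector's side.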

Complete the Fortinet FortiEDR On-Premise Integration

  1. Log in to the Samurai MDR portal
  2. Click Telemetry and select Integrations from the main menu
  3. Select Create
  4. Locate and click Fortinet FortiEDR (on-prem)
  5. Click Next
  6. Select the relevant Local Collector and click Next
  7. Enter a Name for the integration
  8. Enter a Description (optional)
  9. Enter your Local Deployment URL, for example https://IP or hostname (if a hostname is used, it must be resolvable and accessible from the local collector)
  10. Enter your Organization
  11. Enter your Username
  12. Enter your Password
  13. Select the Fallback timezone. This is the timezone to assume if no epoch field exists in the data; UTC and CET (for CET/CEST) are supported.
  14. Click Finish
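The two settings the collector depends on are the CEF format chosen in the syslog section and the fallback timezone in step 13. The following added example (not Fortinet's or Samurai's code) shows what they mean in practice: a parser for a syslog line carrying CEF, and the time-resolution rule from step 13, using the epoch value when the event carries one and otherwise reading a textual time in the configured fallback zone. SAMPLE is a constructed line; its extension keys (rt, src, dhost, fname, msg) are standard CEF keys chosen for illustration, not a statement of which keys FortiEDR emits, and the CET/CEST handling is written out by hand so the script needs no timezone database.

```python
"""Parse CEF syslog events as the Samurai Local Collector has to read them.

Added example; not Fortinet's or Samurai's code. It implements the generic CEF
format the guide selects (Format: CEF) and the guide's fallback-timezone rule:
use the event's epoch field if present, else read a textual time in the chosen
fallback zone (UTC or CET/CEST). SAMPLE is constructed; its extension keys are
standard CEF keys, not a claim about which keys FortiEDR emits.
"""
import re
from datetime import datetime, timedelta, timezone, tzinfo

# Constructed sample carrying the CEF 'rt' key as epoch milliseconds.
SAMPLE = (r"<14>Jan 15 10:00:00 fortiedr-manager CEF:0|Fortinet|FortiEDR|0.0|SampleSig|"
          r"Sample Event|8|rt=1736935200000 src=10.20.30.40 dhost=WS-0042 "
          r"fname=C:\\Users\\u\\x.exe msg=Blocked by policy\=default")

_HEADER = ["cef_version", "vendor", "product", "device_version", "signature_id", "name", "severity"]
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # a ' key=' boundary; an escaped \= never matches


def _unescape(s: str) -> str:
    """Undo CEF backslash escapes (\\| \\= \\\\, plus \\n and \\r for line breaks)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append({"n": "\n", "r": "\r"}.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_cef(line: str) -> dict:
    """Split a syslog line carrying CEF into its 7 header fields and an extension dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF: marker in line")
    body, fields, cur, i = line[start + 4:], [], [], 0
    while len(fields) < 7 and i < len(body):  # header is pipe-delimited; \| stays in the value
        if body[i] == "\\" and i + 1 < len(body):
            cur.append(body[i:i + 2])
            i += 2
        elif body[i] == "|":
            fields.append(_unescape("".join(cur)))
            cur, i = [], i + 1
        else:
            cur.append(body[i])
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    event = dict(zip(_HEADER, fields))
    ext, extension = body[i:], {}
    matches = list(_KEY.finditer(ext))
    for n, m in enumerate(matches):  # a value runs to the next ' key=', so it may contain spaces
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        extension[m.group(1)] = _unescape(ext[m.end():end])
    event["extension"] = extension
    return event


class CentralEuropean(tzinfo):
    """CET/CEST under the EU rule (last Sunday of March to last Sunday of October,
    both at 01:00 UTC), written out so the example needs no tz database."""

    @staticmethod
    def _last_sunday_0100utc(year: int, month: int) -> datetime:
        d = datetime(year, month, 31, 1, tzinfo=timezone.utc)  # March and October have 31 days
        return d - timedelta(days=(d.weekday() + 1) % 7)

    def dst(self, dt):
        if dt is None:
            return timedelta(0)
        start = self._last_sunday_0100utc(dt.year, 3)
        end = self._last_sunday_0100utc(dt.year, 10)
        # Place the wall time on the UTC timeline as if it were CET; an ambiguous
        # autumn wall time therefore reads as standard time.
        as_utc = (dt.replace(tzinfo=None) - timedelta(hours=1)).replace(tzinfo=timezone.utc)
        return timedelta(hours=1) if start <= as_utc < end else timedelta(0)

    def utcoffset(self, dt):
        return timedelta(hours=1) + self.dst(dt)

    def tzname(self, dt):
        return "CEST" if self.dst(dt) else "CET"


FALLBACK_ZONES = {"UTC": timezone.utc, "CET": CentralEuropean()}


def event_time(event: dict, fallback: str = "UTC") -> datetime:
    """Event time as an aware UTC datetime. The standard CEF 'rt' key is used as
    epoch milliseconds when numeric; otherwise it is read as 'MMM dd yyyy HH:mm:ss'
    wall time in the fallback zone the integration was configured with."""
    rt = event["extension"].get("rt")
    if rt is None:
        raise ValueError("event has no rt field")
    if rt.isdigit():
        return datetime.fromtimestamp(int(rt) / 1000, tz=timezone.utc)
    naive = datetime.strptime(rt, "%b %d %Y %H:%M:%S")
    return naive.replace(tzinfo=FALLBACK_ZONES[fallback]).astimezone(timezone.utc)


if __name__ == "__main__":
    ev = parse_cef(SAMPLE)
    print(ev["name"], ev["severity"], event_time(ev).isoformat(), ev["extension"]["fname"])
```

The fallback zone only matters for events without an epoch value, so when events carry one the same line yields the same UTC time whichever fallback was selected; an event carrying only a textual time in CET is shifted by one or two hours depending on whether CEST was in force on that date, which is the difference the step 13 choice controls.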

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.