Fortinet FortiEDR On-Premise

Samurai [Local] Collector	Samurai [Cloud] Collector

This guide describes the steps required to configure an On-Premise deployed Fortinet FortiEDR Central Manager for telemetry data ingestion to the Samurai platform.

Follow the steps below:

1) Ensure Connectivity Requirements are in place

Connectivity Requirements

2. From the FortiEDR Central Manager (On-Premise)

Configure syslog to your local collector
Create a user with a REST API role
Additional information required

3. From the Samurai MDR portal

Complete the Fortinet FortiEDR On-premise Integration

Connectivity Requirements

You must ensure the following connectivity requirements are available:

Source	Destination	Ports	Description
FortiEDR Central Manager (On-Premise)	Samurai Local Collector	UDP/514 (syslog)	For log transmission
Samurai Local Collector	FortiEDR Central Manager (On-Premise)	TCP/443 (https)	Application Programming Interface (API) access

Configure syslog to your local collector

Follow the steps outlined in the Fortinet documentation:

Syslog

Use the following parameters when completing the steps:

Default settings should be used unless otherwise specified in the listed parameters

Attribute	Parameter
Host	IP Address or Hostname of the Samurai Local Collector (if hostname is used it must resolve to the IP address)
Port	514
Protocol	UDP
Format	CEF
Notifications	Security Events (All)

Create a user with a REST API role

Follow the Fortinet documentation:

To add a user

When completing the steps use the following parameters:

Attribute	Parameter
Role	Read-Only
Advanced	Rest-API (Checked)
Two-Factor Authentication	Ensure it is disabled

Once you have created the user, you must use the credentials to login to the FortiEDR Central Manager (On-Premise) and change the password before proceeding, this is due to Fortinet forcing a password reset upon first login.

Additional information required

You will also need to provide additional information to complete the integration. This includes:

Deployment URL: This is the URL utilized to access the On-Premise deployed FortiEDR Central Manager
- Example: https://IP address or Hostname (if hostname it must resolve to the IP address)
Organization: This is the Organization name used when logging into the FortiEDR Central Manager (On-Premise)

Complete the Fortinet FortiEDR On-premise Integration

Login to the Samurai MDR portal
Click Telemetry and select Integrations from the main menu
Select Create
Locate and click Fortinet FortiEDR (on-prem)
Click Next
Select the relevant Local Collector and click Next
Enter a Name of Integration
Enter a Description (Optional)
Enter your Local Deployment URL - example https://IP or hostname (if hostname is used, it must be resolveable and accessible from the local collector)
Enter your Organization
Enter your Username
Enter your Password
Select the Fallback timezone - this is the timezone to assume if no epoch field exists in the data. UTC and CET (for CET/CEST) supported.
Click Finish

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.