Fortinet FortiAnalyzer
Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.
| Product | Samurai [Local] Collector | Samurai [Cloud] Collector |
|---|---|---|
| Fortinet FortiAnalyzer (physical/virtual only) |  |
To complete this Integration you will need to:
1) Ensure Connectivity Requirements are in place
2) From the FortiAnalyzer
3) From your Fortigate devices (if using Fortigate devices)
4) From your FortiWeb devices (if using Fortiweb devices)
5) From the Samurai application:
Connectivity Requirements
You must ensure the following connectivity requirements are available:
| Source | Destination | Ports | Description |
|---|---|---|---|
| FortiAnalyzer | Samurai Local Collector | UDP/514 (syslog) | For log transmission |
| Samurai Local Collector | FortiAnalyzer | TCP/443 (https) default or your definition | Optional (based on optional configuration in this article) |
Create a reduced restricted profile
Follow the steps outlined in the Fortinet documentation:
Select Administrator Profiles to read more about Fortinet profiles (v7.x)
Use the following parameters when completing the steps:
| Profile system settings | Value |
|---|---|
| Profile Name | Whatever you want, however we suggest ntt_restricted_user |
| Options | Set all options to None except Log View / FortiView which should be set to Read-Only |
Configure log forwarding
Follow the steps outlined in the Fortinet documentation:
Use the following required parameters when completing the steps:
| Log forward setting | Value |
|---|---|
| Name | Whatever you want, however we suggest NTT_collector |
| Status | On |
| Remote Server Type | Syslog |
| Server Address | IP address of your collector |
| Server Port | 514 |
| Compression | Off |
| Reliable Connection | Off |
| Sending Frequency | Real-time |
| Device Filters | Click Select Device, then select the devices whose logs will be forwarded (Note: you may have to come back to this if you are not sending logs from your Fortigate devices yet!) |
| Log filters | Off |
| Enable exclusions | Off |
| Enable Masking | Off |
Create a new administrator
Follow the steps outlined in the Fortinet documentation:
Use the following parameters when completing the steps:
| Administrator account | Value |
|---|---|
| User Name | Whatever you want, however we suggest ntt_user |
| Description / Comments | Whatever you want |
| Admin Type | LOCAL |
| Password | Enter a secure password, you will need this later for the integration |
| Admin Profile | Select the profile from the the previous step, we recommended ntt_restricted_user |
| Administrative Domain | Select based on your setup or use the default option, All ADOMS |
| JSON API Access | Read |
| Trusted Hosts (optional) | You can optionally restrict this account to the IP address of your Collector |
Enable FortiGate to send logs and PCAP to FortiAnalyzer
All FortiGate devices in scope must be connected to the FortiAnalyzer to send logs and PCAP.
Follow the steps outlined in the Fortinet documentation:
Use the following required parameters when completing the steps:
| Remote Logging and Archiving | Value |
|---|---|
| Send logs to FortiAnalyzer/FortiManager | Enable |
| Server | IP address for your FortiAnalyzer |
| Upload option | Real Time |
If this is the first time remote logging is configured and the FortiGate device was not previously added to FortiAnalyzer, the device needs to be authorized under FortiAnalyzer Device Manger to be able to upload its logs. Perform this on the FortiAnalyzer
Disk backed log buffer is recommended on Fortigates with an SSD disk.
Follow the steps outlined in the Fortinet documentation:
Configure FortiAnalyzer policies for FortiWeb
Follow the steps in the section entitled ‘Configuring FortiAnalyzer policies’ outlined in the Fortinet FortiWeb documentation:
Complete the Fortinet FortiAnalyzer Integration
Login to the Samurai MDR web application
Click Integrations from the main menu
Click Create
Find and select Fortinet FortiAnalyzer
Select the relevant Local Collector and click Next
Enter the following information
- Name for the Integration - the name will appear in the Samurai application for you to easily reference
- Description - optional but if completed will appear in the Samurai application for you to easily reference)
- The Username and Password you created in Create a new administrator
- Select Enable PCAP (only applicable to FortiGate devices) which was enabled in Enable FortiGate to send logs and PCAP to FortiAnalyzer
- Hostname/IP - enter FortiAnalyzer hostname or IP address
- ***Port (Optional) -***if you have changed the default port enter the port number, if not, we default to 443
- adom (optional) - if not specified we default to “root”
Click on Finish
For general information on Integrations refer to the Integrations article.