Fortinet FortiAnalyzer


To complete this Integration you will need to:

1) Ensure Connectivity Requirements are in place

2) From the FortiAnalyzer

3) From your FortiGate devices (if using FortiGate devices)

4) From your FortiWeb devices (if using FortiWeb devices)

5) From the Samurai MDR portal

Connectivity Requirements

You must ensure the following connectivity requirements are available:

Source | Destination | Ports | Description
FortiAnalyzer | Samurai Local Collector | UDP/514 (syslog) | For log transmission
Samurai Local Collector | FortiAnalyzer | TCP/443 (https), default or your definition | Optional (based on optional configuration in this article)

Create a reduced restricted profile

Follow the steps outlined in the Fortinet documentation:

Use the following parameters when completing the steps:

Profile system setting | Value
Profile Name | Whatever you want, however we suggest ntt_restricted_user
Options | Set all options to None except Log View / FortiView, which should be set to Read-Only

Configure log forwarding

Follow the steps outlined in the Fortinet documentation:

Use the following required parameters when completing the steps:

Log forward setting | Value
Name | Whatever you want, however we suggest NTT_collector
Status | On
Remote Server Type | Syslog
Server Address | IP address of your collector
Server Port | 514
Compression | Off
Reliable Connection | Off
Sending Frequency | Real-time
Device Filters | Click Select Device, then select the devices whose logs will be forwarded (Note: you may have to come back to this if you are not sending logs from your FortiGate devices yet!)
Log filters | Off
Enable exclusions | Off
Enable Masking | Off

Create a new administrator

Follow the steps outlined in the Fortinet documentation:

Use the following parameters when completing the steps:

Administrator account setting | Value
User Name | Whatever you want, however we suggest ntt_user
Description / Comments | Whatever you want
Admin Type | LOCAL
Password | Enter a secure password; you will need it later for the integration
Admin Profile | Select the profile from the previous step, we recommended ntt_restricted_user
Administrative Domain | Select based on your setup or use the default option, All ADOMS
JSON API Access | Read
Trusted Hosts (optional) | You can optionally restrict this account to the IP address of your Collector
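Before entering the new account in the portal, you can confirm from the collector host that the account logs in over TCP/443 (the optional path in the connectivity table). The check below is an added example, not part of this guide or the Samurai MDR collector; it assumes FortiAnalyzer's JSON-RPC endpoint (/jsonrpc, method "exec", login URL /sys/login/user, logout URL /sys/logout), which this page does not document.

```python
import json
import ssl
import sys
import urllib.request

# Hypothetical helper; endpoint and URL names are assumed from the
# FortiAnalyzer JSON-RPC API, not taken from this integration guide.


def build_login_request(user, passwd, req_id=1):
    """Build the JSON-RPC login call for the FortiAnalyzer API."""
    return {
        "method": "exec",
        "params": [{"url": "/sys/login/user",
                    "data": {"user": user, "passwd": passwd}}],
        "id": req_id,
    }


def parse_login_response(body):
    """Return (status code, session token); code 0 means the login succeeded."""
    doc = json.loads(body)
    status = doc["result"][0]["status"]
    return status["code"], doc.get("session")


def _post(url, payload, ctx, timeout):
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read().decode()


def check_faz_login(host, user, passwd, port=443, cafile=None, timeout=10):
    """Log in with the integration account, then log out again. Returns True on success."""
    # Certificate verification stays on; pass cafile= for a FortiAnalyzer
    # with a self-signed or private-CA certificate instead of disabling it.
    ctx = ssl.create_default_context(cafile=cafile)
    url = f"https://{host}:{port}/jsonrpc"
    code, session = parse_login_response(_post(url, build_login_request(user, passwd), ctx, timeout))
    if code != 0 or not session:
        raise RuntimeError(f"FortiAnalyzer login failed (status code {code})")
    # Close the session so the check leaves nothing lingering on the appliance.
    _post(url, {"method": "exec", "params": [{"url": "/sys/logout"}],
                "session": session, "id": 2}, ctx, timeout)
    return True


if __name__ == "__main__":  # usage: check.py <host> <user> <password> [cafile]
    print(check_faz_login(sys.argv[1], sys.argv[2], sys.argv[3],
                          cafile=sys.argv[4] if len(sys.argv) > 4 else None))
```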

Enable FortiGate to send logs and PCAP to FortiAnalyzer

All FortiGate devices in scope must be connected to the FortiAnalyzer to send logs and PCAP.

Follow the steps outlined in the Fortinet documentation:

Use the following required parameters when completing the steps:

Remote Logging and Archiving setting | Value
Send logs to FortiAnalyzer/FortiManager | Enable
Server | IP address for your FortiAnalyzer
Upload option | Real Time

A disk-backed log buffer is recommended on FortiGate devices with an SSD disk.

Follow the steps outlined in the Fortinet documentation:

Configure FortiAnalyzer policies for FortiWeb

Follow the steps in the section entitled ‘Configuring FortiAnalyzer policies’ outlined in the Fortinet FortiWeb documentation:

Complete the Fortinet FortiAnalyzer Integration

  1. Login to the Samurai MDR portal

  2. Click Telemetry and select Integrations from the main menu

  3. Click Create

  4. Find and select Fortinet FortiAnalyzer

  5. Select the relevant Local Collector and click Next

  6. Enter the following information

    • Name for the Integration - the name will appear in the Samurai MDR portal for you to easily reference
    • Description - optional, but if completed it will appear in the Samurai MDR portal for you to easily reference
    • The Username and Password you created in Create a new administrator
    • Select Enable PCAP (only applicable to FortiGate devices), which was enabled in Enable FortiGate to send logs and PCAP to FortiAnalyzer
    • Hostname/IP - enter the FortiAnalyzer hostname or IP address
    • Port (Optional) - if you have changed the default port, enter the port number; if not, we default to 443
    • adom (optional) - if not specified, we default to “root”

  7. Click on Finish

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.