This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Fortinet FortiAnalyzer

    Samurai [Local] CollectorSamurai [Cloud] Collector
    Picture1.svg

    To complete this Integration you will need to:

    1) Ensure Connectivity Requirements are in place

    2) From the FortiAnalyzer

    3) From your Fortigate devices (if using Fortigate devices)

    4) From your FortiWeb devices (if using Fortiweb devices)

    5) From the Samurai MDR portal:

    Connectivity Requirements

    You must ensure the following connectivity requirements are available:

    SourceDestinationPortsDescription
    FortiAnalyzerSamurai Local CollectorUDP/514 (syslog)For log transmission
    Samurai Local CollectorFortiAnalyzerTCP/443 (https) default or your definitionOptional (based on optional configuration in this article)

    Create a reduced restricted profile

    Follow the steps outlined in the Fortinet documentation:

    Use the following parameters when completing the steps:

    Profile system settingsValue
    Profile NameWhatever you want, however we suggest ntt_restricted_user
    OptionsSet all options to None except Log View / FortiView which should be set to Read-Only

    Configure log forwarding

    Follow the steps outlined in the Fortinet documentation:

    Use the following required parameters when completing the steps:

    Log forward settingValue
    NameWhatever you want, however we suggest NTT_collector
    StatusOn
    Remote Server TypeSyslog
    Server AddressIP address of your collector
    Server Port514
    CompressionOff
    Reliable ConnectionOff
    Sending FrequencyReal-time
    Device FiltersClick Select Device, then select the devices whose logs will be forwarded (Note: you may have to come back to this if you are not sending logs from your Fortigate devices yet!)
    Log filtersOff
    Enable exclusionsOff
    Enable MaskingOff

    Create a new administrator

    Follow the steps outlined in the Fortinet documentation:

    Use the following parameters when completing the steps:

    Administrator accountValue
    User NameWhatever you want, however we suggest ntt_user
    Description / CommentsWhatever you want
    Admin TypeLOCAL
    PasswordEnter a secure password, you will need this later for the integration
    Admin ProfileSelect the profile from the the previous step, we recommended ntt_restricted_user
    Administrative DomainSelect based on your setup or use the default option, All ADOMS
    JSON API AccessRead
    Trusted Hosts (optional)You can optionally restrict this account to the IP address of your Collector

    Enable FortiGate to send logs and PCAP to FortiAnalyzer

    All FortiGate devices in scope must be connected to the FortiAnalyzer to send logs and PCAP.

    Follow the steps outlined in the Fortinet documentation:

    Use the following required parameters when completing the steps:

    Remote Logging and ArchivingValue
    Send logs to FortiAnalyzer/FortiManagerEnable
    ServerIP address for your FortiAnalyzer
    Upload optionReal Time

    Disk backed log buffer is recommended on Fortigates with an SSD disk. 

    Follow the steps outlined in the Fortinet documentation:

    Configure FortiAnalyzer policies for FortiWeb

    Follow the steps in the section entitled ‘Configuring FortiAnalyzer policies’ outlined in the Fortinet FortiWeb documentation:

    Complete the Fortinet FortiAnalyzer Integration

    1. Login to the Samurai MDR portal

    2. Click Telemetry and select Integrations from the main menu

    3. Click Create

    4. Find and select Fortinet FortiAnalyzer

    5. Select the relevant Local Collector and click Next

    6. Enter the following information

      • Name for the Integration - the name will appear in the Samurai MDR portal for you to easily reference
      • Description - optional but if completed will appear in the Samurai MDR portal for you to easily reference)
      • The Username and Password you created in Create a new administrator
      • Select Enable PCAP (only applicable to FortiGate devices) which was enabled in Enable FortiGate to send logs and PCAP to FortiAnalyzer
      • Hostname/IP - enter FortiAnalyzer hostname or IP address
      • Port (Optional) - if you have changed the default port enter the port number, if not, we default to 443
      • adom (optional) - if not specified we default to “root”
    7. Click on Finish

    Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.