Fortinet FortiGate Next-Generation Firewall

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.

Product	Samurai [Local] Collector	Samurai [Cloud] Collector
Fortinet FortiGate Next-Generation Firewall

1)Ensure Connectivity Requirements are in place

Connectivity Requirements

2) From FortiGate Next-Generation Firewall console:

Configure Syslog Forwarding Settings
Configure Log Settings for Each Security Features
Configure IPS Packet Logging
Configure the Storage Settings
Configure API Access Permission and Create API Key

3) If you have configured the options above, from the Samurai application:

Complete the Fortinet FortiGate Next-Generation Firewall Integration

CLI commands may depend on Forti OS version. Refer to the relevant Fortinet documentation if needed.

This guide assumes that you are not using the VDOM feature.

Connectivity Requirements

You must ensure the following connectivity requirements are available:

Source	Destination	Ports	Description
FortiGate NGFW	Samurai Local Collector	UDP/514 (syslog)	For log transmission
Samurai Local Collector	FortiGate NGFW	TCP/443 (https) default or your definition	Optional (based on optional configuration in this article)

Configure Syslog Forwarding Settings

Execute the CLI commands outlined in the FortiGate Next Generation Firewall documentation.

config log syslogd4 setting

config log syslogd4 setting
   set status enable  
   set server [IP address of your Samurai Collector]
   set mode udp
   set port 514
   unset source-ip
   set format default
end

config log syslogd4 filter

config log syslogd4 filter
   set filter [see table 1]
   set filter-type include  
end

The following table shows the value indicating the send log for each security function.

Security Features	Value indicating the send log (One line each; no separator)
IPS/IDS Features	“ips-level(information)”
IPS/IDS and AntiVirus Features	“ips-level(information)virus-level(information)”
IPS/IDS and AntiVirus Features and Web Filter Features	“ips-level(information)virus-level(information)webfilter-level(information)”

Table 1: Security Features Logs To Be Sent

Configure Log Settings for Each Security Features

Execute the CLI commands outlined in the FortiGate Next Generation Firewall documentation.

config firewall policy

config firewall policy
   edit [Policy ID]
       ...
   set logtraffic [utm or all]
   set logtraffic-start disable
       ...
   next
end

config antivirus profile

config antivirus profile   edit [Profile Name]      ...      set extended-log enable      ...   nextend

config webfilter profile

config webfilter profile
   edit [Profile Name]
      ...
    set log-all-url disable
    set web-content-log enable
    set web-filter-activex-log enable
    set web-filter-command-block-log enable
    set web-filter-cookie-log enable
    set web-filter-applet-log enable
    set web-filter-jscript-log enable
    set web-filter-js-log enable
    set web-filter-vbs-log enable
    set web-filter-unknown-log enable
    set web-filter-refere-log enable
    set web-filter-cookie-removal-log enable
    set web-url-log enable
    set web-invalid-domain-log enable
    set web-ftgd-err-log enable
    set web-ftgd-quota-usage enable
    set extended-log enable
    set web-extended-all-action-log enable
   next  
end

config ips sensor

config ips sensor
   edit [Sensor Name]
      ...
     set extended-log enable
        config entries
           edit [ID]
           set location all
           set severity info low
           set protocol all
           set os all
           set application all
           set status [enable or default]
            (please refer to the table below)
           set log enable
           set log-packet disable
           set log-attack-context disable
           set action [pass or block or reset or default]
            (please refer to the table below)
            ...
           next
           edit [ID]
              set location all
              set severity medium high critical
          set protocol allset os all
          set application all
          set status [enable or default]
               (please refer to the table 2)
          set log enable
          set log-packet enable
          set log-attack-context disable
          set action [pass or block or reset or default]
              (please refer to the table 2)
              ...

Tip: Ensure evaluation order of IPS sensor entries so that the above settings apply properly.

Action	Status
pass or block or reset	enable
default	default

Table 2: Matching Actions to Status

Configure IPS Packet Logging

Execute the CLI command outlined in the FortiGate Next Generation Firewall documentation.

config ips settings

config ips settings   set packet-log-history 5   set packet-log-post-attack 10   set ips-packet-quota 0end

Configure the Storage Settings

After checking [HD logging space] with the following command, determine the size of [log-quota] with the following calculation:

[log-quota] = [Total HD logging space] / 2

[log-quota] should be rounded down to the nearest thousand. In the following example, the [log-quota] is 88000.

diagnose sys logdisk usage
Total HD usage: 236286 MB/333 MB
Total HD logging space: 177214 MB
HD logging space usage for vdom "root": 106 MB/177214 MB

Execute the CLI command outlined in the FortiGate Next Generation Firewall documentation.

config log disk setting

config log disk setting
   set status enable  
   set ips-archive enable  
   set max-policy-packet-capture-size 100  
   set log-quota [calculated value above,for example here, 88000]  
   set maximum-log-age 5  
   set full-first-warning-threshold 75  
   set full-second-warning-threshold 90  
   set full-final-warning-threshold 95  
   set max-log-file-size 20  
   set roll-schedule daily  
   set diskfull overwrite
...

Configure API Access Permission and Create API Key

Follow the steps outlined in the FortiGate Next Generation Firewall documentation.

Administrator profiles

Use the following parameters when completing the deployment:

Field Name	Parameter
Name	Whatever you want, however we suggest: api_admin
Data Access	Read

Table 3: Administrator Profile

Create new REST API admin

Use the following parameters when completing the deployment:

Field Name	Parameter
Username	Whatever you want, however we suggest: api_user
Administrator Profile	Add your administrator profile created above (we suggested api_admin)
Trusted Hosts	IP Address of your Samurai Local Collector

Table 4: REST API Admin

Complete the Fortinet FortiGate Next-Generation Firewall Integration

Login to the Samurai MDR web application
Click Integrations from the main menu
Click Create
Find and select Fortinet FortiGate Next-Generation Firewall
Select the relevant Local Collector and click Next
You will be presented with the Local Collector IP Address on the left of the screen
To configure Extended Telemetry Collection ensure it is enabled via the toggle
Enter the following information:
- Name for the Integration - the name will appear in the Samurai application for you to easily reference
- Description - optional but if completed will appear in the Samurai application for you to easily reference)
- Devicename - an arbitrary name to identify the Fortinet device
- API-Key - you generated under Create new Rest API Admin
- Select Enable PCAP
- Hostname/IP - hostname or IP address of Fortinet device to collect alerts from
- Port - if you have changed the default port enter the port number, if not, we default to 443
Click on Finish

For general information on Integrations refer to the Integrations article.