Fortinet FortiGate Next-Generation Firewall


This article covers three stages:

1) Ensure the Connectivity Requirements are in place.

2) From the FortiGate Next-Generation Firewall console: configure syslog forwarding, the log settings for each security feature, IPS packet logging and disk storage, and (only if you will use Extended Telemetry Collection) an API access profile and REST API key.

3) Once the above is configured, from the Samurai MDR portal: complete the Fortinet FortiGate Next-Generation Firewall Integration.

Note: CLI commands may depend on the FortiOS version. Refer to the relevant Fortinet documentation if needed.

Note: This guide assumes that you are not using the VDOM feature.

Connectivity Requirements

You must ensure the following connectivity requirements are in place:

Source                  | Destination             | Ports                                              | Description
FortiGate NGFW          | Samurai Local Collector | UDP/514 (syslog)                                   | Log transmission
Samurai Local Collector | FortiGate NGFW          | TCP/443 (HTTPS) by default, or the port you define | Optional: REST API access, only needed for Extended Telemetry Collection (see the API section of this article)

Syslog over UDP is neither acknowledged nor encrypted, so keep the path between the FortiGate and the Local Collector inside your trusted network.

Configure Syslog Forwarding Settings

Execute the CLI commands outlined in the FortiGate Next Generation Firewall documentation.

config log syslogd4 setting
   set status enable
   set server "[IP address of your Samurai Local Collector]"
   set mode udp
   set port 514
   unset source-ip
   set format default
end
config log syslogd4 filter
   set filter "[value from Table 1]"
   set filter-type include
end

The following table gives the filter value to use for each combination of security features. The value is a single quoted string; the per-feature tokens are written one after another with no separator between them.

Security Features                  | Value for set filter
IPS/IDS                            | "ips-level(information)"
IPS/IDS and AntiVirus              | "ips-level(information)virus-level(information)"
IPS/IDS, AntiVirus and Web Filter  | "ips-level(information)virus-level(information)webfilter-level(information)"

Table 1: Security Features Logs To Be Sent
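Once the filter is in place, the quickest way to confirm it took effect is to look at what actually arrives at the Collector. The following Python script is an added example, not part of this guide or of the Samurai or Fortinet tooling: it parses FortiGate key=value syslog records (including quoted values with escaped quotes and an optional syslog priority prefix) and reports any (type, subtype) outside the IPS/AntiVirus/Web Filter set that the Table 1 filter is meant to forward. The sample records, device name, device ID and IP addresses are constructed placeholders. The UDP listener is optional; do not bind it on the Collector host itself, where port 514 is already in use.

```python
"""Audit the FortiGate syslog feed at the Collector side.

Added example, not part of the Samurai guide or Fortinet's tooling.  FortiGate
emits one key=value record per syslog message; the syslogd4 filter in this
article is meant to forward only IPS, AntiVirus and Web Filter UTM records.
This script parses each record and reports anything outside that set.
"""
import re
import socket
from collections import Counter

# One key=value pair; quoted values may contain spaces and backslash-escaped quotes.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# (type, subtype) pairs produced by the three-feature filter in Table 1.
EXPECTED_SUBTYPES = {("utm", "ips"), ("utm", "virus"), ("utm", "webfilter")}


def parse_fortigate_kv(line):
    """Parse one FortiGate syslog record into a dict of unquoted string values."""
    # Drop an RFC 3164 priority such as <189> if the capture kept it.
    line = re.sub(r"^<\d{1,3}>", "", line.strip())
    record = {}
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        record[key] = raw
    return record


def audit_feed(lines, expected=EXPECTED_SUBTYPES):
    """Count records per (type, subtype) and collect those outside `expected`.

    Returns (Counter, list_of_unexpected_records).  A non-empty list means the
    syslogd4 filter is not doing its job, e.g. traffic logs leaking into a
    UTM-only feed and inflating volume at the Collector.
    """
    counts = Counter()
    unexpected = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_fortigate_kv(line)
        key = (rec.get("type", "?"), rec.get("subtype", "?"))
        counts[key] += 1
        if key not in expected:
            unexpected.append(rec)
    return counts, unexpected


def listen_udp(port=514, max_records=100, bind_addr="0.0.0.0"):
    """Yield raw syslog records from a UDP socket (binding to 514 needs root)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        for _ in range(max_records):
            data, _addr = sock.recvfrom(65535)
            yield data.decode("utf-8", errors="replace")


# Constructed sample records (not captured from a real device); devname, devid
# and addresses are documentation placeholders.  The fourth record is a traffic
# log that a correctly applied Table 1 filter would not forward.
SAMPLE_LINES = [
    '<189>date=2024-05-01 time=10:15:02 devname="fgt-edge-01" devid="FGT60FTK00000000" '
    'logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" '
    'vd="root" srcip=198.51.100.7 dstip=192.0.2.20 srcport=51234 dstport=80 proto=6 '
    'action="dropped" severity="high" attack="HTTP.URI.SQL.Injection" '
    'msg="web: HTTP.URI.SQL.Injection"',
    '<188>date=2024-05-01 time=10:15:09 devname="fgt-edge-01" devid="FGT60FTK00000000" '
    'logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" '
    'vd="root" srcip=192.0.2.33 dstip=198.51.100.80 action="blocked" service="HTTP" '
    'virus="EICAR_TEST_FILE" filename="eicar.com" msg="File is infected."',
    '<188>date=2024-05-01 time=10:15:20 devname="fgt-edge-01" devid="FGT60FTK00000000" '
    'logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" '
    'vd="root" srcip=192.0.2.34 dstip=198.51.100.90 hostname="example.net" url="/" '
    'catdesc="Malicious Websites" action="blocked" msg="URL belongs to a denied category"',
    '<190>date=2024-05-01 time=10:15:21 devname="fgt-edge-01" devid="FGT60FTK00000000" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=192.0.2.35 dstip=198.51.100.91 dstport=443 proto=6 action="accept"',
]

if __name__ == "__main__":
    counts, unexpected = audit_feed(SAMPLE_LINES)
    for (typ, sub), n in sorted(counts.items()):
        print(f"{typ}/{sub}: {n}")
    for rec in unexpected:
        print("UNEXPECTED:", rec.get("logid"), rec.get("type"), rec.get("subtype"))
```

Feed it a saved capture (for example the text of a tcpdump of UDP/514) or the output of listen_udp() from a test host. Any traffic/forward record in the result means the syslogd4 filter or filter-type include is not in effect on the device sending the logs.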

Configure Log Settings for Each Security Feature

Execute the CLI commands outlined in the FortiGate Next Generation Firewall documentation.

config firewall policy
   edit [Policy ID]
      ...
      set logtraffic [utm or all]
      set logtraffic-start disable
      ...
   next
end

With logtraffic utm, the policy logs only sessions that triggered a security profile; all logs every session matched by the policy and generates considerably more volume.
config antivirus profile
   edit [Profile Name]
      ...
      set extended-log enable
      ...
   next
end
config webfilter profile
   edit [Profile Name]
      ...
      set log-all-url disable
      set web-content-log enable
      set web-filter-activex-log enable
      set web-filter-command-block-log enable
      set web-filter-cookie-log enable
      set web-filter-applet-log enable
      set web-filter-jscript-log enable
      set web-filter-js-log enable
      set web-filter-vbs-log enable
      set web-filter-unknown-log enable
      set web-filter-refere-log enable
      set web-filter-cookie-removal-log enable
      set web-url-log enable
      set web-invalid-domain-log enable
      set web-ftgd-err-log enable
      set web-ftgd-quota-usage enable
      set extended-log enable
      set web-extended-all-action-log enable
   next
end
config ips sensor
   edit [Sensor Name]
      ...
      set extended-log enable
      config entries
         edit [ID]
            set location all
            set severity info low
            set protocol all
            set os all
            set application all
            set status [enable or default]
               (see Table 2)
            set log enable
            set log-packet disable
            set log-attack-context disable
            set action [pass or block or reset or default]
               (see Table 2)
            ...
         next
         edit [ID]
            set location all
            set severity medium high critical
            set protocol all
            set os all
            set application all
            set status [enable or default]
               (see Table 2)
            set log enable
            set log-packet enable
            set log-attack-context disable
            set action [pass or block or reset or default]
               (see Table 2)
            ...
         next
      end
   next
end

The two entries differ only in severity and log-packet: packet capture is enabled for medium, high and critical signatures and disabled for info and low.

Tip: Entries in an IPS sensor are evaluated in order, so check that no other entry in the sensor overrides the two entries above for the same signatures.

Action                | Status
pass, block or reset  | enable
default               | default

Table 2: Matching Actions to Status

Configure IPS Packet Logging

Execute the CLI command outlined in the FortiGate Next Generation Firewall documentation.

config ips settings
   set packet-log-history 5
   set packet-log-post-attack 10
   set ips-packet-quota 0
end

With these values, each IPS packet log keeps 5 packets up to and including the one that triggered the signature and 10 packets after it.

Configure the Storage Settings

Run the following command and note the Total HD logging space figure:

diagnose sys logdisk usage
Total HD usage: 236286 MB/333 MB
Total HD logging space: 177214 MB
HD logging space usage for vdom "root": 106 MB/177214 MB

Then determine [log-quota] (in MB) as:

[log-quota] = [Total HD logging space] / 2

rounded down to the nearest thousand. In the example above, 177214 / 2 = 88607, so [log-quota] is 88000.
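As an added example (not part of this guide or of FortiOS), the Python helper below applies the rule above to pasted diagnose sys logdisk usage output, so the figure you type into set log-quota is computed from the device's own number rather than by hand. The one-half ratio and the 1000 MB rounding step are the guide's choices and are exposed as parameters; a result of 0 is treated as an error, since it is not a value the procedure intends you to configure.

```python
"""Derive log-quota for `config log disk setting` from diagnose output.

Added example, not part of the Samurai guide or FortiOS.  It applies the
guide's rule (half of "Total HD logging space", rounded down to the nearest
thousand MB) to the text of `diagnose sys logdisk usage`.  The 1/2 ratio and
the 1000 MB step are the guide's choices, not FortiOS requirements.
"""
import re

_SPACE_RE = re.compile(r"^Total HD logging space:\s*(\d+)\s*MB", re.MULTILINE)


def logging_space_mb(diag_output):
    """Return the 'Total HD logging space' value (MB) from the diagnose output."""
    match = _SPACE_RE.search(diag_output)
    if match is None:
        raise ValueError("no 'Total HD logging space' line; is disk logging enabled?")
    return int(match.group(1))


def log_quota_mb(total_logging_space_mb, ratio=0.5, step=1000):
    """Apply the guide's rule: total * ratio, rounded down to a multiple of step."""
    quota = int(total_logging_space_mb * ratio)
    quota -= quota % step
    if quota <= 0:
        # Too little logging space for the rule to yield a usable quota.
        raise ValueError(f"{total_logging_space_mb} MB is too small for a {step} MB step")
    return quota


def quota_from_diag(diag_output):
    """Paste the diagnose output, get the value for `set log-quota`."""
    return log_quota_mb(logging_space_mb(diag_output))


# The sample output quoted in this article (the figures are the guide's).
SAMPLE_DIAG = """\
Total HD usage: 236286 MB/333 MB
Total HD logging space: 177214 MB
HD logging space usage for vdom "root": 106 MB/177214 MB
"""

if __name__ == "__main__":
    print(f"set log-quota {quota_from_diag(SAMPLE_DIAG)}")  # 88000 for the sample above
```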

Execute the CLI command outlined in the FortiGate Next Generation Firewall documentation.

config log disk setting
   set status enable
   set ips-archive enable
   set max-policy-packet-capture-size 100
   set log-quota [calculated value above; in this example, 88000]
   set maximum-log-age 5
   set full-first-warning-threshold 75
   set full-second-warning-threshold 90
   set full-final-warning-threshold 95
   set max-log-file-size 20
   set roll-schedule daily
   set diskfull overwrite
   ...
end

Configure API Access Permission and Create API Key

This step is only required if you will enable Extended Telemetry Collection in the Samurai MDR portal. Follow the steps outlined in the FortiGate Next Generation Firewall documentation to create an administrator profile and a REST API admin, using the parameters below.

Use the following parameters when creating the administrator profile:

Field Name   | Parameter
Name         | Whatever you want, however we suggest: api_admin
Data Access  | Read

Table 3: Administrator Profile

Use the following parameters when creating the REST API admin:

Field Name             | Parameter
Username               | Whatever you want, however we suggest: api_user
Administrator Profile  | The administrator profile created above (we suggested api_admin)
Trusted Hosts          | IP address of your Samurai Local Collector

Table 4: REST API Admin

Keep the profile read-only and the trusted host limited to the Collector address: the integration only reads alerts, and the trusted-host restriction means the key cannot be used from any other source address. The API key is displayed once when it is generated; record it securely at that point, as you will enter it in the portal step below.

Complete the Fortinet FortiGate Next-Generation Firewall Integration

  1. Log in to the Samurai MDR portal

  2. Click Telemetry and select Integrations from the main menu

  3. Click Create

  4. Find and select Fortinet FortiGate Next-Generation Firewall

  5. Select the relevant Local Collector and click Next

  6. You will be presented with the Local Collector IP Address on the left of the screen

  7. To configure Extended Telemetry Collection, ensure it is enabled via the toggle

  8. Enter the following information:

    • Name for the Integration - the name will appear in the Samurai MDR portal for you to easily reference
    • Description - optional, but if completed it will appear in the Samurai MDR portal for you to easily reference
    • Devicename - an arbitrary name to identify the Fortinet device
    • API-Key - the key you generated under Create new REST API Admin
    • Select Enable PCAP
    • Hostname/IP - hostname or IP address of the Fortinet device to collect alerts from
    • Port - if you have changed the default HTTPS port, enter the port number; if not, we default to 443

  9. Click on Finish

Note: For general information on Integrations refer to the Integrations article.

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.