Fortinet FortiWeb

Samurai [Local] CollectorSamurai [Cloud] Collector
Picture1.svg

This guide describes the steps required to configure Fortinet FortiWeb to send logs to a Samurai Local Collector deployed on your network. FortiWeb requires access to the Local Collector via syslog on port 514/UDP. 

If you have deployed a FortiAnalyzer, please refer to the Fortinet FortiAnalyzer integration guide.

1) From FortiWeb console:

Configure syslog policy

Follow the steps outlined in the section entitled ‘Configuring Syslog settings’ located within the Fortinet documentation:

Use the parameters defined in the table below for each field:

Field NameParameter
Policy NameWhatever you like, however we recommend ntt_syslog_policy
IP Address (remote syslog server)IP address of your Local Samurai Collector
Port514
FormatDefault
Enable TLSdisabled

Table 1 - Syslog settings

Configure trigger policy

Follow the steps outlined in the section entitled ‘Configuring triggers’ within the Fortinet documentation:

Use the parameters defined in the table below for each field:

Field NameParameter
NameWhatever you like, however we recommend ntt_syslog_trigger
Syslog PolicyWe recommended ntt_syslog_policy

Table 2 - Trigger policy

Configure log destination

Follow the steps outlined in the section entitled ‘Configure log destinations’ within the Fortinet documentation:

Use the parameter defined in the table below for each field:

Field NameParameter
Global Log SettingEnable Syslog
Syslog PolicyWe recommended ntt_syslog_policy
Log LevelInformation
Facilityleave as default (reserved for local use 7)

Table 3 - Log destination

Enable log types

Follow the steps outlined within the Fortinet documentation:

Use the parameter defined in the table below for each field:

Field NameParameter
Other Log SettingsEnable the following:

Enable Attack Log

Enable Traffic Log

Enable Event Log (Optional)
System Alert ThresholdsKeep default values for all (CPU Utilization, Memory Utilization, Log Disk Utilization)
Trigger PolicyWe recommended ntt_syslog_trigger

Table 4 - Log types

For integrations that utilize a Local Collector where we ingest syslog only, you do not need to follow specific steps in the Samurai MDR portal as we auto detect the vendor and product. The only reason you need to use the Samurai MDR portal is if you need to determine the Local Collector IP address. Of course you will still need to ensure the integration is functioning! See Integrations for more information on checking status.

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.