Fortinet FortiWeb
Samurai [Local] Collector | Samurai [Cloud] Collector |
---|---|
This guide describes the steps required to configure Fortinet FortiWeb to send logs to a Samurai Local Collector deployed on your network. FortiWeb requires access to the Local Collector via syslog on port 514/UDP.
If you have deployed a FortiAnalyzer, please refer to the Fortinet FortiAnalyzer integration guide.
1) From FortiWeb console:
Configure syslog policy
Follow the steps outlined in the section entitled ‘Configuring Syslog settings’ located within the Fortinet documentation:
Use the parameters defined in the table below for each field:
Field Name | Parameter |
---|---|
Policy Name | Whatever you like, however we recommend ntt_syslog_policy |
IP Address (remote syslog server) | IP address of your Local Samurai Collector |
Port | 514 |
Format | Default |
Enable TLS | disabled |
Table 1 - Syslog settings
Configure trigger policy
Follow the steps outlined in the section entitled ‘Configuring triggers’ within the Fortinet documentation:
Use the parameters defined in the table below for each field:
Field Name | Parameter |
---|---|
Name | Whatever you like, however we recommend ntt_syslog_trigger |
Syslog Policy | We recommended ntt_syslog_policy |
Table 2 - Trigger policy
Configure log destination
Follow the steps outlined in the section entitled ‘Configure log destinations’ within the Fortinet documentation:
Use the parameter defined in the table below for each field:
Field Name | Parameter |
---|---|
Global Log Setting | Enable Syslog |
Syslog Policy | We recommended ntt_syslog_policy |
Log Level | Information |
Facility | leave as default (reserved for local use 7) |
Table 3 - Log destination
Enable log types
Follow the steps outlined within the Fortinet documentation:
Use the parameter defined in the table below for each field:
Field Name | Parameter |
---|---|
Other Log Settings | Enable the following: Enable Attack Log Enable Traffic Log Enable Event Log (Optional) |
System Alert Thresholds | Keep default values for all (CPU Utilization, Memory Utilization, Log Disk Utilization) |
Trigger Policy | We recommended ntt_syslog_trigger |
Table 4 - Log types
For integrations that utilize a Local Collector where we ingest syslog only, you do not need to follow specific steps in the Samurai MDR portal as we auto detect the vendor and product. The only reason you need to use the Samurai MDR portal is if you need to determine the Local Collector IP address. Of course you will still need to ensure the integration is functioning! See Integrations for more information on checking status.
Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.