This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Fortinet FortiWeb

    Samurai [Local] CollectorSamurai [Cloud] CollectorSamurai [Cloud Native] Collector
    Picture1.svg

    This guide describes the steps required to configure Fortinet FortiWeb to send logs to a Samurai Local Collector deployed on your network. FortiWeb requires access to the Local Collector via syslog on port 514/UDP. 

    If you have deployed a FortiAnalyzer, please refer to the Fortinet FortiAnalyzer integration guide.

    1) From FortiWeb console:

    mceclip0.png We reference version 7.0.4 documentation, be sure to select the version applicable to your FortiWeb

    For more information on FortiWeb logging refer to Fortinet documentation ‘Logging’.

    Configure syslog policy

    Follow the steps outlined in the section entitled ‘Configuring Syslog settings’ located within the Fortinet documentation:

    Use the parameters defined in the table below for each field:

    Field NameParameter
    Policy NameWhatever you like, however we recommend ntt_syslog_policy
    IP Address (remote syslog server)IP address of your Local Samurai Collector
    Port514
    FormatDefault
    Enable TLSdisabled

    Table 1 - Syslog settings

    Configure trigger policy

    Follow the steps outlined in the section entitled ‘Configuring triggers’ within the Fortinet documentation:

    Use the parameters defined in the table below for each field:

    Field NameParameter
    NameWhatever you like, however we recommend ntt_syslog_trigger
    Syslog PolicyWe recommended ntt_syslog_policy

    Table 2 - Trigger policy

    Configure log destination

    Follow the steps outlined in the section entitled ‘Configure log destinations’ within the Fortinet documentation:

    Use the parameter defined in the table below for each field:

    Field NameParameter
    Global Log SettingEnable Syslog
    Syslog PolicyWe recommended ntt_syslog_policy
    Log LevelInformation
    Facilityleave as default (reserved for local use 7)

    Table 3 - Log destination

    Enable log types

    Follow the steps outlined within the Fortinet documentation:

    Use the parameter defined in the table below for each field:

    Field NameParameter
    Other Log SettingsEnable the following:

    Enable Attack Log

    Enable Traffic Log

    Enable Event Log (Optional)
    System Alert ThresholdsKeep default values for all (CPU Utilization, Memory Utilization, Log Disk Utilization)
    Trigger PolicyWe recommended ntt_syslog_trigger

    Table 4 - Log types

    For integrations that utilize a Local Collector where we ingest syslog only, you do not need to follow specific steps in the Samurai MDR portal as we auto detect the vendor and product. The only reason you need to use the Samurai MDR portal is if you need to determine the Local Collector IP address. Of course you will still need to ensure the integration is functioning! See Integrations for more information on checking status.

    Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.