Ingest Logs from Fortinet Fortigate Firewalls - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-05-12
Category
Administrator Guide
Abstract

Extend Cortex XSIAM visibility into logs from Fortinet Fortigate firewalls.

If you use Fortinet Fortigate firewalls, you can still take advantage of Cortex XSIAM investigation and detection capabilities by forwarding your firewall logs to Cortex XSIAM . This enables Cortex XSIAM to examine your network traffic to detect anomalous behavior. Cortex XSIAM can use Fortinet Fortigate firewall logs as the sole data source, but can also use Fortinet Fortigate firewall logs in conjunction with Palo Alto Networks firewall logs. For additional endpoint context, you can also use Cortex XSIAM to collect and alert on endpoint data.

As soon as Cortex XSIAM starts to receive logs, the app can begin stitching network connection logs with other logs to form network stories. Cortex XSIAM can also analyze your logs to raise Analytics alerts and can apply IOC, BIOC, and Correlation Rule matching. You can also use queries to search your network connection logs.

To integrate your logs, you first need to set up an applet in a Broker VM within your network to act as a Syslog collector. You then configure forwarding on your log devices to send logs to the Syslog collector in a CEF format.

  1. Verify that your Fortinet Fortigate firewalls meet the following requirements.

    • Must use FortiOS 6.2.1 or a later release

    • timestamp must be in nanoseconds

  2. Activate the Syslog Collector.

  3. Increase log storage for Fortinet Fortigate firewall logs.

    As an estimate for initial sizing, note that the average Fortinet Fortigate log size is roughly 1,070 bytes. For proper sizing calculations, test the log sizes and log rates produced by your Fortinet Fortigate firewalls. For more information, see Manage Your Log Storage within Cortex XSIAM.

  4. Configure the log device that receives Fortinet Fortigate firewall logs to forward Syslog events to the Syslog collector in a CEF format.

    Configure your firewall policy to log all traffic and forward the traffic logs to the Syslog collector in a CEF format. By logging all traffic, you enable Cortex XSIAM to detect anomalous behavior from Fortinet Fortigate firewall logs. For more information on setting up Log Forwarding on Fortinet Fortigate firewalls, see the Fortinet FortiOS documentation.