|
1 | | -# Fortinet FortiGate Integration |
| 1 | +# Fortinet FortiGate Firewall Logs Integration for Elastic |
2 | 2 |
|
3 | | -This integration is for Fortinet FortiGate logs sent in the syslog format. |
| 3 | +## Overview |
4 | 4 |
|
5 | | -## Compatibility |
| 5 | +The Fortinet FortiGate Firewall Logs integration for Elastic enables the collection of logs from Fortinet FortiGate firewalls. This allows for comprehensive security monitoring, threat detection, and network traffic analysis within the Elastic Stack. By ingesting FortiGate logs, users can gain visibility into firewall activity, monitor for security threats, audit policy compliance, and troubleshoot network issues. |
6 | 6 |
|
7 | | -This integration has been tested against FortiOS versions 6.x and 7.x up to 7.4.1. Newer versions are expected to work but have not been tested. |
| 7 | +This integration facilitates: |
| 8 | +- Security monitoring and threat detection |
| 9 | +- Network traffic analysis and monitoring |
| 10 | +- Firewall policy compliance and auditing |
| 11 | +- Intrusion detection and prevention system (IPS) event monitoring |
| 12 | +- VPN connection monitoring and troubleshooting |
| 13 | +- Web filtering and application control monitoring |
8 | 14 |
|
9 | | -## Note |
| 15 | +### Compatibility |
10 | 16 |
|
11 | | -- When using the TCP input, be careful with the configured TCP framing. According to the [Fortigate reference](https://docs.fortinet.com/document/fortigate/7.4.0/cli-reference/405620/config-log-syslogd-setting), framing should be set to `rfc6587` when the syslog mode is reliable. |
| 17 | +This integration has been tested against FortiOS versions 13.x. While newer versions may work, they have not been officially tested. |
12 | 18 |
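Review bot: the new Compatibility line states the integration was "tested against FortiOS versions 13.x", which contradicts the rest of this patch (the CLI reference links in the vendor steps and Vendor Resources still point at the 7.4.0 documentation) and discards the concrete tested range the removed line carried; restore that statement rather than replacing it, e.g. `This integration has been tested against FortiOS versions 6.x and 7.x up to 7.4.1. Newer versions are expected to work but have not been tested.`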
|
13 | | -### Log |
| 19 | +This integration is compatible with Elastic Stack version 8.11.0 or higher. |
14 | 20 |
|
15 | | -The `log` dataset collects Fortinet FortiGate logs. |
| 21 | +### How it works |
16 | 22 |
|
17 | | -{{event "log"}} |
| 23 | +This integration collects logs from FortiGate firewalls by receiving syslog data over TCP or UDP, or by reading directly from log files. An Elastic Agent is deployed on a host that is configured as a syslog receiver or has access to the log files. The agent forwards the logs to your Elastic deployment, where they are processed and enriched by the integration's ingest pipelines. |
18 | 24 |
|
19 | | -{{fields "log"}} |
| 25 | +## What data does this integration collect? |
| 26 | + |
| 27 | +The Fortinet FortiGate Firewall Logs integration collects the following types of logs: |
| 28 | +* **Traffic logs**: Records of firewall decisions to allow or deny traffic. |
| 29 | +* **UTM (Unified Threat Management) logs**: Includes events from antivirus, web filter, application control, IPS, and DNS filter modules. |
| 30 | +* **Event logs**: System-level events, high-availability (HA) events, and configuration changes. |
| 31 | +* **Authentication logs**: Records of VPN, administrator, and user authentication events. |
| 32 | + |
| 33 | +### Supported use cases |
| 34 | + |
| 35 | +Integrating Fortinet FortiGate logs with Elastic provides a powerful solution for enhancing security posture and operational visibility. Key use cases include: |
| 36 | +- **Real-time Threat Detection**: Leverage Elastic SIEM to detect and respond to threats identified in firewall logs. |
| 37 | +- **Network Traffic Analysis**: Use Kibana dashboards to visualize and analyze network traffic patterns, helping to identify anomalies and optimize network performance. |
| 38 | +- **Compliance and Auditing**: Maintain a searchable, long-term archive of firewall logs to meet compliance requirements and conduct security audits. |
| 39 | +- **Incident Response**: Accelerate incident investigation by correlating firewall data with other security and observability data sources within Elastic. |
| 40 | + |
| 41 | +## What do I need to use this integration? |
| 42 | + |
| 43 | +- A FortiGate firewall with administrative access to configure syslog settings. |
| 44 | +- Network connectivity between the FortiGate firewall and the Elastic Agent host. |
| 45 | +- Elastic Stack version 8.11.0 or higher. |
| 46 | + |
| 47 | +## How do I deploy this integration? |
| 48 | + |
| 49 | +### Agent-based deployment |
| 50 | + |
| 51 | +Elastic Agent must be installed on a host that will receive the syslog data or has access to the log files from the FortiGate firewall. For detailed installation instructions, refer to the Elastic Agent [installation guide](docs-content://reference/fleet/install-elastic-agents.md). Only one Elastic Agent is needed per host. |
| 52 | + |
| 53 | +### Vendor set up steps |
| 54 | + |
| 55 | +#### Syslog Configuration |
| 56 | + |
| 57 | +1. Log in to your FortiGate firewall's management interface. |
| 58 | +2. Navigate to the syslog configuration settings. |
| 59 | +3. Configure the FortiGate device to send syslog messages to the IP address and port of the host where the Elastic Agent is installed. |
| 60 | +4. If you are using TCP with reliable syslog mode, ensure that the framing is set to `rfc6587`. This is a critical step for ensuring message integrity. For more details, refer to the [FortiGate CLI reference](https://docs.fortinet.com/document/fortigate/7.4.0/cli-reference/405620/config-log-syslogd-setting). |
| 61 | +5. Configure the appropriate syslog facility and severity levels to match the data you wish to collect. |
| 62 | + |
| 63 | +### Onboard / configure in Kibana |
| 64 | + |
| 65 | +1. In Kibana, navigate to **Management > Integrations**. |
| 66 | +2. Search for "Fortinet FortiGate Firewall Logs" and select the integration. |
| 67 | +3. Click **Add Fortinet FortiGate Firewall Logs**. |
| 68 | +4. Configure the integration with one of the following input types: |
| 69 | + * **TCP**: Provide the listen address and port (e.g., `0.0.0.0:9004`) for the syslog receiver. |
| 70 | + * **UDP**: Provide the listen address and port (e.g., `0.0.0.0:9004`) for the syslog receiver. |
| 71 | + * **Log file**: Specify the path to the log files you want to monitor. |
| 72 | +5. Under the **Settings** tab, configure any optional settings: |
| 73 | + * **Internal/External interfaces**: Define your network interfaces to correctly map network direction. |
| 74 | + * **Internal networks**: Specify your internal network ranges (defaults to private address spaces). |
| 75 | + * **Preserve original event**: Check this option if you want to keep the original, unprocessed log message. |
| 76 | +6. Assign the integration to an agent policy and click **Save and continue**. |
| 77 | + |
| 78 | +### Validation |
| 79 | + |
| 80 | +1. First, verify on the FortiGate device that logs are being actively sent to the configured Elastic Agent host. |
| 81 | +2. In Kibana, navigate to **Discover**. |
| 82 | +3. In the search bar, enter `data_stream.dataset: "fortinet_fortigate.log"` and check for incoming documents. |
| 83 | +4. Verify that events are appearing with recent timestamps. |
| 84 | +5. Navigate to **Management > Dashboards** and search for "Fortinet FortiGate Overview" to see if the visualizations are populated with data. |
| 85 | +6. Generate some test traffic that would be logged by the firewall and confirm that the corresponding logs appear in Kibana. |
| 86 | + |
| 87 | +## Troubleshooting |
| 88 | + |
| 89 | +For help with Elastic ingest tools, check [Common problems](https://www.elastic.co/docs/troubleshoot/ingest/fleet/common-problems). |
| 90 | + |
| 91 | +### Common Configuration Issues |
| 92 | + |
| 93 | +- **No data is being collected**: |
| 94 | + * Verify network connectivity (e.g., using `ping` or `netcat`) between the FortiGate firewall and the Elastic Agent host. |
| 95 | + * Ensure there are no firewalls or network ACLs blocking the syslog port. |
| 96 | + * Confirm that the listening port configured in the Elastic integration matches the destination port configured on the FortiGate device. |
| 97 | +- **TCP framing issues**: |
| 98 | + * When using TCP input with reliable syslog mode, both the FortiGate configuration and the integration settings must have framing set to `rfc6587`. Mismatched framing settings will result in parsing errors or lost logs. |
| 99 | + |
| 100 | +### Vendor Resources |
| 101 | + |
| 102 | +- [FortiGate CLI Reference - Syslog Settings](https://docs.fortinet.com/document/fortigate/7.4.0/cli-reference/405620/config-log-syslogd-setting) |
| 103 | +- [Fortinet Documentation Library](https://docs.fortinet.com/) |
| 104 | +- [FortiGate Administration Guide](https://docs.fortinet.com/product/fortigate) |
| 105 | + |
| 106 | +## Scaling |
| 107 | + |
| 108 | +For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference-architectures) documentation. A common approach for large-scale syslog collection is to place a load balancer or a dedicated syslog collector like Logstash between the FortiGate devices and the Elastic Agents. |
| 109 | + |
| 110 | +## Reference |
| 111 | + |
| 112 | +### log |
| 113 | + |
| 114 | +The `log` data stream collects all log types from the FortiGate firewall, including traffic, UTM, event, and authentication logs. |
| 115 | + |
| 116 | +#### log fields |
| 117 | + |
| 118 | +{{ fields "log" }} |
| 119 | + |
| 120 | +#### log sample event |
| 121 | + |
| 122 | +{{ event "log" }} |
| 123 | + |
| 124 | +### Inputs used |
| 125 | + |
| 126 | +{{ inputDocs }} |
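Review bot: the Kibana configuration step 4 for the **TCP** input only asks for a listen address and port, while the Troubleshooting section says "both the FortiGate configuration and the integration settings must have framing set to `rfc6587`"; add the framing option to the TCP bullet (e.g. `* **TCP**: Provide the listen address and port (e.g., 0.0.0.0:9004) and set framing to rfc6587 when the FortiGate uses reliable syslog mode.`) so the deployment steps and the troubleshooting guidance agree. Two smaller points in the same region: the Elastic Agent link uses the `docs-content://reference/fleet/install-elastic-agents.md` scheme, which will not resolve for readers viewing this README outside the Elastic docs build, and the "Elastic Stack version 8.11.0 or higher" requirement is stated both under Compatibility and under "What do I need to use this integration?", so one of the two can be dropped.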