Configure Fortigate SIEM Integration

Section 1: Create a Firewall Rule on your Utility Agent

Note: Linux can also be used as a utility agent; Ubuntu 20.04 and 22.04 are the currently supported versions. The steps below are for a Windows utility agent.

1. From the Utility Host, open the Run command and enter wf.msc, or open the Control Panel and navigate to the firewall settings page.
2. Select Inbound Rules on the right side.
3. Right-click and select New Rule.
4. Select Custom, then click Next.
5. Select All Programs, then click Next.
6. Use the following settings, then click Next:
   Protocol Type: UDP
   Local Port: 514
7. Under "Which remote IP addresses does this rule apply to?", select These IP Addresses and click Add. In the "This IP address or subnet" field, enter the address the agent will see as the source of the logs: the LAN IP of the Fortinet device if the utility agent is on the same LAN as the firewall, or the Public IP of the Fortinet device that is sending the logs if the utility agent is on a different subnet. Because the listener configured in Section 3 binds to 0.0.0.0 (all interfaces), this remote-address scope is what limits who can send syslog to the agent; do not leave the rule open to any IP address.
8. You'll be brought back to the Scope screen; click Next.
9. On the Action screen, select Allow the connection, then click Next.
10. On the Profile screen, ensure Domain, Private, and Public (the profile Windows applies to guest or public networks) are selected, then click Next.
11. Give the firewall rule a name and description, then click Finish.

Section 2a (Legacy): Configure Fortinet to Forward Logs

1. Log in to the Fortinet console.
2. Select the Log & Report menu option on the left.
3. Select Log Settings.
4. Enable Send logs to syslog.
5. Enter the LAN IP of the Utility Agent.
6. Save your configuration.

Section 2b (FortiOS v5.x+): Configure Fortinet to Forward Logs

1. Open the CLI.
2. Find a syslogd setting that is not in use. FortiOS has four syslog server slots (syslogd, syslogd2, syslogd3, syslogd4); enter one of them without the brackets. An unused slot shows no server set:

    config log {syslogd | syslogd2 | syslogd3 | syslogd4} setting
        show
    end

3. Configure the slot you chose. Replace syslogd with the slot you determined to use in step 2, and replace the quoted values with your own addresses:

    config log syslogd setting
        set mode udp
        set server "LAN IP of Utility Agent"
        set port 514
        set facility user
        set source-ip "LAN IP of FW"
        set format default
        set priority default
        set max-log-rate 0
        set interface-select-method auto
    end

4. Limit the severity of the logs being forwarded with config log syslogd filter and set severity. Warning and above is probably the best setting; Fortinet's documentation lists the available logging levels.

    config log syslogd filter
        set severity warning
    end

5. Confirm the settings:

    config log syslogd setting
        show full
    end

Section 3: Todyl Portal

Configure the integration within the Todyl Portal with the following settings:

UDP Host: 0.0.0.0
UDP Port: 514
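The following PowerShell script is an added example and is not part of Todyl's or Fortinet's documentation or tooling. It performs Section 1 with New-NetFirewallRule instead of the wf.msc wizard, then listens on UDP/514 (the same 0.0.0.0:514 that Section 3 configures) and parses FortiOS "format default" messages (key=value pairs) to confirm that logs arrive from the expected source address and that nothing below the severity chosen in Section 2b is being forwarded. The address 192.0.2.10, the rule name and all function names are assumptions for illustration; the $Levels table lists the FortiOS severity names as they appear in the level= field of each log. Run it in an elevated PowerShell on a Windows utility agent before the Section 3 integration is enabled, because only one process can bind UDP port 514 at a time.

```powershell
# Added example, not Todyl or Fortinet code. Creates the Section 1 rule with PowerShell,
# then watches UDP/514 to verify the Section 2b forwarding and severity filter.
# Run in an elevated PowerShell on the Windows Utility Agent before the Section 3
# integration is enabled: only one process can bind UDP port 514 at a time.

# Assumed values, replace with your own.
$FortigateIP = '192.0.2.10'   # LAN IP of the FortiGate, or its public IP from another subnet
$RuleName    = 'Todyl SIEM - Fortigate syslog (UDP 514)'
$MinLevel    = 'warning'      # same value given to "set severity" in "config log syslogd filter"

# FortiOS severity names, most severe first, as written in the level= field of each log.
# The CLI filter spells the sixth one "notification"; log lines carry "notice".
$Levels = 'emergency','alert','critical','error','warning','notice','information','debug'

# --- Section 1: inbound UDP/514 rule scoped to the FortiGate address only --------------
function Add-FortigateSyslogRule {
    param([string]$Name, [string]$RemoteIP)
    if (-not (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $Name `
            -Description 'Allow FortiGate syslog into the Todyl Utility Agent' `
            -Direction Inbound -Action Allow -Protocol UDP -LocalPort 514 `
            -RemoteAddress $RemoteIP -Program Any `
            -Profile Domain, Private, Public | Out-Null
    }
    # Print the effective scope. A RemoteAddress of "Any" here means the rule is too open.
    $rule = Get-NetFirewallRule -DisplayName $Name
    $addr = $rule | Get-NetFirewallAddressFilter
    $port = $rule | Get-NetFirewallPortFilter
    '{0}: enabled={1} {2}/{3} from {4}' -f $rule.DisplayName, $rule.Enabled, $port.Protocol, $port.LocalPort, $addr.RemoteAddress
}

# --- Section 2b check: parse "format default" messages (key=value pairs, quoted values) --
function ConvertFrom-FortiLog {
    param([string]$Line)
    $body   = $Line -replace '^<\d+>', ''          # drop the syslog <PRI> prefix
    $fields = @{}
    foreach ($m in [regex]::Matches($body, '(\w+)=("(?:[^"\\]|\\.)*"|\S+)')) {
        $fields[$m.Groups[1].Value] = $m.Groups[2].Value.Trim('"')
    }
    return $fields
}

function Test-AtOrAboveLevel {
    param([string]$Level, [string]$Minimum)
    $lvl = ($Level.ToLower() -replace '^notification$', 'notice')
    $min = ($Minimum.ToLower() -replace '^notification$', 'notice')
    $i = [array]::IndexOf($Levels, $lvl)
    $j = [array]::IndexOf($Levels, $min)
    # Unknown or missing level names count as failures so they get looked at.
    return ($i -ge 0) -and ($j -ge 0) -and ($i -le $j)
}

function Watch-FortigateSyslog {
    param([string]$ExpectedSource, [string]$Minimum, [int]$Count = 20, [int]$TimeoutSec = 60)
    $udp = New-Object System.Net.Sockets.UdpClient(514)   # binds 0.0.0.0:514, as in Section 3
    $udp.Client.ReceiveTimeout = $TimeoutSec * 1000
    $from = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
    try {
        for ($n = 0; $n -lt $Count; $n++) {
            try   { $bytes = $udp.Receive([ref]$from) }
            catch [System.Net.Sockets.SocketException] { Write-Warning "No syslog received within $TimeoutSec s"; break }
            $f   = ConvertFrom-FortiLog ([System.Text.Encoding]::UTF8.GetString($bytes))
            $src = $from.Address.ToString()
            # Flag packets from anyone other than the FortiGate, and logs the filter should have dropped.
            $flag = if ($src -ne $ExpectedSource) { 'UNEXPECTED-SOURCE' } elseif (-not (Test-AtOrAboveLevel $f['level'] $Minimum)) { 'BELOW-THRESHOLD' } else { 'ok' }
            '{0,-16} {1,-12} {2,-11} {3}/{4} {5}' -f $src, $f['devname'], $f['level'], $f['type'], $f['subtype'], $flag
        }
    } finally { $udp.Close() }
}

Add-FortigateSyslogRule -Name $RuleName -RemoteIP $FortigateIP
Watch-FortigateSyslog -ExpectedSource $FortigateIP -Minimum $MinLevel
```

Each received message prints one line with its source address, devname, level, type/subtype and a flag. A line marked UNEXPECTED-SOURCE means the Section 1 scope is not the only path to the port (or the FortiGate's source-ip differs from what you entered); BELOW-THRESHOLD means the config log syslogd filter severity from Section 2b has not taken effect. Stop the script before enabling the Section 3 integration so the port is free.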