Fortinet Fortigate (syslog)
Configure Fortinet Fortigate for syslog log forwarding to Radiant Security.
In this guide, you will configure syslog log forwarding for Fortinet Fortigate.
Add the data connector in Radiant Security
Log in to Radiant Security.
From the navigation menu, click Settings > Data Connectors and click + Add Connector.
Search for and select the Fortinet Fortigate option and then click Data Feeds.
Under Select your data feeds, select the Fortinet Fortigate v7 data feed and click Credentials.
Under Credential Name, give the credential an identifiable name (e.g. Fortigate - Token). If you already have a credential in place, select it from the drop-down menu. Click Add Connector.
In the Connector tag field, enter a random value. This value will act as the salt to randomize the unique Token you’ll download in the next step.
Click Add Connector.
Copy and save the Token value using the clipboard option or by downloading the Token file. Download the SSL certificate, as you will need it when configuring the syslog source (Fortinet Fortigate) in the next section.
Click Done to save your changes.
Licenses
No additional license is required to forward syslog events directly from each firewall console. If the client has FortiAnalyzer, log collection and forwarding are centralized and follow a different procedure, which is covered below in the Configure log forwarding with FortiAnalyzer section.
Configure the syslog token on the Fortigate Firewalls
Access the Fortigate CLI
Enter the following commands to create a custom log field and apply it to the logging configuration. Repeat this step on all Fortigate firewalls.
Update the values between <> with the corresponding values:
The fieldID can be set to any value that helps identify the custom field.
The token is provided by Radiant Security during the Data Connector setup.
config log custom-field
edit <fieldID>
set name rs_fg_st
set value <token>
end
config log setting
set custom-log-fields <fieldID>
end
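To confirm that every firewall actually stamps its logs with the token, the check below can be run over lines captured at a syslog collector you control. It is an added example, not Radiant Security or Fortinet code, and it assumes the custom field is emitted as rs_fg_st="<token>" among the log's key=value pairs; the token, device names and log lines are constructed.

```python
import hmac
import re

TOKEN_FIELD = "rs_fg_st"  # custom field name from the CLI step above
# key=value pairs; a value is either double-quoted (may contain spaces) or bare
_PAIR = re.compile(r'(\w[\w-]*)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')

def parse_fortigate_line(line):
    """Return the key=value pairs of one FortiGate syslog line as a dict."""
    return {key: quoted or bare for key, quoted, bare in _PAIR.findall(line)}

def check_token(line, expected_token):
    """Classify a line: 'ok', 'missing' (field absent) or 'mismatch'."""
    got = parse_fortigate_line(line).get(TOKEN_FIELD)
    if got is None:
        return "missing"
    # Constant-time comparison, since the token is a shared secret.
    if hmac.compare_digest(got.encode(), expected_token.encode()):
        return "ok"
    return "mismatch"

def audit(lines, expected_token):
    """Tally results per devname so a firewall that was skipped stands out."""
    report = {}
    for line in lines:
        dev = parse_fortigate_line(line).get("devname", "unknown")
        counts = report.setdefault(dev, {"ok": 0, "missing": 0, "mismatch": 0})
        counts[check_token(line, expected_token)] += 1
    return report

# Constructed sample data: placeholder token and made-up device names.
SAMPLE_TOKEN = "EXAMPLE-TOKEN-0001"
SAMPLE_LINES = [
    '<189>date=2024-05-01 time=10:00:01 devname="fw-branch-1" type="traffic" '
    'subtype="forward" action="accept" rs_fg_st="EXAMPLE-TOKEN-0001"',
    # Field name appears only inside a quoted message: must count as missing.
    '<189>date=2024-05-01 time=10:00:02 devname="fw-branch-2" type="event" '
    'subtype="system" msg="edited rs_fg_st=old"',
    '<189>date=2024-05-01 time=10:00:03 devname="fw-branch-3" type="utm" '
    'subtype="webfilter" rs_fg_st="STALE-TOKEN-9999"',
]

if __name__ == "__main__":
    for dev, counts in sorted(audit(SAMPLE_LINES, SAMPLE_TOKEN).items()):
        print(dev, counts)
```

A device that reports only "missing" was skipped in the custom-field step, and one that reports "mismatch" is still carrying an old or mistyped token.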
Configure TLS syslog directly from FortiGate Firewalls
Use the following help article as a reference: Log settings and targets.
In FortiGate, go to System > Certificates > Create/Import > CA Certificate > File.
Upload the CA certificate provided by Radiant Security to FortiGate as a Remote CA.
Log into the FortiGate CLI and configure the following syslogd setting:
config log syslogd setting
set status enable
set server "primary.syslog.radiantsecurity.ai"
set mode reliable
set port 6514
set enc-algorithm high
end
Configure a local Radiant Security Agent
Refer to the Install the Radiant Security Agent guide to set up a local agent to collect the logs.
Configure log forwarding with FortiAnalyzer
Access the FortiAnalyzer Console and go to System Settings > Log Forwarding.
In the toolbar, click Create New.
On the new pane, configure the following settings:
Name: RadiantSecurity_Connector
Status: ON
FQDN/IP: Enter the IP address of the local syslog forwarder
Syslog Server Port: 6514
Reliable Connection: ON
(If available) Remote Server Type: Syslog
(Optional) Device Filters: Select the Fortigate devices whose logs must be forwarded to Radiant Security
If no devices are selected, logs from all Fortigate devices will be forwarded.
Log Filters: ON
Log messages that match: Any of the Following Conditions
Add the following filters:
Log Type Equal To Traffic
Log Type Equal To Event
Log Type Equal To UTM
Click OK to save your changes.