
Sheriff CSM™

Fortinet FortiGate

When you configure Fortinet FortiGate to send log data to Sheriff CSM, you can use the FortiGate plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:

Plugin Information

Device Details
  Vendor            Fortinet
  Device Type       Firewall
  Connection Type   Syslog
  Data Source Name  fortigate
  Data Source ID    1554

Integrating Fortinet FortiGate

Before you configure the Fortinet FortiGate integration, you must know the IP address of the Sheriff CSM Sensor (Deputy) that will receive the logs. You can configure FortiGate from either the web UI or the CLI.

To configure FortiGate to send log data to Sheriff CSM from the web UI
  1. Log in to the Fortinet console, and go to Log & Report > Log Config > Log Settings.
  2. Select Send Logs to Syslog and specify the Sheriff CSM Sensor IP address.
  3. In Event Logging, select all the event types you want to capture.
  4. Click Apply.

To configure FortiGate to send log data to Sheriff CSM from the CLI
  • Open the Fortinet CLI Console and enter:

    config log syslogd setting
    set status enable
    set facility local7
    set format csv
    set port 514
    set reliable disable
    set server <IP address of the Sheriff CSM Sensor>
    set source-ip <Default: 0.0.0.0>
    end

    Note: Fortinet allows up to three remote syslog servers: {syslogd|syslogd2|syslogd3}.

If Virtual Domains (VDOMs) are enabled, each VDOM uses the global FortiAnalyzer/syslog server by default, but you can override this from the CLI to send a VDOM's logs to a different FortiAnalyzer/syslog server.

Use this command within a VDOM to override the global configuration created with the config log syslogd setting command above. These settings configure the connection to the Sheriff CSM Sensor.

To override global configuration for a specific VDOM
  • From the Fortinet CLI Console, enter:

    config log syslogd override-setting
    set override enable
    set status enable
    set csv disable
    set facility local7
    set port 514
    set reliable disable
    set server <IP address of the Sheriff CSM Sensor>
    set source-ip <Default: 0.0.0.0>
    end
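To see what arrives at the Sheriff CSM Sensor once the configuration above is in place, here is an added Python example (not part of the Sheriff or Fortinet documentation) that parses a constructed FortiGate syslog line in the default key=value layout and in the CSV layout selected by "set format csv", and checks that its PRI field carries the local7 facility configured above. The device names and addresses are placeholders, and the CSV layout is assumed to be comma-separated key=value pairs.

```python
import re

# Syslog facility code for local7, matching "set facility local7" above.
LOCAL7 = 23

# Constructed sample: one FortiGate traffic event, first in the default
# key=value layout, then in CSV layout (assumed comma-separated key=value).
# PRI <191> = 23 * 8 + 7, i.e. facility local7, severity debug.
SAMPLE_KV = ('<191>date=2022-06-29 time=10:15:02 devname="FGT-EXAMPLE" '
             'devid="FGT-PLACEHOLDER" logid="0000000013" type="traffic" '
             'subtype="forward" level="notice" vd="root" srcip=10.0.0.5 '
             'srcport=51234 dstip=192.0.2.10 dstport=443 action="accept"')
SAMPLE_CSV = ('<191>date=2022-06-29,time=10:15:02,devname="FGT-EXAMPLE",'
              'devid="FGT-PLACEHOLDER",logid="0000000013",type="traffic",'
              'subtype="forward",level="notice",vd="root",srcip=10.0.0.5,'
              'srcport=51234,dstip=192.0.2.10,dstport=443,action="accept"')

_PRI_RE = re.compile(r'^<(\d{1,3})>')
# key=value pairs; values are either double-quoted or run to the next
# space or comma, so the same pattern handles both layouts.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s,]*)')


def split_pri(line):
    """Return (facility, severity, remainder); PRI = facility * 8 + severity."""
    m = _PRI_RE.match(line)
    if not m:
        return None, None, line
    pri = int(m.group(1))
    return pri // 8, pri % 8, line[m.end():]


def parse_fortigate(line):
    """Parse a FortiGate syslog line into a normalized event dictionary."""
    facility, severity, body = split_pri(line)
    raw = {k: v.strip('"') for k, v in _KV_RE.findall(body)}
    return {
        'facility': facility,
        'facility_is_local7': facility == LOCAL7,
        'severity': severity,
        'device': raw.get('devname'),
        'vdom': raw.get('vd'),
        'log_type': raw.get('type'),
        'src_ip': raw.get('srcip'),
        'src_port': int(raw['srcport']) if 'srcport' in raw else None,
        'dst_ip': raw.get('dstip'),
        'dst_port': int(raw['dstport']) if 'dstport' in raw else None,
        'action': raw.get('action'),
    }
```

If a line parses with facility_is_local7 set to False, the FortiGate (or a VDOM override) is not sending with the facility configured in this procedure.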

Plugin Enablement

For plugin enablement information, see Enable Plugins.

Troubleshooting

For troubleshooting, refer to the vendor documentation:

https://www.fortinet.com/products-services/products/firewall.htm

http://docs.fortinet.com/d/fortigate-troubleshooting-2
Topic revision: r5 - 29 Jun 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.