You are here: Docs>Sheriff Web>UserGuides>SheriffCSMDocumentation>DeploymentGuide>PluginManagement>ConfigureLogForwardingOnCommonlyUsedDataSources>FortinetFortiGate (29 Jun 2022, SheriffCyberSecurity)Edit Attach
Up
Previous Next

Sheriff CSMâ„¢

Fortinet FortiGate

When you configure Fortinet FortiGate to send log data to Sheriff CSM, you can use the FortiGate plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:

Plugin Information

DeviceDetails
Vendor Fortinet
Device Type Firewall
Connection Type Syslog
Data Source Name fortigate
Data Source ID 1554

Integrating Fortinet FortiGate

Before you configure the Fortinet FortiGate integration, you must have the IP Address of the Sheriff CSM Sensor (Deputy). You can configure FortiGate from either the web UI or CLI.

To configure FortiGate to send log data to Sheriff CSM from the web UI
  1. Log in to the Fortinet console, and go to Log & Report > Log Config > Log Settings.

  2. Select Send Logs to Syslog and specify the Sheriff CSM Sensor IP address.

  3. In Event Logging, select all the event types you want to capture.

  4. Click Apply.

To configure FortiGate to send log data to Sheriff CSM from the CLI

  • Open the Fortinet CLI Console and enter:

    config log syslogd setting
set status enable
set facility local7
set format csv
set port 514
set reliable disable
set server <IP address of the Sheriff CSM Sensor>
set source-ip <Default: 0.0.0.0>
end

    Note: Fortinet allows up to three remote syslog servers: {syslogd|syslogd2|syslogd3}.

If Virtual Domains (VDOMs) are enabled, each VDOM will use the default FortiAnalyzer/Syslog server, but you can override it from the CLI, allowing you to specify a different FortiAnalyzer/Syslog server for that VDOM.

Use this command within a VDOM to override the global configuration created with the config log syslogd setting command above. These settings configure the connection to the Sheriff CSM Sensor.

To override global configuration for a specific VDOM

  • From the Fortinet CLI Console, enter:

    config log syslogd override-setting
set override enable
set status enable
set csv disable
set facility local7
set port 514
set reliable disable
set server <IP address of the Sheriff CSM Sensor>
set source-ip <Default: 0.0.0.0>
end

Plugin Enablement

For plugin enablement information, see Enable Plugins.

Troubleshooting

For troubleshooting, refer to the vendor documentation:

https://www.fortinet.com/products-services/products/firewall.htm

http://docs.fortinet.com/d/fortigate-troubleshooting-2
Edit  | Attach | Print version | History: r5 < r4 < r3 < r2 | Backlinks | View wiki text | Edit wiki text | More topic actions
Topic revision: r5 - 29 Jun 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.