24/1/25, 2:17 p.m.
Fortinet FortiGate | Next-Gen SIEM Third-Party Integrations | Third-Party Integration and Data Connectors | Falcon Next-Gen …
Fortinet FortiGate
Last updated: Nov. 7, 2024
Overview
Enhance Next-Gen SIEM detections with data from Fortinet FortiGate.
Requirements
Subscription: Falcon Next-Gen SIEM or Falcon Next-Gen SIEM 10GB.
CrowdStrike clouds: Available in US-1, US-2, EU-1, and US-GOV-1.
Other requirements:
Your environment must include a functioning deployment of Fortinet FortiGate.
You must have met all prerequisites before starting the data ingestion steps. See
Data ingestion prerequisites [/documentation/page/e001559f/fortinet-fortigate#x93b5870].
Configuring Fortinet FortiGate data ingestion
Set up Fortinet FortiGate data ingestion through the Fortinet FortiGate console and configure a middleware log forwarding solution on your server. For more info,
see Fortinet - configuring log forwarding [https://docs2.fortinet.com/document/fortianalyzer/7.2.1/administration-guide/19991/configuring-log-forwarding].
Note: Fortinet FortiGate requires an on-premises (customer environment) syslog server with the LogScale LogCollector (middleware) component installed
and configured to send the data to Falcon Next-Gen SIEM.
Important: Some of these steps are performed in third-party products. The CrowdStrike Falcon platform integrates the relevant settings as you
configure them. However, CrowdStrike does not validate any third-party configurations. Perform the following steps with care, and validate your
settings and values before finalizing configurations in Falcon.
Data ingestion prerequisites
Important:
On-premises syslog server configured with internet connectivity
Access to a Fortinet FortiGate Administrator account
Configure a new data connector with Fortinet FortiGate as the data source on the Data connectors [/data-connectors/] page. Through this process:
Generate your API key. Save this value to enter later in the integration.
Generate your API URL. Save this value to enter later in the integration.
Configuration summary
Step 1: Configure your data shipper [/documentation/page/e001559f/fortinet-fortigate#r4e90550]
Step 2: Configure the syslog settings using admin account [/documentation/page/e001559f/fortinet-fortigate#y0cd7744]
Step 3: Start the LogScale LogCollector service [/documentation/page/e001559f/fortinet-fortigate#j400831b]
Step 4: Verify successful data ingestion [/documentation/page/e001559f/fortinet-fortigate#te8a9532]
Step 1: Configure your data shipper
https://falcon.us-2.crowdstrike.com/documentation/page/e001559f/fortinet-fortigate 1/4
You can use any data shipper that supports the HEC API to complete this step. We recommend using the Falcon LogScale Collector, available in the Falcon
console at Support and resources > Resources and tools > Tool downloads [/support/tool-downloads].
Follow these steps to set up an on-premises Linux or Windows server in your environment:
1. Install the Falcon LogScale Collector on the on-premises server following these instructions:
For Linux servers, see Install LogScale Collector [https://library.humio.com/falcon-logscale-collector/log-collector-install.html].
For Windows servers, see
Install LogScale Collector on Windows [https://library.humio.com/falcon-logscale-collector/log-collector-install-custom-windows.html].
2. Open the LogScale Collector configuration file in a text editor and insert these lines:
For Linux syslog servers, use this example config.yaml file:
dataDirectory: /var/lib/humio-log-collector
sources:
  # ingest syslog on UDP 514
  syslog_udp_514:
    type: syslog
    mode: udp
    port: 514
    sink: humio
sinks:
  humio:
    type: hec
    proxy: none
    token: <generated_during_data_connector_setup>
    url: <generated_during_data_connector_setup>
For Windows servers, use this example config.yaml file:
dataDirectory: C:\ProgramData\LogScale Collector\
sources:
  syslog_port_514:
    type: syslog
    mode: udp
    port: 514
    sink: humio
sinks:
  humio:
    type: hec
    proxy: none
    token: <generated_during_data_connector_setup>
    url: <generated_during_data_connector_setup>
Verify the sources and sinks sections are correct.
Check that no other services are listening on port 514. For example, this command is commonly used to check for listening ports on Linux:
sudo netstat -lpn
If port 514 is not available, select a different port and confirm it is not in use. Update the port number.
Check the local firewall and confirm that the configured port is not being blocked.
Add the token and url generated in Data ingestion prerequisites. Remove /services/collector from the end of the url.
3. Save and exit the config.yaml file.
4. Start the Falcon LogScale Collector:
For Linux syslog servers, start the new humio-log-collector service from the terminal using this command:
sudo systemctl start humio-log-collector
For Windows servers, look for Services from the search bar, open Services, find Humio Log Collector and right-click Restart.
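Before starting the service, it is worth checking the edited config.yaml for the mistakes this step warns about: placeholders left in place, a url that still ends in /services/collector, and a syslog port that another service already holds. The following pre-flight script is an added example, not CrowdStrike's or Fortinet's code. It assumes the config.yaml layout shown above (one syslog source with mode/port and one hec sink with token/url) and reads it with a small line-oriented reader so PyYAML is not needed; the embedded config text and the example token and host name used in the usage note are constructed values.

```python
"""Offline pre-flight checks for the LogScale Collector config.yaml from Step 1.

Added example, not CrowdStrike's or Fortinet's code. Assumes the layout shown
in the guide: one syslog source (mode, port) and one hec sink (token, url).
"""
import re
import socket

PLACEHOLDER = "<generated_during_data_connector_setup>"
HEC_SUFFIX = "/services/collector"

# Constructed sample: the guide's Linux config with the placeholders still in place.
UNFILLED_CONFIG = """\
dataDirectory: /var/lib/humio-log-collector
sources:
  # ingest syslog on UDP 514
  syslog_udp_514:
    type: syslog
    mode: udp
    port: 514
    sink: humio
sinks:
  humio:
    type: hec
    proxy: none
    token: <generated_during_data_connector_setup>
    url: <generated_during_data_connector_setup>
"""


def parse_collector_config(text):
    """Collect 'key: value' pairs from the file, ignoring indentation and comments.

    The keys that matter here (mode, port, token, url) occur once in the guide's
    layout, so a flat dict is enough; 'type' appears twice and is not used.
    """
    fields = {}
    for line in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", line).strip()  # drop comments
        m = re.match(r"([A-Za-z_][\w-]*):\s*(\S.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def check_config(fields):
    """Return a list of problems; an empty list means the file passes."""
    problems = []
    port = fields.get("port", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append("source port is missing or not a valid port number")
    if fields.get("mode", "").lower() not in ("udp", "tcp"):
        problems.append("source mode must be udp or tcp (the guide uses udp)")
    token = fields.get("token", "")
    if not token or token == PLACEHOLDER:
        problems.append("sink token still holds the placeholder; paste the API key")
    url = fields.get("url", "")
    if not url or url == PLACEHOLDER:
        problems.append("sink url still holds the placeholder; paste the API URL")
    elif url.rstrip("/").endswith(HEC_SUFFIX):
        problems.append("sink url must not end with /services/collector; remove it")
    elif not url.startswith("https://"):
        problems.append("sink url should be an https:// URL")
    return problems


def udp_port_is_free(port, host=""):
    """True if this host can bind the UDP port, False if something already
    holds it, None if the check could not run (ports below 1024 need root)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.bind((host, port))
        except PermissionError:
            return None
        except OSError:
            return False
    return True


def preflight(text, check_port=False):
    """Run the config checks and, optionally, the port-availability check."""
    fields = parse_collector_config(text)
    problems = check_config(fields)
    if check_port and fields.get("port", "").isdigit():
        state = udp_port_is_free(int(fields["port"]))
        if state is False:
            problems.append(f"UDP port {fields['port']} is already in use on this host")
        elif state is None:
            problems.append(f"could not test UDP port {fields['port']}; rerun as root")
    return problems


if __name__ == "__main__":
    # Run against the real file with: preflight(open(path).read(), check_port=True)
    for problem in preflight(UNFILLED_CONFIG, check_port=True) or ["config passes"]:
        print(problem)
```

Run it as root on the collector host against the real file so the port check can bind port 514; the firewall check from this step still has to be done separately, since nothing offline can tell whether the FortiGate's packets are being dropped before they reach the socket.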
Step 2: Configure the syslog settings using admin account
These steps are performed in the administration interface for your instance of Fortinet FortiGate. For more info, see the Fortinet product documentation.
1. Log in to the FortiGate FW with Admin privileges.
2. In the FortiGate GUI, go to Log & Report > Log Settings > Global settings.
3. In the Log Settings section:
Event logging: Select All
Local traffic logging: Select All
Syslog logging: Select Enable
IP address/FQDN: Enter the IP address of the on-premises Linux/Humio LogScale LogCollector server
4. Click Apply to save the changes.
5. In FortiGate CLI:
At the # prompt, enter the following commands:
config log syslogd setting
    set status enable
Note: Make sure to add the IP address of the Linux server in the command below before executing.
    set server <Linux_server_ip_address>
    set mode udp
    set port 514
    set facility syslog
    set format default
    set priority default
    set max-log-rate 0
    set interface-select-method auto
end
At the # prompt, enter the following commands:
Note: Select the severity level at which the required logs are collected. The available log levels are: Emergency, Alert, Critical,
Error, Warning, Notification, Information, and Debug.
config log syslogd filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set voip enable
end
Exit the CLI.
Step 3: Start the LogScale LogCollector service
These steps are performed in the on-premises Linux syslog server in your environment.
1. Start the new humio-log-collector service from the terminal, using this command:
sudo systemctl start humio-log-collector
Step 4: Verify successful data ingestion
Important: Before verifying successful data ingestion, wait at least 15 minutes after setup to allow initial event data to be generated. Search results
aren’t generated until an applicable event occurs. If an event timestamp is greater than the retention period, the data is not visible in search. If you do
not see the raw data after 15 minutes, the product may need more time.
Verify that data is being ingested and appears in Next-Gen SIEM search results:
1. Navigate to Data connectors > Data connectors > My connectors [/data-connectors/connectors].
2. After a few minutes, confirm that data ingestion for the connector is successful by verifying a timestamp exists in the Last ingested (UTC) column.
3. Go to Next-Gen SIEM > Log management > Advanced event search [/investigate/search].
4. Run a search for the data you ingested with this query, and confirm that at least one match is generated:
#Vendor=fortinet | #event.module=fortigate