FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
GSober
Staff
Article Id 324681
Description

This article describes how to integrate FortiGate with Microsoft Sentinel through AMA.

Scope

FortiGate.
Solution

To integrate a FortiGate firewall on Azure with Microsoft Sentinel, with a Linux machine acting as the log forwarder, follow the steps below:

  1. From the Content hub in Microsoft Sentinel, install the Fortinet FortiGate Next-Generation Firewall connector. The 'Fortinet via AMA' data connector then becomes visible.

  2. Open the connector page. The following steps are shown:

 

Step A:

The CEF via AMA data connector requires a designated Linux VM acting as a log forwarder to collect the logs.

As an example, Ubuntu 20.04 with Syslog-NG installed is used. Any other version supported by the AMA can be used, with either Syslog-NG or Rsyslog.

Install Syslog-ng on Ubuntu:

The installation steps below are for Ubuntu 20.04, but they can be used with minimal modifications on any other supported distribution; only the repository URLs change.

 

  1. Download and install the release key:

    wget -qO - https://ose-repo.syslog-ng.com/apt/syslog-ng-ose-pub.asc | sudo apt-key add -

  2. Add the repository containing the latest stable build of Syslog-ng to the APT sources. For example, on Ubuntu 20.04:

    echo 'deb https://ose-repo.syslog-ng.com/apt/ stable ubuntu-focal' | sudo tee -a /etc/apt/sources.list.d/syslog-ng-ose.list

  3. Update the package index:

    sudo apt-get update

  4. Install Syslog-ng and its sub-packages:

    sudo apt-get install syslog-ng-core syslog-ng-scl

 

Configure the Data Connector:

Navigate to Microsoft Sentinel workspace -> Configuration -> Data connectors blade. Search for the 'Common Event Format (CEF) via AMA' data connector, install it, and open the connector page.

 

If there is no existing DCR configured to collect the required log facility, create a new DCR (Data Collection Rule). In the Resources section, choose the Linux VM created to forward the logs.

Select the data source type and the data to collect for the resource(s). Whatever is configured here must match the configuration on the FortiGate that sends logs to the Linux log forwarder.

Facility local7 and level LOG_NOTICE have been selected, which matches the FortiGate configuration.

This is the final result:

Run the command provided on the CEF via AMA data connector page to configure the CEF collector on the machine:

 

sudo wget -O Forwarder_AMA_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Forwarder_AMA_in...
python3 Forwarder_AMA_installer.py

 


 

Step B:

Configure the FortiGate to send the logs to the Linux machine. SSH to the FortiGate instance or open a CLI console and run the following, where <log-forwarder-ip> is the IP address of the Linux log forwarder:

config log syslogd setting
    set status enable
    set server <log-forwarder-ip>
    set mode udp
    set port 514
    set facility local7
    set format cef
end

Note that the facility has been set to local7, matching the Data Collection Rule on Azure, and the format has been set to CEF. If either the facility or the minimum level differs between the FortiGate and the DCR, the forwarder receives the messages but Sentinel never ingests them.
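The most common reason for an empty Sentinel table after this setup is a mismatch between what the FortiGate sends (facility and severity in the syslog PRI value) and what the DCR was told to collect. The script below is an added example, not part of the original article or of any Fortinet or Microsoft tooling: it decodes the PRI of received syslog lines and reports whether a DCR configured as in the article (facility local7, minimum level LOG_NOTICE) would ingest them. The sample lines are constructed for illustration, with abbreviated CEF payloads, and are not real FortiGate output; on a live forwarder you would feed it lines captured with tcpdump or from the syslog-ng log file.

```shell
#!/bin/sh
# Added example (not from the original article): check that syslog lines
# received on the forwarder carry the facility/severity the Sentinel DCR
# was configured to collect. Assumes the DCR settings used in the article
# (facility local7, minimum level LOG_NOTICE).

# RFC 5424 numbers: facility local7 = 23, severity notice = 5.
DCR_FACILITY=23
DCR_MIN_SEVERITY=5   # the DCR collects this level and anything more severe (lower number)

# Extract the numeric PRI from a syslog line of the form "<PRI>...".
# Prints nothing if the line has no PRI prefix.
syslog_pri() {
    printf '%s\n' "$1" | sed -n 's/^<\([0-9]\{1,3\}\)>.*/\1/p'
}

# facility = PRI / 8, severity = PRI % 8
syslog_facility() { pri=$(syslog_pri "$1"); echo $(( pri / 8 )); }
syslog_severity() { pri=$(syslog_pri "$1"); echo $(( pri % 8 )); }

# Returns 0 when the DCR (local7, notice or more severe) would ingest the
# line, 1 otherwise (including lines with no PRI at all).
dcr_would_collect() {
    pri=$(syslog_pri "$1")
    [ -n "$pri" ] || return 1
    fac=$(( pri / 8 )); sev=$(( pri % 8 ))
    [ "$fac" -eq "$DCR_FACILITY" ] && [ "$sev" -le "$DCR_MIN_SEVERITY" ]
}

# Constructed sample lines (abbreviated CEF payloads, not real FortiGate output).
# <189> = 23*8 + 5  -> local7, notice: collected.
LINE_OK='<189>Jul  8 10:00:00 fgt CEF:0|Fortinet|Fortigate|v7.0|0000000013|forward|3|deviceExternalId=FGT-TEST cat=traffic:forward'
# <21>  = 2*8 + 5   -> facility mail: FortiGate "set facility" does not match the DCR.
LINE_WRONG_FACILITY='<21>Jul  8 10:00:01 fgt CEF:0|Fortinet|Fortigate|v7.0|0000000013|forward|3|cat=traffic:forward'
# <190> = 23*8 + 6  -> local7, info: less severe than LOG_NOTICE, so filtered out.
LINE_TOO_VERBOSE='<190>Jul  8 10:00:02 fgt CEF:0|Fortinet|Fortigate|v7.0|0000000013|forward|3|cat=traffic:forward'

# Count how many of the given lines the DCR filter would drop.
count_uncollected() {
    n=0
    for l in "$@"; do dcr_would_collect "$l" || n=$((n+1)); done
    echo "$n"
}

# Stand-alone usage: print the verdict for each sample line.
for l in "$LINE_OK" "$LINE_WRONG_FACILITY" "$LINE_TOO_VERBOSE"; do
    if dcr_would_collect "$l"; then verdict=collected; else verdict=DROPPED; fi
    printf '%-9s facility=%s severity=%s\n' "$verdict" "$(syslog_facility "$l")" "$(syslog_severity "$l")"
done
```

The two failure cases shown are exactly the ones the article's note about matching facility and format is meant to prevent: a FortiGate whose `set facility` differs from the DCR, and a DCR whose minimum level is stricter than the severity the FortiGate assigns to its traffic logs. Adjust DCR_FACILITY and DCR_MIN_SEVERITY if your DCR uses different values.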

 

Step C:

To verify that the connector is installed correctly, run the troubleshooting script:

sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_tro...
python3 Sentinel_AMA_troubleshoot.py --cef

The FortiGate is now integrated with Sentinel and the logs are visible in the workspace.