Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Hassan09
Staff
Staff

Created on ‎11-26-2021 05:28 AM Edited on ‎11-26-2021 05:56 AM By Community Manager

Article Id 199709

Technical Tip: Integrate FortiGate with Microsoft Sentinel

Description

This article describes how to integrate Fortigate, with Microsoft Sentinel.
Scope  
Solution

- Microsoft Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution.

Microsoft Sentinel delivers intelligent security analytics and threats intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

 

-To be able to ingest Syslog and CEF logs into Microsoft Sentinel from FortiGate, it will be necessary to configure a Linux machine that will collect the logs from the FortiGate and forward them to the Microsoft sentinel workspace.

This designated machine can be either a physical or Virtual machine in the on-prem, and Azure VM or in different cloud.

 

-Let’s assume to have already Linux machine that Microsoft Sentinel will use as proxy between the Fortigate and Microsoft Sentinel to collect the logs.

 

-On the Microsoft Sentinel Page, select the 'Data Connectors' under Configuration and choose the 'Fortinet' as described below:

 

Sentinel_connector.png

 

On the same page, select open connector page to see the instructions needed:

 

It is possible now to log in to the Linux machine that is acting as log forwarder using SSH and follow the instructions shown in Fortinet Data connector, see the screen below:

 

sentinel_intrsuction.png

 

After successfully performed all steps mentioned in the Fortinet Data connector above, it will possible to receive FortiGate generated CEF message in Microsoft Sentinel.

 

- To check if the syslog daemon is receiving data on port 514, it is possible to use tcpdump command on the Linux machine:The port 514 must be allowed.

 

>sudo tcpdump -A -ni any port 514 -vv

 

To check if, the agent is receiving data on port 25226, use below command:

 

>sudo tcpdump -A -ni any port 25226 –vv

 

To configure FortiGate to send Syslog messages in CEF format to the proxy machine(Linux), can use the below command:

 

# config log syslogd settin
    set status enabl

    set port 514
    set server "x.x.x.x <-----IP of the Syslog agent's IP address
    set format cef
end

 

At this point,  the Fortinet Connector should be visible on the Microsoft Sentinel console turning as 'green', this means the syslog collector is performing correctly, by storing the syslog logs with the right format into the Log Analytics workspace:

 

Sentinel_FGT_logs.png

 

-The Microsoft Sentinel|Overview Page, is showing the events are received:

 

Sentinle_event.png 

The syslog messages sent by FortiGate is categorized as 'CommonSecurityLog'.

 

Here is an example of KQL query:

 

KQL.png

 

 

Labels:
14617
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.