jfelix09
Staff
Article Id 248101
Description

This article describes how to configure FortiGate to send encrypted Syslog messages to the Syslog server (rsyslog - Ubuntu Server 20.04).

Scope

FortiGate

Solution

To send encrypted log messages to the Syslog server, FortiGate verifies the Syslog server's certificate against the imported Certificate Authority (CA) certificate during the TLS handshake.

In this example, the certificates are self-signed ones created with the XCA application, following the FortiGate guide on creating certificates:

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/320832/creating-certificates...


The following steps describe the procedure to create the CA certificate and the server certificate:

1) Create a CA certificate and export it as a PEM file named ca-syslog.pem.

2) Create a server certificate signed by that CA and export it as a 'PEM + Key' file named syslog-cert.pem, which contains the certificate and the unencrypted private key concatenated in one PEM file.

3) Create two files: syslog-servercert.pem and syslog-serverkey.key.

4) Open syslog-cert.pem with Notepad and copy the certificate (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines), then paste it into the syslog-servercert.pem file created in step 3.

5) Open syslog-cert.pem with Notepad and copy the private key (including the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines), then paste it into the syslog-serverkey.key file created in step 3.

6) Move the three files (ca-syslog.pem, syslog-servercert.pem, and syslog-serverkey.key) to the syslog server. Place the files in the /home/syslog_cert/ directory.

With the rsyslog service installed and running on Ubuntu Server 20.04, configure the /etc/rsyslog.conf file as follows.

Make the gtls driver the default and define the certificate files:

global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/home/syslog_cert/ca-syslog.pem"
    DefaultNetstreamDriverCertFile="/home/syslog_cert/syslog-servercert.pem"
    DefaultNetstreamDriverKeyFile="/home/syslog_cert/syslog-serverkey.key"
)

Load the TCP listener with the gtls stream driver in TLS mode (StreamDriver.Mode="1"). Authmode "anon" means rsyslog does not request a certificate from FortiGate, so only the server side is authenticated:

module(load="imtcp" StreamDriver.Name="gtls" StreamDriver.Mode="1" StreamDriver.Authmode="anon")

Provide TCP syslog reception on port 6514:

input(type="imtcp" port="6514")

Restart the rsyslog service and check its status with the following commands:

sudo systemctl restart rsyslog
sudo systemctl status rsyslog

Import the CA certificate into FortiGate as a Remote CA certificate (under System -> Certificates -> Create/Import -> CA Certificate -> File, upload the 'ca-syslog.pem' file).

Configure the Syslog settings on FortiGate, changing the server IP address or name to match the Syslog server:

config log syslogd setting
    set status enable
    set server "10.191.85.3"
    set mode reliable
    set port 6514
    set enc-algorithm high
end

A sniffer or packet capture can be taken to verify the TLS exchange between FortiGate and the Syslog server.

If the Syslog server's certificate does not chain to the CA certificate imported on FortiGate, or the CA certificate is not installed in the FortiGate certificate store, the TLS handshake fails and the following alert appears: 'Fatal Error, Description: Unknown CA'.
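To verify the rsyslog listener independently of FortiGate, the following Python script (an added example, not part of the original article and not FortiGate or rsyslog code) opens a TLS connection the way FortiGate's reliable mode does: it trusts only ca-syslog.pem, requires TLS 1.2 or later, presents no client certificate, and sends one octet-counted RFC 5424 message. A server certificate that does not chain to that CA is reported as 'unknown-ca', the client-side counterpart of the 'Unknown CA' alert described above. The server address, port and CA file name come from the article; the hostname, application name and message text are constructed.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional, Tuple


def octet_counted(msg: bytes) -> bytes:
    """RFC 6587 octet-counting framing ("<length> <message>") used by rsyslog imtcp."""
    return b"%d %s" % (len(msg), msg)


def syslog_msg(hostname: str, app: str, text: str, facility: int = 16,
               severity: int = 6, ts: Optional[datetime] = None) -> bytes:
    """Build an RFC 5424 message; the default PRI <134> is local0.info."""
    ts = ts or datetime.now(timezone.utc)
    pri = facility * 8 + severity
    return f"<{pri}>1 {ts.isoformat()} {hostname} {app} - - - {text}".encode()


def send_tls_syslog(server: str, port: int, cafile: str, msg: bytes,
                    timeout: float = 5.0) -> Tuple[str, ...]:
    """Connect like FortiGate 'mode reliable' with 'enc-algorithm high':
    TCP, TLS 1.2+, server certificate chained to the imported CA only,
    and no client certificate (rsyslog StreamDriver.Authmode="anon")."""
    # Passing cafile= means ONLY this CA is trusted, like FortiGate's Remote CA store.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False  # chain validation only; set True if the cert's SAN names the server
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((server, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server) as tls:
                tls.sendall(octet_counted(msg))
                return ("ok", str(tls.version()), str(tls.getpeercert().get("subject")))
    except ssl.SSLCertVerificationError as e:
        # Client-side twin of the 'Unknown CA' alert seen in the packet capture.
        return ("unknown-ca", e.verify_message)
    except ssl.SSLError as e:
        return ("tls-error", str(e))
    except OSError as e:
        return ("connect-error", str(e))


if __name__ == "__main__":
    # Values from the article: rsyslog at 10.191.85.3:6514, trusting ca-syslog.pem.
    line = syslog_msg("fortigate-test", "tlscheck", "rsyslog TLS check")  # constructed message
    print(send_tls_syslog("10.191.85.3", 6514, "ca-syslog.pem", line))
```

Because the listener runs with Authmode "anon", rsyslog never asks the client for a certificate, so a successful 'ok' result only proves that the server side authenticated correctly.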
