What filters need to be enabled to transfer the source IP address devname = "device_fortigate" on log forwarding?
logver = 604145463 timestamp = 1705406294 devname = "device_fortigate" devid = "FG" vd = "root" date = 2024 - 01 - 16 time = 14: 58: 14 eventtime = 1705406295007253541 tz = "" logid = "15010500" type = "utm" subtype = "dns" eventtype = "dns-response" level = "warning" policyid = 459 sessionid = 1734461551 srcip = IP srcport = srcintf = "DMZ01" srcintfrole = "dmz" dstip = IP dstport = dstintf = "DC-Transport" dstintfrole = "lan" proto = 17 profile = "DNS-Log" xid = 25739 qname = "" qtype = "A" qtypeval = 1 qclass = "IN" ipaddr = "127.0.0.1" msg = "A rating error occurs" action = "pass" cat = 255 catdesc = "Unknown" error = "no available Fortiguard SDNS servers"
Hi @VasilyZaycev.
Using the following commands on the FortiAnalyzer, will allow the event to retain its original source IP
config system log-forward
edit <id>
set fwd-log-source-ip original_ip
next
end
I hope that helps!
Hi,
I don't deal with licenses.
And the setting was used on FortiAnalyzer to transfer the source IP address of the Fortinet event.
Created on 03-25-2024 05:47 AM Edited on 03-25-2024 05:48 AM
Thx VasilyZaycev,
Is the best practice to integrate only FortiAnalyzer, or to have logs directly from the firewalls (FortiGate)?
It is important for us to have logs from FortiGate for the SIEM.
There is no best practice here. Both will achieve the same thing. It is a design decision. Here are some things to consider:
I hope that helps.
Good approach for choosing the method, Thanks
Hi @Waloo5
FortiSIEM will use 1 device license per unique IP address. If you use the above configuration, then each firewall will maintain its unique IP address. Therefore, each firewall will use up 1 device license.
Thanks, and if we use FAZ instead of the FWs, does it count as 1 license, or does each FW count as 1 license?
As per the configuration above, this makes sure that each log is sent with the firewall IP address as the source. If you do not use this configuration, then all logs are sent from the FAZ IP only. This would consume a single device license. However, this will also limit your functionality. For example, the firewalls would not be in the CMDB. Also, you would not be able to do any performance monitoring per firewall.
It is better to have each device discovered and visible in the CMDB.
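To make the licensing point concrete, here is an added example (not Fortinet's code and not from this thread): a small parser for the FortiGate key=value log format, plus a function that groups forwarded events by the syslog source address a SIEM sees. With fwd-log-source-ip set to original_ip each FortiGate keeps its own address (one unique source IP per firewall); with the default, every event arrives from the FortiAnalyzer address and collapses to a single source. The device names and IP addresses are constructed placeholders.

```python
import re
from collections import defaultdict

# Regex for FortiGate's key=value format: a value is either double-quoted
# (may contain spaces) or a bare token; a bare value may be empty (srcport=).
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s"]*)')

def parse_fortigate_log(line):
    """Return the key=value fields of one FortiGate log line as a dict,
    with quotes stripped. Empty values (srcport=, qname="") become ""."""
    fields = {}
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields

def licensed_sources(forwarded):
    """forwarded: list of (syslog_source_ip, raw_line) as a SIEM receives them.
    Returns {source_ip: sorted devnames}; the number of keys is the number of
    unique source IPs, which is what FortiSIEM counts device licenses against."""
    by_ip = defaultdict(set)
    for src_ip, line in forwarded:
        by_ip[src_ip].add(parse_fortigate_log(line).get("devname", "<no devname>"))
    return {ip: sorted(names) for ip, names in by_ip.items()}

# Constructed sample modelled on the DNS UTM event quoted in the thread; the
# devnames and addresses are documentation-range placeholders, not real devices.
EVENT_A = ('logver=604145463 devname="fw-branch-a" devid="FG-A" vd="root" '
           'logid="15010500" type="utm" subtype="dns" eventtype="dns-response" '
           'level="warning" srcip=192.0.2.10 srcport= srcintf="DMZ01" proto=17 '
           'qname="" qtype="A" msg="A rating error occurs" action="pass"')
EVENT_B = EVENT_A.replace("fw-branch-a", "fw-branch-b").replace("FG-A", "FG-B")

FAZ_IP = "198.51.100.5"
# fwd-log-source-ip original_ip: each event keeps its own FortiGate's address.
WITH_ORIGINAL_IP = [("192.0.2.1", EVENT_A), ("192.0.2.2", EVENT_B), ("192.0.2.1", EVENT_A)]
# Default behaviour: every event arrives from the FortiAnalyzer's own address.
WITH_FAZ_IP = [(FAZ_IP, EVENT_A), (FAZ_IP, EVENT_B), (FAZ_IP, EVENT_A)]

if __name__ == "__main__":
    for label, batch in (("original_ip", WITH_ORIGINAL_IP), ("faz ip", WITH_FAZ_IP)):
        sources = licensed_sources(batch)
        print(f"{label}: {len(sources)} unique source IP(s) -> {sources}")
```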
Thanks, I appreciate your feedback.