Configuring Fortinet Firewalls
Firewall Analyzer supports the following versions of FortiGate:
- FortiOS - v2.5, 2.8, 3.0 and 5.0
- Fortinet - 50,100, 200, 300, 400, 800
- Fortigate - 1000, 5000 series
 |
Firmware v2.26 or later is required |
Prerequisite to get Application report
Information about Applications like Skype, FaceBook, YouTube and application categories accessed by users will be available in this report. This report is available for Fortigate only. Ensure Application Control service in their Fortigate firewall is enabled to generate the Application report.
Virtual Firewall (Virtual Domain) logs
There is no separate configuration required in Firewall Analyzer for receving logs from Virtual Firewalls of the Fortinet physical device. For configuring High Availablity for FortiGate Firewall with vdoms, refer the procedure given below.
Prerequisite to support vdom
In order to get the vdom support for Fortigate Firewall, ensure that the log format selected is Syslog instead of WELF.
If Firewall Analyzer is unable to receive the logs from the Fortigate after configuring from UI, please carryout the steps to configure it through command prompt
To determine the version number of the Fortigate that you are running,
use the command: get system status
Configuring the FortiGate Firewall
Follow the steps below to configure the FortiGate firewall:
- Log in to the FortiGate web interface
- Select Log & Report > Log Setting
or Log & Report > Log Config > Log Setting
(depending on the version of FortiGate)
-
If you want to export logs in WELF format:
- Select the Log in WebTrends Enhanced
Log Format or the WebTrends checkbox (depending
on the version of FortiGate)
- Enter the IP address of the syslog server
- Choose the logging level as Information
or select the Log All Events checkbox (depending on the
version of FortiGate)
-
If you want to export logs in the syslog format (or export logs to
a different configured
port):
- Select the Log to Remote Host
option or Syslog checkbox (depending on the version of
FortiGate) Syslog format is preffered over WELF, in order to support vdom in Fortigate firewalls.
- Enter the IP address and port of the syslog server
- Select the logging level as Information
or select the Log All Events checkbox (depending on the
version of FortiGate)
- Select the facility as local7
- Click Apply
 |
Do not select CSV format for exporting the logs. |
Configuring RuleSets for Logging Traffic
Follow the steps below to configure rulesets for logging all traffic
from or to the FortiGate firewall:
- Select Firewall > Policy
- Choose a rule for which you want to log traffic and
click Edit. You can configure any traffic to be logged
separately if it is acted upon by a specific rule.
- Select the Log Traffic checkbox
- Click OK and then click Apply
Repeat the above steps for all rules for which you want to log traffic.
For more information, refer the Fortinet documentation.
If Firewall Analyzer is unable to receive the logs from the Fortigate after configuring from UI, please carryout the steps to configure it through command prompt
(For the models like Fortigate 60, Fortigate 200, etc.)
Please follow the steps to enable the device to send the logs to Firewall Analyzer.
- Start CLI on the Fortigate firewall.
- Execute the following commands to enable Syslog:
Enable syslog:
config log syslogd setting<cr>
set server (ip address)<cr>
set status enable<cr>
end<cr>
- Execute the following commands to enable Traffic:
Enable traffic:
config log syslogd filter<cr>
set severity information<cr>
set traffic enable<cr>
set web enable<cr>
set email enable<cr>
set attack enable<cr>
set im enable<cr>
set virus enable<cr>
end <cr>
 |
Type "show log syslogd filter" to list all available traffic. |
- Stop and start the Firewall Analyzer application/service and check if you are able to receive the Fortigate Firewall packets in Firewall Analyzer.
Configure/Enable SNMP Protocol for Fortigate Firewall device
Using CLI Console:
Ensure SNMP is enabled in Fortigate box by using the below command:
If it is disabled, enable it by using the below commands:
config system snmp sysinfo
set status enable
end
|
To enable the SNMP Manager running in Firewall Analyzer to make queries to SNMP Agent running in the firewall:
config system snmp
edit <SNMP Community ID>
config hosts
edit <SNMP Community ID>
set interface <Interface through which Firewall Analyzer is connected to Firewall>
set ip <Firewall Analyzer machine IP address>
end
end
|
To ensure the source interface that connects Firewall Analyzer to Firewall device allows SNMP traffic, execute the below command:
get system interface <interface name>
|
To allow SNMP traffic through the source interface use the below command:
config system interface internal
set allowaccess <proto1 proto2 SNMP>
end
|
Using Web UI:
Log in to the FortiGate web interface
Go to System > Config > SNMP v1/v2c
Select Enable for the SNMP Agent
Enter Description, Location and Contact information.
Click Apply.
 |
- If you already have a SNMP community, edit it to provide Firewall Analyzer (SNMP Manager) IP address. Also specify the source interface through which Firewall Analyzer connects to Firewall.
- If you want to add a new SNMP community, click 'Create New' button and enter Community Name. Provide Firewall Analyzer (SNMP Manager) IP address and the source interface through which Firewall Analyzer connects to Firewall.
|
To activate SNMP traffic in the source interface:
Go to System > Network > Interface.
For the interface allowing SNMP traffic, select Edit.
Select SNMP for Administrative Access.
Select OK.
Configure Fortigate in High Availability Mode:
In case of Fortigate Firewalls , device_id is considered as resource name in Firewall Analyzer. In the High Availability mode, eventhough both active and standby Firewalls have the same name, the device_id will be different. So, Firewall Analyzer displays them as two devices. To avoid this, you can configure the device name (devname) of standby Firewall as device_id of active Firewall. Syslogs from the FortiGate Firewall will transmit the serial number of the device as the value of device_id field and the host name as the value of the device name (devname) field.
Example:
Active Firewall log: <189>date=2011-09-28 time=13:14:58 devname=DSAC456Z4 device_id=FGT80G3419623587 log_id=0021000002
Standby Firewall log: <188>date=2011-09-28 time=13:14:59 devname=FGT80G3419623587 device_id=FGT80G4534717432 log_id=0022000003
|