
Configuring Fortinet Firewalls


Firewall Analyzer supports the following versions of FortiGate:

  • FortiOS v2.5, 2.8, and 3.0
  • Fortinet - 50, 100, 200, 300, 400, 800
  • FortiGate - 1000, 5000 series
Note: Firmware v2.26 or later is required.

Prerequisite for the Application report

Information about applications such as Skype, Facebook and YouTube, and the application categories accessed by users, is available in this report. This report is available for FortiGate only. Ensure that the Application Control service is enabled on the FortiGate firewall to generate the Application report.

Virtual Firewall (Virtual Domain) logs

No separate configuration is required in Firewall Analyzer to receive logs from the virtual firewalls (VDOMs) of a Fortinet physical device. To configure High Availability for a FortiGate firewall with VDOMs, refer to the procedure given below.

Prerequisite to support VDOMs

To get VDOM support for the FortiGate firewall, ensure that the selected log format is syslog rather than WELF.

If Firewall Analyzer is unable to receive logs from the FortiGate after configuring it through the web UI, carry out the steps given later on this page to configure it through the CLI.

To determine the version number of the FortiGate that you are running, use the command:

    get system status

Configuring the FortiGate Firewall

Follow the steps below to configure the FortiGate firewall:

  1. Log in to the FortiGate web interface
  2. Select Log & Report > Log Setting or Log & Report > Log Config > Log Setting (depending on the version of FortiGate)
  3. If you want to export logs in WELF format:
    • Select the Log in WebTrends Enhanced Log Format or the WebTrends checkbox (depending on the version of FortiGate)
    • Enter the IP address of the syslog server
    • Choose the logging level as Information or select the Log All Events checkbox (depending on the version of FortiGate)
  4. If you want to export logs in the syslog format (or export logs to a different configured port):
    • Select the Log to Remote Host option or the Syslog checkbox (depending on the version of FortiGate). Syslog format is preferred over WELF, because it is required to support VDOMs in FortiGate firewalls.
    • Enter the IP address and port of the syslog server
    • Select the logging level as Information or select the Log All Events checkbox (depending on the version of FortiGate)
    • Select the facility as local7
  5. Click Apply
Attention

Do not select CSV format for exporting the logs.

 

Configuring RuleSets for Logging Traffic

Follow the steps below to configure rulesets for logging all traffic from or to the FortiGate firewall:

  1. Select Firewall > Policy
  2. Choose a rule for which you want to log traffic and click Edit. You can configure any traffic to be logged separately if it is acted upon by a specific rule.
  3. Select the Log Traffic checkbox
  4. Click OK and then click Apply

Repeat the above steps for all rules for which you want to log traffic.

For more information, refer to the Fortinet documentation.

Configuring logging through the CLI (for models like FortiGate 60, FortiGate 200, etc.)

If Firewall Analyzer is still unable to receive logs from the FortiGate after configuring it through the web UI, follow the steps below to configure the device to send logs to Firewall Analyzer through the CLI.

  • Start the CLI on the FortiGate firewall.
  • Execute the following commands to enable syslog:

    config log syslogd setting
    set server <Firewall Analyzer IP address>
    set status enable
    end

  • Execute the following commands to enable traffic logging:

    config log syslogd filter
    set severity information
    set traffic enable
    set web enable
    set email enable
    set attack enable
    set im enable
    set virus enable
    end

    Note: Type "show log syslogd filter" to list all available filter settings.

  • Stop and start the Firewall Analyzer application/service and check whether Firewall Analyzer receives packets from the FortiGate firewall.

Configure/Enable SNMP for the FortiGate firewall device

Using the CLI console:

Ensure SNMP is enabled on the FortiGate by using the command below:

    get system snmp sysinfo

If it is disabled, enable it by using the below commands:

    config system snmp sysinfo
    set status enable
    end

To allow the SNMP manager running in Firewall Analyzer to query the SNMP agent running on the firewall, add the Firewall Analyzer machine as a host of the SNMP community:

    config system snmp community
    edit <SNMP community ID>
    config hosts
    edit <host entry ID>
    set ip <Firewall Analyzer machine IP address>
    set interface <interface through which Firewall Analyzer is connected to the firewall>
    end
    end

To check whether the source interface that connects Firewall Analyzer to the firewall device allows SNMP traffic, execute the command below and look at the allowaccess setting:

    get system interface <interface name>

To allow SNMP traffic through the source interface, use the command below. Note that set allowaccess replaces the whole list, so repeat the protocols that are already allowed on the interface along with snmp:

    config system interface <interface name>
    set allowaccess <existing protocols> snmp
    end

Using Web UI:

  • Log in to the FortiGate web interface
  • Go to System > Config > SNMP v1/v2c
  • Select Enable for the SNMP Agent
  • Enter Description, Location and Contact information.
  • Click Apply.
Note:
  • If you already have an SNMP community, edit it to provide the Firewall Analyzer (SNMP manager) IP address. Also specify the source interface through which Firewall Analyzer connects to the firewall.
  • If you want to add a new SNMP community, click the 'Create New' button and enter the community name. Provide the Firewall Analyzer (SNMP manager) IP address and the source interface through which Firewall Analyzer connects to the firewall.

To activate SNMP traffic on the source interface:

  • Go to System > Network > Interface.
  • For the interface that should allow SNMP traffic, select Edit.
  • Select SNMP under Administrative Access.
  • Select OK.

Configure FortiGate in High Availability mode:

In the case of FortiGate firewalls, device_id is used as the resource name in Firewall Analyzer. In High Availability mode, even though the active and standby firewalls have the same name, their device_id values differ, so Firewall Analyzer displays them as two devices. To avoid this, configure the device name (devname) of the standby firewall as the device_id of the active firewall. Syslogs from the FortiGate firewall carry the serial number of the device as the value of the device_id field and the host name as the value of the device name (devname) field.

Example:

    Active firewall log: <189>date=2011-09-28 time=13:14:58 devname=DSAC456Z4 device_id=FGT80G3419623587 log_id=0021000002
    Standby firewall log: <188>date=2011-09-28 time=13:14:59 devname=FGT80G3419623587 device_id=FGT80G4534717432 log_id=0022000003

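The following Python script is an added example (not code from ManageEngine or Fortinet) that parses FortiGate key=value syslog lines like the two above, decodes the syslog priority (facility 23 is local7, the facility this page asks you to select), and shows how the active/standby pair resolves to two resource names before the devname workaround and to one afterwards. The two sample lines are constructed copies of the page's example; the CSV line and the merge rule in cluster_resource_name (a collector mapping a standby line whose devname equals a known active device_id onto that active unit) are assumptions for illustration, not documented Firewall Analyzer behaviour. It also shows why a CSV export (which the page tells you not to select) yields no fields at all.

```python
import re
from typing import Dict, Optional, Set, Tuple

# Constructed sample lines, modelled on the two HA examples on this page.
ACTIVE_LOG = ("<189>date=2011-09-28 time=13:14:58 devname=DSAC456Z4 "
              "device_id=FGT80G3419623587 log_id=0021000002")
STANDBY_LOG = ("<188>date=2011-09-28 time=13:14:59 devname=FGT80G3419623587 "
               "device_id=FGT80G4534717432 log_id=0022000003")
# Constructed CSV-style line of the kind this page says not to export.
CSV_LOG = "2011-09-28,13:14:58,DSAC456Z4,FGT80G3419623587,0021000002"

PRI_RE = re.compile(r"^<(\d{1,3})>")
# key=value pairs; values may be double-quoted and contain spaces
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S*)')


def parse_fortigate_syslog(line: str) -> Tuple[Optional[int], Optional[int], Dict[str, str]]:
    """Split a FortiGate key=value syslog line into (facility, severity, fields).

    The <PRI> prefix encodes facility*8 + severity; local7 is facility 23.
    """
    facility = severity = None
    m = PRI_RE.match(line)
    if m:
        facility, severity = divmod(int(m.group(1)), 8)
        line = line[m.end():]
    fields: Dict[str, str] = {}
    for key, raw, quoted in KV_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return facility, severity, fields


def looks_like_kv_syslog(line: str) -> bool:
    """Cheap format check: devname or device_id present as a key=value pair.

    A CSV export contains no key=value pairs, so it fails this check.
    """
    _, _, fields = parse_fortigate_syslog(line)
    return "device_id" in fields or "devname" in fields


def is_ha_peer(active: Dict[str, str], standby: Dict[str, str]) -> bool:
    """True when the standby's devname has been set to the active unit's device_id.

    That is the workaround described on this page: both units still report
    their own serial number in device_id, but the standby's devname now
    names the active unit.
    """
    return (active["device_id"] != standby["device_id"]
            and standby.get("devname") == active["device_id"])


def cluster_resource_name(fields: Dict[str, str], active_ids: Set[str]) -> str:
    """Resolve one log line to a single resource name for an HA cluster.

    Assumption (not documented on this page): a collector that knows the
    active units' device_ids maps a line whose devname equals one of them
    onto that active unit, so both cluster members count as one device.
    """
    devname = fields.get("devname", "")
    if devname in active_ids:
        return devname
    return fields["device_id"]


def ha_summary() -> Dict[str, object]:
    """Run the constructed active/standby pair through the helpers above."""
    fac, sev, active = parse_fortigate_syslog(ACTIVE_LOG)
    _, _, standby = parse_fortigate_syslog(STANDBY_LOG)
    active_ids = {active["device_id"]}
    return {
        "facility": fac,                                              # 23 == local7
        "severity": sev,
        "raw_names": (active["device_id"], standby["device_id"]),     # two devices
        "ha_peer": is_ha_peer(active, standby),
        "merged_names": (cluster_resource_name(active, active_ids),
                         cluster_resource_name(standby, active_ids)),  # one device
        "csv_parses": looks_like_kv_syslog(CSV_LOG),                  # False
    }


if __name__ == "__main__":
    for key, value in ha_summary().items():
        print(f"{key}: {value}")
```

Running the script prints facility 23, the two distinct raw device_id values, ha_peer True, the merged names both equal to the active unit's serial, and csv_parses False. The parser deliberately handles double-quoted values, which FortiGate uses for fields such as msg, so the same function works on traffic and event lines beyond the short examples above.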
Copyright © 2013, ZOHO Corp. All Rights Reserved.
ManageEngine