Configure Fortinet Firewalls


    Firewall Analyzer supports the following versions of FortiGate:

    • FortiOS - v2.5, 2.8, 3.0, and 5.0
    • Fortinet - 50,100, 200, 300, 400, 800
    • Fortigate - 1000, 5000 series 

    Note:

     Firmware v2.26 or later is required

    Prerequisite to get Application report

    Information about Applications like Skype, FaceBook, YouTube and application categories accessed by users will be available in this report. This report is available for Fortigate only. Ensure Application Control service in their Fortigate firewall is enabled to generate the Application report.

    Virtual Firewall (Virtual Domain) logs

    There is no separate configuration required in Firewall Analyzer for receving logs from Virtual Firewalls of the Fortinet physical device. For configuring High Availablity for FortiGate Firewall with vdoms, refer the procedure given below.

    Prerequisite to support vdom

    In order to get the vdom support for Fortigate Firewall, ensure that the log format selected is Syslog instead of WELF. 


    If Firewall Analyzer is unable to receive the logs from the Fortigate after configuring from UI, please carryout the steps to configure it through command prompt

    To determine the version number of the Fortigate that you are running, use the command: get system status

    Configuring the FortiGate Firewall

    Follow the steps below to configure the FortiGate firewall:

    1. Log in to the FortiGate web interface
    2. Select Log & Report > Log Setting or Log & Report > Log Config > Log Setting (depending on the version of FortiGate)
    3. If you want to export logs in WELF format:
      • Select the Log in WebTrends Enhanced Log Format or the WebTrends checkbox (depending on the version of FortiGate)
      • Enter the IP address of the syslog server
      • Choose the logging level as Information or select the Log All Events checkbox (depending on the version of FortiGate)
    4. If you want to export logs in the syslog format (or export logs to a different configured port):
      • Select the Log to Remote Host option or Syslog checkbox (depending on the version of FortiGate) Syslog format is preffered over WELF, in order to support vdom in Fortigate firewalls.
      • Enter the IP address and port of the syslog server
      • Select the logging level as Information or select the Log All Events checkbox (depending on the version of FortiGate)
      • Select the facility as local7
    5. Click Apply

    Caution:

     Do not select CSV format for exporting the logs.

    Configuring RuleSets for Logging Traffic

    Follow the steps below to configure rulesets for logging all traffic from or to the FortiGate firewall:

    1. Select Firewall > Policy
    2. Choose a rule for which you want to log traffic and click Edit. You can configure any traffic to be logged separately if it is acted upon by a specific rule.
    3. Select the Log Traffic checkbox
    4. Click OK and then click Apply

    Repeat the above steps for all rules for which you want to log traffic.

    For more information, refer the Fortinet documentation.

    If Firewall Analyzer is unable to receive the logs from the Fortigate after configuring from UI, please carryout the steps to configure it through command prompt

    (For the models like Fortigate 60, Fortigate 200, etc.)
    Please follow the steps to enable the device to send the logs to Firewall Analyzer.

    • Start CLI on the Fortigate firewall.
    • Execute the following commands to enable Syslog:

    Enable syslog:
    config log syslogd2 setting
    set status enable
    set server <IP>
    set csv disable
    set facility local7
    set port 1514
    set reliable disable
    end <cr>

    • Execute the following commands to enable Traffic:

    Enable traffic:
    config log syslogd filter<cr>
    set severity information<cr>
    set traffic enable<cr>
    set web enable<cr>
    set email enable<cr>
    set attack enable<cr>
    set im enable<cr>
    set virus enable<cr>
    end <cr>

    Note:

     Type "show log syslogd filter" to list all available traffic.

    Stop and start the Firewall Analyzer application/service and check if you are able to receive the Fortigate Firewall packets in Firewall Analyzer.

    Note:

     In Fortigate OS v5.0, there is an option to send syslog using TCP. If FirewallAnalyzer is not getting logs from Fortigate, please check Fortigate OS version. If it is v5.0 or above, ensure option 'reliable' is disabled in syslog config. Then it will use UDP.
    Syslog setting can only be done through CLI mode. There is no option in UI.

    Memory and logging optimizations

    If further memory reduction or increase of logging rate are required, there are several optimization possibilities.

    Disable extended traffic logging

    config log fortianalyzer
    
    set extended-traffic-log {disable | enable}
    
    end
    

    This feature is for ICSA compliance and is enabled by default.

    When enabled, traffic logging volume is doubled because a log is generated when the sessions starts and stops.

    When disabled, a log is only generated upon a session stop.

    The extended-traffic-log enable command would also cause traffic hitting a deny policy (or the implicit deny policy) to be logged regardless if logging is enable or not on the deny policy.

    Configure/Enable SNMP Protocol for Fortigate Firewall device

    Using CLI Console:

    Ensure SNMP is enabled in Fortigate box by using the below command: 

    get system snmp sysinfo

    If it is disabled, enable it by using the below commands:

    config system snmp sysinfo
    set status enable
    end

    To enable the SNMP Manager running in Firewall Analyzer to make queries to SNMP Agent running in the firewall: 

    config system snmp
    edit <SNMP Community ID>
    config hosts
    edit <SNMP Community ID>
    set interface <Interface through which Firewall Analyzer is connected to Firewall>
    set ip <Firewall Analyzer machine IP address>
    end
    end

    To ensure the source interface that connects Firewall Analyzer to Firewall device allows SNMP traffic, execute the below command: 

    get system interface <interface name>

    To allow SNMP traffic through the source interface use the below command:

    config system interface internal
    set allowaccess <proto1 proto2 SNMP>
    end

    Using Web UI:

    • Log in to the FortiGate web interface
    • Go to System > Config > SNMP v1/v2c
    • Select Enable for the SNMP Agent
    • Enter Description, Location and Contact information.
    • Click Apply

    Note:

    • If you already have a SNMP community, edit it to provide Firewall Analyzer (SNMP Manager) IP address. Also specify the source interface through which Firewall Analyzer connects to Firewall.

    • If you want to add a new SNMP community, click 'Create New' button and enter Community Name. Provide Firewall Analyzer (SNMP Manager) IP address and the source interface through which Firewall Analyzer connects to Firewall.

    To activate SNMP traffic in the source interface:

    • Go to System > Network > Interface.
    • For the interface allowing SNMP traffic, select Edit.
    • Select SNMP for Administrative Access.
    • Select OK

    Configure Fortigate in High Availability Mode:

    In case of Fortigate Firewalls , device_id is considered as resource name in Firewall Analyzer. In the High Availability mode, eventhough both active and standby Firewalls have the same name, the device_id will be different. So, Firewall Analyzer displays them as two devices. To avoid this, you can configure the device name (devname) of standby Firewall as device_id of active Firewall. Syslogs from the FortiGate Firewall will transmit the serial number of the device as the value of device_id field and the host name as the value of the device name (devname) field.

    Example:

    Active Firewall log: <189>date=2011-09-28 time=13:14:58 devname=DSAC456Z4 device_id=FGT80G3419623587 log_id=0021000002
    Standby Firewall log: <188>date=2011-09-28 time=13:14:59 devname=FGT80G3419623587 device_id=FGT80G4534717432 log_id=0022000003