Firewall Analyzer supports the following versions of FortiGate:
Note: Firmware v2.26 or later is required.
No separate configuration is required in Firewall Analyzer to receive logs from the virtual firewalls (VDOMs) of a Fortinet physical device. To configure High Availability for a FortiGate firewall with VDOMs, refer to the procedure given below.
Prerequisite to support vdom
In order to get the vdom support for FortiGate Firewall, ensure that the log format selected is Syslog instead of WELF.
If Firewall Analyzer does not receive logs from the FortiGate after you configure it through the UI, carry out the steps below to configure it from the command line.
To determine the version number of the FortiGate that you are running, use the command: get system status
Follow the steps below to configure the FortiGate firewall:
Caution: Do not select CSV format for exporting the logs.
Follow the steps below to configure rulesets for logging all traffic from or to the FortiGate firewall:
Repeat the above steps for all rules for which you want to log traffic.
For more information, refer to the Fortinet documentation.
(For the models like FortiGate 60, FortiGate 200, etc.)
Please follow the steps to enable the device to send the logs to Firewall Analyzer.
Enable syslog:
config log syslogd2 setting
    set status enable
    set server <IP>
    set csv disable
    set facility local7
    set port 1514
    set reliable disable
end
Enable traffic:
config log syslogd filter
    set severity information
    set traffic enable
    set web enable
    set email enable
    set attack enable
    set im enable
    set virus enable
end
Note: Type "show log syslogd filter" to list all available traffic categories.
Stop and start the Firewall Analyzer application/service and check if you are able to receive the FortiGate Firewall packets in Firewall Analyzer.
Note: In FortiGate OS v5.0, there is an option to send syslog over TCP. If Firewall Analyzer is not receiving logs from the FortiGate, check the FortiGate OS version. If it is v5.0 or above, ensure that the 'reliable' option is disabled in the syslog configuration; the FortiGate will then send syslog over UDP.
If you need to further reduce memory use or increase the logging rate, several optimizations are possible.
Disable extended traffic logging
config log fortianalyzer
    set extended-traffic-log {disable | enable}
end
This feature is for ICSA compliance and is enabled by default.
When enabled, the traffic logging volume is doubled, because a log is generated both when a session starts and when it stops.
When disabled, a log is only generated upon a session stop.
With extended-traffic-log enabled, traffic hitting a deny policy (or the implicit deny policy) is also logged regardless of whether logging is enabled on that deny policy.
Using CLI Console:
Ensure SNMP is enabled on the FortiGate by using the command below:
get system snmp sysinfo
If it is disabled, enable it by using the commands below:
config system snmp sysinfo
    set status enable
end
To allow the SNMP Manager running in Firewall Analyzer to query the SNMP Agent running in the firewall, add the Firewall Analyzer host to the SNMP community:
config system snmp community
    edit <SNMP Community ID>
        config hosts
            edit <SNMP Community ID>
                set interface <interface through which Firewall Analyzer is connected to the firewall>
                set ip <Firewall Analyzer machine IP address>
            end
    end
To check that the source interface connecting Firewall Analyzer to the firewall allows SNMP traffic, execute the command below:
get system interface <interface name>
To allow SNMP traffic through the source interface (internal in this example), use the commands below. Note that set allowaccess replaces the whole access list, so list the protocols already permitted on the interface along with snmp:
config system interface
    edit internal
        set allowaccess <proto1> <proto2> snmp
    end
Using Web UI:
To activate SNMP traffic in the source interface:
For FortiGate firewalls, Firewall Analyzer uses device_id as the resource name. In High Availability mode, the active and standby firewalls share the same name but have different device_id values, so Firewall Analyzer displays them as two devices. To avoid this, configure the device name (devname) of the standby firewall to be the device_id of the active firewall. In syslogs from a FortiGate firewall, the device_id field carries the serial number of the device and the devname field carries its host name.
Example:
Active Firewall log: <189>date=2011-09-28 time=13:14:58 devname=DSAC456Z4 device_id=FGT80G3419623587 log_id=0021000002
Standby Firewall log: <188>date=2011-09-28 time=13:14:59 devname=FGT80G3419623587 device_id=FGT80G4534717432 log_id=0022000003
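To see how the devname workaround above affects device identification, here is a small parser for FortiGate key=value syslog lines, added as an example (not Firewall Analyzer's own code). It uses the two example log lines as constructed input; the merge rule in resolve_resources (a line whose devname equals a known device_id is attributed to that device) is an assumption about the behaviour the text describes, not something the page states explicitly.

```python
import re

# Constructed sample input: the two example lines from the page above, plus a
# variant of the standby line as it would look WITHOUT the devname workaround.
ACTIVE_LOG = ("<189>date=2011-09-28 time=13:14:58 devname=DSAC456Z4 "
              "device_id=FGT80G3419623587 log_id=0021000002")
STANDBY_LOG = ("<188>date=2011-09-28 time=13:14:59 devname=FGT80G3419623587 "
               "device_id=FGT80G4534717432 log_id=0022000003")
STANDBY_LOG_DEFAULT_NAME = STANDBY_LOG.replace("devname=FGT80G3419623587",
                                               "devname=DSAC456Z4")

_PRI_RE = re.compile(r"^<(\d{1,3})>")
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_syslog(line):
    """Split a FortiGate key=value syslog line into a dict.

    The leading <PRI> is decoded into facility and severity (RFC 3164:
    PRI = facility * 8 + severity), so facility 23 is local7, matching the
    'set facility local7' in the syslog configuration. Quoted values such
    as msg="..." are unquoted.
    """
    fields = {}
    m = _PRI_RE.match(line)
    if m:
        fields["facility"], fields["severity"] = divmod(int(m.group(1)), 8)
        line = line[m.end():]
    for key, value in _KV_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def resolve_resources(lines):
    """Return the ordered list of distinct resource names the lines create.

    Rule from the page: a resource is keyed on device_id. Assumption: a line
    whose devname equals the device_id of an already-known resource is
    attributed to that resource, which is why naming the standby unit after
    the active unit's device_id merges the HA pair into one device.
    """
    known = []
    for f in (parse_fortigate_syslog(l) for l in lines):
        devname = f.get("devname")
        name = devname if devname in known else f["device_id"]
        if name not in known:
            known.append(name)
    return known
```

With the workaround applied, the two sample lines resolve to a single resource; with the standby's default devname they resolve to two.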
For more details about FortiGate firewall monitoring features, refer to the pages below: