
Fortinet FortiGate integration

You can integrate Fortinet FortiGate with Sophos Central so that it sends alerts to Sophos for analysis.

This page gives you an overview of the integration.

Fortinet FortiGate product overview

Fortinet's FortiGate is a next-generation firewall that delivers advanced threat protection and performance optimization. Its integrated platform consolidates various security and networking functions, offering users protection against sophisticated threats.

Sophos documents

Integrate Fortinet FortiGate

What we ingest

Sample alerts seen by Sophos:

  • Apache.Struts.2.ParametersInterceptor.Remote.Command.Execution
  • Squirrelly.Template.Engine.Express.Render.API.Code.Injection
  • Splunk.Enterprise.REST.Information.Disclosure
  • TinyWebGallery.Lang.File.Inclusion
  • SIP.Multiple.Single.Value.Required.Header.Field

Alerts ingested in full

We recommend that you configure the following alerts (at severity warning or higher):

  • forward-traffic
  • local-traffic
  • multicast-traffic
  • sniffer-traffic
  • anomaly
  • traffic
  • web
  • url-filter
  • log-all-url
  • web-filter-referer-log

Filtering

We filter alerts and logs as follows.

Agent filter

  • We ALLOW valid CEF.
  • We DROP traffic logs and WAF passthrough logs.
  • We DROP log-only, information, and notice level messages.
  • We DROP various wireless device status messages.

Platform filter

  • We DROP various Active Directory audit logs.
  • We DROP error level messages.
  • We DROP various reviewed and non-security related messages and logs.
  • We DROP various high-volume, low-value specified messages.

Sample threat mappings

{"alertType": "SSL connection is blocked.", "threatId": "T1573", "threatName": "Encrypted Channel"}
{"alertType": "Cerber.Botnet", "threatId": "TA0011", "threatName": "Command and Control"}
{"alertType": "Apache.Log4j.Error.Log.Remote.Code.Execution", "threatId": "T1203", "threatName": "Exploitation for Client Execution"}
{"alertType": "Network.Service: DNS_Dynamic.Update", "threatId": "T1071.004", "threatName": "DNS"}
{"alertType": "Administrator NAME login failed from ssh(IP_ADDRESS) because admin concurrent is disabled", "threatId": "T1078", "threatName": "Valid Accounts"}
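The agent filter rules above and the sample threat mappings can be modelled as a small pipeline: parse the CEF line, apply the drop rules in order, then attach the MITRE ATT&CK mapping keyed on the alert name. The following is an added example written for this page; it is not Sophos or Fortinet code. It assumes FortiGate-style CEF extension keys (`cat` holding `type:subtype`, `act`, `FTNTFGTlevel`), treats "wireless device status" as any `event:wireless` log, and uses constructed sample lines rather than real device output; the level names and the mapping table come from this page.

```python
"""Toy reconstruction of the FortiGate CEF agent filter and threat mapping
described on this page (added example, not Sophos code). The extension keys
(cat, act, FTNTFGTlevel) and the exact rule logic are assumptions made for
illustration; the dropped levels and MITRE mappings are taken from the page."""
import re
from typing import Optional

# MITRE ATT&CK mappings copied from the page's "Sample threat mappings".
THREAT_MAP = {
    "SSL connection is blocked.": ("T1573", "Encrypted Channel"),
    "Cerber.Botnet": ("TA0011", "Command and Control"),
    "Apache.Log4j.Error.Log.Remote.Code.Execution": ("T1203", "Exploitation for Client Execution"),
    "Network.Service: DNS_Dynamic.Update": ("T1071.004", "DNS"),
}
DROP_LEVELS = {"log-only", "information", "notice"}  # levels the agent filter drops


def split_cef_header(line: str) -> Optional[tuple[list[str], str]]:
    """Split a CEF line on unescaped '|' into its 7 header fields plus the
    extension string. Returns None for lines that are not valid CEF."""
    if not line.startswith("CEF:"):
        return None
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):  # '\|' and '\\' are literal chars
            buf.append(line[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < 7:
        return None
    return fields, line[i:]


def parse_extension(ext: str) -> dict:
    """Parse 'key=value key2=value with spaces' into a dict. Splits only where
    a new 'key=' token begins, so values may contain spaces; '\\=' unescapes."""
    out = {}
    for token in re.split(r"\s+(?=\w+=)", ext.strip()):
        if "=" in token:
            key, value = token.split("=", 1)
            out[key] = value.replace("\\=", "=")
    return out


def agent_filter(line: str) -> tuple[str, Optional[dict]]:
    """Apply the page's agent-filter rules. Returns (decision, event) where
    decision is 'ALLOW' or 'DROP:<reason>'."""
    parsed = split_cef_header(line)
    if parsed is None:
        return "DROP:invalid-cef", None  # rule: only valid CEF is allowed
    header, ext = parsed
    event = parse_extension(ext)
    event["name"], event["severity"] = header[5], header[6]
    # Assumption: FortiGate CEF carries "type:subtype" in cat, e.g. "traffic:forward".
    logtype, _, subtype = event.get("cat", "").partition(":")
    level = event.get("FTNTFGTlevel", "").lower()  # assumed key for log level
    if logtype == "traffic":
        return "DROP:traffic", event
    if subtype == "waf" and event.get("act") == "passthrough":
        return "DROP:waf-passthrough", event
    if level in DROP_LEVELS:
        return "DROP:level", event
    if subtype == "wireless":  # simplification of "wireless device status messages"
        return "DROP:wireless-status", event
    return "ALLOW", event


def map_threat(event: dict) -> Optional[dict]:
    """Attach the sample MITRE mapping, keyed on the CEF Name (alertType)."""
    hit = THREAT_MAP.get(event["name"])
    if hit is None:
        return None
    return {"alertType": event["name"], "threatId": hit[0], "threatName": hit[1]}


def process(lines: list[str]) -> list[tuple[str, Optional[str]]]:
    """Filter, then map; returns (decision, threatId or None) per input line."""
    results = []
    for line in lines:
        decision, event = agent_filter(line)
        mapping = map_threat(event) if decision == "ALLOW" else None
        results.append((decision, mapping["threatId"] if mapping else None))
    return results


# Constructed sample lines in FortiGate-style CEF (not real device output).
SAMPLE_LINES = [
    "CEF:0|Fortinet|Fortigate|v7.0.0|16384|Apache.Log4j.Error.Log.Remote.Code.Execution|7|cat=utm:ips act=dropped src=10.0.0.5 dst=10.0.0.9 FTNTFGTlevel=alert",
    "CEF:0|Fortinet|Fortigate|v7.0.0|13|traffic:forward accept|3|cat=traffic:forward act=accept src=10.0.0.5 dst=203.0.113.7 FTNTFGTlevel=notice",
    "CEF:0|Fortinet|Fortigate|v7.0.0|8192|waf signature|5|cat=utm:waf act=passthrough FTNTFGTlevel=warning",
    "CEF:0|Fortinet|Fortigate|v7.0.0|32000|event:system admin login|3|cat=event:system FTNTFGTlevel=notice",
    "CEF:0|Fortinet|Fortigate|v7.0.0|43008|wireless client connected|4|cat=event:wireless FTNTFGTlevel=warning",
    "<189>date=2024-01-01 logid=0100032001 type=event",
    "CEF:0|Fortinet|Fortigate|v7.0.0|1|SSL connection is blocked.|6|cat=utm:ssl act=blocked FTNTFGTlevel=warning",
]

if __name__ == "__main__":
    for line, (decision, threat) in zip(SAMPLE_LINES, process(SAMPLE_LINES)):
        print(f"{decision:22} {threat or '-':10} {line[:60]}")
```

Running the script shows only the IPS alert and the blocked SSL connection surviving the agent filter, each with its mapping attached, while traffic, WAF passthrough, notice-level and wireless-status lines are dropped before they reach the platform filter. The header splitter honours CEF's backslash escaping so a `\|` inside an alert name does not shift the fields.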