
Fortinet FortiGate

Log collector

You can integrate Fortinet FortiGate with Sophos Central. This lets FortiGate send firewall alerts to the Sophos Data Lake.

This integration uses a log collector on a virtual machine (VM). The log collector receives third-party data and sends it to the Sophos Data Lake.

Note

A VM can host integrations for multiple products, but can't host more than one integration of the same product.

The key steps are as follows:

  • Add an integration for this product. This configures an Open Virtual Appliance (OVA) file.
  • Deploy the OVA file on your ESXi server. This becomes your log collector.
  • Configure FortiGate to send data to the log collector.

Add an integration

To add the integration, do as follows:

  1. Sign in to Sophos Central.
  2. Go to Threat Analysis Center > Integrations.
  3. Click Fortinet FortiGate.

    If you've already set up connections to FortiGate, you see them here.

  4. In Integrations, click Add integration.

    Note

    If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.

    Integration steps appears.

Configure the VM

In Integration steps you configure your VM to receive data from FortiGate. You can use an existing VM, or create a new one.

To configure the VM, do as follows:

  1. Enter an integration name and description.
  2. Enter Virtual appliance name and Virtual appliance description.
  3. Select the virtual platform. (Currently, we only support VMware.)
  4. Specify the internet-facing network ports.

    • Select DHCP to assign the IP address automatically.

      Note

      If you select DHCP, you must reserve the IP address.

    • Select Manual to specify network settings.

    You'll need the VM's address and port number later, when you configure FortiGate to send data to it.

  5. Select a Protocol.

  6. Complete any remaining fields on the form.
  7. Click Save.

    We create the integration and it appears in your list. It might take a few minutes for the OVA file to be ready.

Deploy the VM

Restriction

The OVA file is verified with Sophos Central, so it can only be used once. After it's been deployed, it can't be used again.

If you have to deploy a new VM, you must do all these steps again to link this integration to Sophos Central.

Use the OVA file to deploy the VM. To do this, do as follows:

  1. In the list of integrations, in Actions, click Download OVA.
  2. When the OVA file download finishes, deploy it on your ESXi server. An assistant guides you through the steps. See Deploy a VM for integrations.

When you've deployed the VM, the integration shows as Connected.

Configure FortiGate

Now you configure FortiGate to send alerts to the Sophos log collector on the VM.

  1. Sign in to the command-line interface (CLI).
  2. Enter the following commands to turn on syslog forwarding and send data to your log collector. Make sure you use the correct commands for your FortiGate version.

    config log syslogd setting
    set status enable
    set facility user
    set port [port number of your VM]
    set server [IP address of your VM]
    set mode udp
    set format cef
    end

    config log syslogd setting
    set status enable
    set facility user
    set port [port number of your VM]
    set server [IP address of your VM]
    set format cef
    set reliable disable
    end

Note

You can configure up to four syslog servers on FortiGate. Just replace syslogd with syslogd2, syslogd3 or syslogd4 in the first line to configure each syslog server.

Your FortiGate alerts should now appear in the Sophos Data Lake after validation.
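To confirm that CEF syslog from FortiGate actually reaches the VM on the port you entered in Integration steps, here is an added Python check (not Sophos or Fortinet code). It parses a syslog-wrapped CEF datagram and reports whether the sender used the `user` facility set above; the sample line is constructed, not captured from a real FortiGate.

```python
import re
import socket

# Syslog facility number for "user", the value set by "set facility user".
FACILITY_USER = 1
CEF_HEADER = ("cef_version", "device_vendor", "device_product",
              "device_version", "signature_id", "name", "severity")

# Constructed sample datagram laid out like a CEF message inside a BSD syslog
# header (<PRI>timestamp host CEF:...); field values are illustrative only.
SAMPLE = ("<14>Apr 12 10:15:02 fgt-edge "
          "CEF:0|Fortinet|Fortigate|v7.0.12|0000000013|forward traffic:accept|3|"
          "src=10.1.2.3 spt=51234 dst=93.184.216.34 dpt=443 proto=6 act=accept "
          "msg=Outbound HTTPS allowed by policy\\=42")


def parse_cef(line: str) -> dict:
    """Parse one syslog-wrapped CEF line into facility, header fields and extensions."""
    m = re.match(r"^<(\d{1,3})>(.*?)(CEF:.*)$", line, re.DOTALL)
    if not m:
        raise ValueError("not a syslog line carrying a CEF message")
    pri = int(m.group(1))
    # Header fields are '|'-separated; a literal '|' inside a field is escaped as '\|'.
    parts = re.split(r"(?<!\\)\|", m.group(3), maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header does not have 7 fields")
    record = {k: v.replace("\\|", "|") for k, v in zip(CEF_HEADER, parts[:7])}
    record["cef_version"] = record["cef_version"][len("CEF:"):]
    # Extensions are key=value pairs; values may contain spaces, and a literal
    # '=' in a value is escaped as '\=', so split on unescaped 'key=' boundaries.
    ext_str = parts[7].strip()
    keys = list(re.finditer(r"(?:^|(?<=\s))(\w+)=", ext_str))
    ext = {}
    for i, k in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext_str)
        ext[k.group(1)] = ext_str[k.end():end].strip().replace("\\=", "=")
    record.update(facility=pri >> 3, syslog_severity=pri & 7, extension=ext)
    return record


def facility_matches(record: dict) -> bool:
    """True if the sender used the 'user' facility the integration steps configure."""
    return record["facility"] == FACILITY_USER


def receive_one(port: int, host: str = "0.0.0.0") -> dict:
    """Bind a UDP port, take one datagram from FortiGate and parse it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        data, _peer = sock.recvfrom(65535)
    return parse_cef(data.decode("utf-8", errors="replace"))
```

Run `receive_one` on a test host or on a spare port rather than on the deployed collector, because the log collector already owns the port you configured.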

Customize alerts

Most FortiGate features are logged by default. To make sure the Traffic, Web and URL Filtering features are logged, enter the following commands:

config log syslogd filter
set traffic enable
set web enable
set url-filter enable
end

FortiGate 5.4 and later can also log referrer URLs. A referrer URL is the address of the web page where a user clicked a link to go to the current page. This is useful for web usage analysis.

To turn on referrer URL logging for each web profile, do as follows:

config webfilter profile
edit [Name of your profile]
set log-all-url enable
set web-filter-referer-log enable
end

More resources

This video takes you through setting up the integration.

For more information on logging to a remote syslog server, see Fortinet’s Logging and Reporting Guide.