Fortinet / FortiGate is a network firewall , delivering networking and security capabilities in a single platform. We here providing you the steps to ingest the device with Seceon SIEM to have a better visibility of threats happening in your environment .
Log in to the firewall User Interface
Change VDOM
By default, user would logon to “root” vdom.
They need to make sure that Global vdom is selected.
User can do that by clicking on the dropdown on top left side and select the vdom root.
Click and expand "Log & Report" then click on 'Log Settings'
Add the CCE IP address
Check the option 'send logs to syslog'
Click Apply to save your settings.
To Configure NetFlow, Login into CLI with correct privileges.
config system netflow
Description: Configure NetFlow.
set collector-ip {ipv4-address}
set collector-port {integer}
set source-ip {ipv4-address}
set active-flow-timeout {integer}
set inactive-flow-timeout {integer}
set template-tx-timeout {integer}
set template-tx-counter {integer}
end
Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
collector-ip | Collector IP - Seceon CCE IP Address | ipv4-address | Not Specified | 0.0.0.0 |
collector-port | NetFlow collector port number. | integer | Minimum value: 0 Maximum value: 65535 | 9995 |
source-ip | Source IP address for communication with the NetFlow agent. | ipv4-address | Not Specified | 0.0.0.0 |
active-flow-timeout | Timeout to report active flows. | integer | Minimum value: 60 Maximum value: 3600 | 1800 |
inactive-flow-timeout | Timeout for the periodic report of finished flows. | integer | Minimum value: 10 Maximum value: 600 | 15 |
template-tx-timeout | Timeout for periodic template flow set transmission. | integer | Minimum value: 60 Maximum value: 86400 | 1800 |
template-tx-counter | The counter flow set records before resending a template flow set the record. | integer | Minimum value: 10 Maximum value: 6000 | 20 |
Click on the dashboard and scroll down to the CLI console
Click on the CLI console to connect.
To Configure Netflow, type the following commands on the console one after another. Make sure to replace <ipv4_addr> with CCE IP Address
config global Firewall (This step might not be required in some versions of FortiGate firewall)
config system netflow
set collector-ip <ipv4_address>
set collector-port 9995
end
To Enable Netflow, type the following
config system interface
edit <interface name> ....with all the interfaces to be configured
set netflow-sampler both
end
Verification can be done in two ways
Run the command on CCE server to check if you start getting logs and flows from firewall:
To check the logs :
sudo tcpdump -i any port 514 and host <Firewall IP>
To check the flows:
sudo tcpdump -i any port 9995 and host <Firewall IP>
STEP1: Login to UI >> SYSTEM>> LOGS AND FLOWS COLLECTION STATUS .
STEP 2: >> LOGS AND FLOWS COLLECTION STATUS .
STEP 3: >>Inside SOURCE DEVICE IP, IP will reflect.
