Fortinet Firewall Integration with ThreatSync+ NDR
This document describes how to integrate a Fortinet firewall with ThreatSync+ NDR so that the firewall forwards VPN and DHCP logs as syslogs, which lets ThreatSync+ NDR monitor data from your firewall.
Firewall Syslog Data Flow to ThreatSync+ NDR
The syslog collector sends logs from your third-party firewall to ThreatSync+ NDR. To install the syslog collector on a computer, you must first install the ThreatSync+ NDR Collection Agent. This diagram shows the data flow of third-party firewall syslogs to ThreatSync+ NDR.
Before You Begin
Before you begin these procedures, make sure that:
- You have a ThreatSync+ NDR or Total NDR license allocated in WatchGuard Cloud.
- You have the required access and permissions on your Fortinet firewall to configure syslog forwarding.
- You have access to a Linux server to install the ThreatSync+ NDR Collection Agent.
Configure the ThreatSync+ NDR Collection Agent
Make sure the ThreatSync+ NDR Collection Agent is installed on your Linux computer, and the status of the collection agent is Success. For detailed instructions about the ThreatSync+ NDR Collection Agent installation, go to Configure Collection Agents for ThreatSync+ NDR (Linux Computers).
Make sure the ThreatSync+ NDR Collection Agent is v1.0.0.48. You can find the collection agent version in /opt/collector/conf/VERSION.txt.
The collection agent listens on port 514, which is the default port to receive syslogs.
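The following script is an added example, not part of the WatchGuard documentation or the collection agent. It checks the two conditions stated above on the Linux host: the version recorded in /opt/collector/conf/VERSION.txt and a listener on port 514. It assumes the version file contains a dotted four-part version string and that the ss utility from iproute2 is installed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks on the collection agent host.
# The path, version and port are from this page. Assumptions: VERSION.txt
# contains a dotted four-part version string, and ss (iproute2) is installed.
VERSION_FILE="${VERSION_FILE:-/opt/collector/conf/VERSION.txt}"
EXPECTED_VERSION="1.0.0.48"
SYSLOG_PORT=514

# Print the first a.b.c.d version string found in the file (empty if none).
agent_version() {
    grep -oE '[0-9]+(\.[0-9]+){3}' "$1" 2>/dev/null | head -n 1
}

# Succeed only on an exact match, so 1.0.0.480 does not pass as 1.0.0.48.
check_agent_version() {
    [ "$(agent_version "$1")" = "$EXPECTED_VERSION" ]
}

# Read `ss -H -lntu` output on stdin and print each protocol (tcp/udp)
# that has a listening socket whose local port equals $1.
listeners_on_port() {
    awk -v port="$1" '{ n = split($5, a, ":"); if (a[n] == port) print $1 }' |
        sort -u
}

preflight() {
    rc=0
    if check_agent_version "$VERSION_FILE"; then
        echo "OK   collection agent version $EXPECTED_VERSION"
    else
        echo "FAIL version is '$(agent_version "$VERSION_FILE")', expected $EXPECTED_VERSION"
        rc=1
    fi
    protos=$(ss -H -lntu | listeners_on_port "$SYSLOG_PORT" | tr '\n' ' ')
    if [ -n "$protos" ]; then
        echo "OK   listening on port $SYSLOG_PORT: $protos"
    else
        echo "FAIL nothing is listening on port $SYSLOG_PORT"
        rc=1
    fi
    return "$rc"
}

# Run the checks only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

Run the script with --run on the collector host before you configure the firewall. The output of the port check also shows whether the listener is UDP, TCP, or both.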
Configure a Fortinet Firewall to Forward Syslogs
WatchGuard provides interoperability instructions to help our customers configure WatchGuard products to work with third-party products created by other organizations. The steps to configure syslog forwarding on your device might be different, based on the version of your firewall management software. For the latest syslog forwarding instructions, go to your third-party firewall documentation.
To configure a Fortinet firewall to forward syslogs to the ThreatSync+ NDR Collection Agent:
- Log in to your Fortinet firewall UI.

- Configure the internal and external interfaces. For more information, go to Log Settings in the Fortinet documentation (external link).

- Configure a static route on the external interface to send traffic to external networks.

- Create the address object for the internal interface.

- Create a policy that allows syslog traffic from the internal interface to external networks.
- To enable syslog forwarding and configure syslog server settings, from the navigation menu, select Log & Report > Log Settings.

- Select the Global Settings tab.
- Next to Syslog Logging, click Enable.
- In the IP Address/FQDN text box, enter the IP address of your ThreatSync+ NDR Collection Agent.
- Click Apply.
For more information about Fortinet firewall log forwarding, go to Log Settings in the Fortinet documentation (external link).
Test the Integration
To test the Fortinet firewall integration with ThreatSync+ NDR:
- Log in to your WatchGuard Cloud account.
- From the navigation menu, select Configure > ThreatSync+ Integrations > Collection Agents. If you have a Service Provider account, you must select an account from Account Manager.
- Select the ThreatSync+ NDR Collection Agents tab to view the Last Activity column of your collection agent. This column shows the last time the collection agent uploaded records to ThreatSync+ NDR. It might take a few hours for the first upload.
- From the navigation menu, select Monitor > ThreatSync+ to view the Network Summary page.
For more information about ThreatSync+, go to ThreatSync+.