Extend Cortex XDR visibility into logs from Fortinet
logs and data requires a
Pro per TB license.
If you use Fortinet Fortigate
firewalls, you can still take advantage of
investigation and detection capabilities
by forwarding your firewall logs to
. This enables
to examine your network traffic to
detect anomalous behavior.
can use Fortinet Fortigate firewall
logs as the sole data source, but can also use Fortinet Fortigate firewall
logs in conjunction with Palo Alto Networks firewall logs. For additional endpoint
context, you can also use
to collect and alert on endpoint
As soon as
starts to receive logs, the app can begin
stitching network connection logs with other logs to form network
also analyze your logs to raise Analytics alerts and can apply IOC,
BIOC, and Correlation Rule matching. You can also use queries to
search your network connection logs.
To integrate your logs,
you first need to set up an applet in a broker VM within your network
to act as a syslog collector. You then configure forwarding on your
log devices to send logs to the syslog collector in a CEF format.
Verify that your Fortinet Fortigate firewalls
meet the following requirements.
Increase log storage for Fortinet Fortigate firewall
As an estimate for initial sizing, note that the average
Fortinet Fortigate log size is roughly 1,070 bytes. For proper sizing
calculations, test the log sizes and log rates produced by your
Fortinet Fortigate firewalls. For more information, see Manage Your Log Storage within Cortex XDR.
Configure the log device that receives Fortinet Fortigate
firewall logs to forward syslog events to the syslog collector in
a CEF format.
Configure your firewall policy to log all traffic and forward
the traffic logs to the syslog collector in a CEF format. By logging
all traffic, you enable
to detect anomalous behavior from Fortinet
Fortigate firewall logs. For more information on setting up Log
Forwarding on Fortinet Fortigate firewalls, see the Fortinet FortiOS