Ingest Logs from Fortinet Fortigate Firewalls

Extend Cortex XDR visibility into logs from Fortinet Fortigate firewalls.
Ingesting logs and data requires a Cortex XDR Pro per TB license.
If you use Fortinet Fortigate firewalls, you can still take advantage of Cortex XDR investigation and detection capabilities by forwarding your firewall logs to Cortex XDR. This enables Cortex XDR to examine your network traffic to detect anomalous behavior. Cortex XDR can use Fortinet Fortigate firewall logs as the sole data source, but can also use Fortinet Fortigate firewall logs in conjunction with Palo Alto Networks firewall logs. For additional endpoint context, you can also use Cortex XDR to collect and alert on endpoint data.
As soon as Cortex XDR starts to receive logs, the app can begin stitching network connection logs with other logs to form network stories. Cortex XDR can also analyze your logs to raise Analytics alerts and can apply IOC and BIOC rule matching. You can also use queries to search your network connection logs.
To integrate your logs, you first need to set up an applet in a broker VM within your network to act as a syslog collector. You then configure forwarding on your log devices to send logs to the syslog collector.
  1. Verify that your Fortinet Fortigate firewalls meet the following requirements:
    • Must use FortiOS 6.2.1 or a later release
    • timestamp
      must be in nanoseconds
  2. Increase log storage for Fortinet Fortigate firewall logs.
    As an estimate for initial sizing, note that the average Fortinet Fortigate log size is roughly 1,070 bytes. For proper sizing calculations, test the log sizes and log rates produced by your Fortinet Fortigate firewalls. For more information, see Allocate Log Storage for Cortex XDR.
  3. Configure the log device that receives Fortinet Fortigate firewall logs to forward syslog events to the syslog collector.
    Configure your firewall policy to log all traffic and forward the traffic logs to the syslog collector. By logging all traffic, you enable Cortex XDR to detect anomalous behavior from Fortinet Fortigate firewall logs. For more information on setting up Log Forwarding on Fortinet Fortigate firewalls, see the Fortinet FortiOS documentation.

Recommended For You