Extend Cortex XDR visibility into logs from Fortinet
Ingesting logs and data requires a Cortex XDR Pro per TB license.

If you use Fortinet Fortigate firewalls, you can still take advantage of Cortex XDR investigation and detection capabilities by forwarding your firewall logs to Cortex XDR. This enables Cortex XDR to examine your network traffic to detect anomalous behavior. Cortex XDR can use Fortinet Fortigate firewall logs as the sole data source, but can also use Fortinet Fortigate firewall logs in conjunction with Palo Alto Networks firewall logs. For additional endpoint context, you can also use Cortex XDR to collect and alert on endpoint data.

As soon as Cortex XDR starts to receive logs, the app can begin stitching network connection logs with other logs to form network stories. Cortex XDR can also analyze your logs to raise Analytics alerts and can apply IOC and BIOC rule matching. You can also use queries to search your network connection logs.

To integrate your logs, you first need to set up an applet in a broker VM within your network to act as a syslog collector. You then configure forwarding on your log devices to send logs to the syslog collector.
Verify that your Fortinet Fortigate firewalls meet the following requirements:

1. Increase log storage for Fortinet Fortigate firewall
   As an estimate for initial sizing, note that the average Fortinet Fortigate log size is roughly 1,070 bytes. For proper sizing calculations, test the log sizes and log rates produced by your Fortinet Fortigate firewalls. For more information, see Allocate Log Storage for Cortex XDR.

2. Configure the log device that receives Fortinet Fortigate firewall logs to forward syslog events to the syslog collector.

3. Configure your firewall policy to log all traffic and forward the traffic logs to the syslog collector. By logging all traffic, you enable Cortex XDR to detect anomalous behavior from Fortinet Fortigate firewall logs. For more information on setting up Log Forwarding on Fortinet Fortigate firewalls, see the Fortinet FortiOS
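As an added example for the forwarding and log-all-traffic steps above (written for this page, not taken from the Cortex XDR or Fortinet documentation), these FortiOS CLI commands point a FortiGate at the broker VM syslog collector and enable full traffic logging on a policy. The collector address 192.0.2.10, UDP port 514, the facility and policy ID 1 are assumed placeholders; the page does not state them.

```text
# Assumed example: send syslog to the broker VM syslog collector.
# 192.0.2.10 and UDP/514 are placeholders, not values from the page.
config log syslogd setting
    set status enable
    set server "192.0.2.10"
    set mode udp
    set port 514
    set facility local7
    set format default
end

# Log all traffic on the policy (not only security events) so Cortex XDR
# sees every allowed and denied session. Policy ID 1 is a placeholder.
config firewall policy
    edit 1
        set logtraffic all
    next
end

# Emit test log messages so you can confirm the collector receives them.
diagnose log test
```

Measure the resulting event rate and message sizes from the collector side before relying on the 1,070-byte average for storage sizing.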