If you use Fortinet Fortigate firewalls, you
can still take advantage of Cortex XDR investigation and detection
capabilities by forwarding your firewall logs to Cortex XDR. This
enables Cortex XDR to examine your network traffic to detect anomalous
behavior. Cortex XDR can use Fortinet Fortigate firewall logs as
the sole data source, but can also use Fortinet Fortigate firewall
logs in conjunction with Palo Alto Networks firewall logs. For additional
endpoint context, you can also use Cortex XDR to collect and alert
on endpoint data.
As an estimate for initial sizing, note
that the average Fortinet Fortigate log size is roughly 1,070 bytes.
For proper sizing calculations, test the log sizes and log rates
produced by your Fortinet Fortigate firewalls.
As soon as
Cortex XDR starts to receive logs, the app can begin analyzing and
raising Analytics alerts. Cortex XDR stores Analytics alerts according
to your Cortex Data Lake storage retention policy but does not store
the Fortinet Fortigate firewall logs. As a result, you cannot query
or apply IOC and BIOC rule matching to Fortinet Fortigate firewall logs.
integrate your logs, you first need to set up an applet in a broker
VM within your network to act as a syslog collector. You then configure
forwarding on your log devices to send logs to the syslog collector.
Configure the log device that receives Fortinet Fortigate
firewall logs to forward syslog events to the syslog collector.
Configure your firewall policy to log all traffic and forward
the traffic logs to the syslog collector. By logging all traffic,
you enable Cortex XDR to detect anomalous behavior from Fortinet
Fortigate firewall logs. For more information on setting up Log
Forwarding on Fortinet Fortigate firewalls, see the Fortinet FortiOS