Documentation Center
AlienVault® USM Appliance™

Fortinet FortiGate

When you configure Fortinet FortiGate to send log data to USM Appliance, you can use the FortiGate plugin to translate the raw log data into normalized events for analysis.

Device Details
Vendor Fortinet
Device Type Firewall
Connection Type Syslog
Data Source Name fortigate
Data Source ID 1554

Integrating Fortinet FortiGate

Before you configure the Fortinet FortiGate integration, you must have the IP Address of the USM Appliance Sensor. You can configure FortiGate from either the web UI or CLI.

To configure FortiGate to send log data to USM Appliance from the web UI

  1. Log into the Fortinet console, and go to Log & Report > Log Config > Log Settings.
  2. Select Send Logs to Syslog and specify the USM Appliance Sensor IP address.

  3. In Event Logging, select all the event types you want to capture.

  4. Click Apply.

To configure FortiGate to send log data to USM Appliance from the CLI

  • Open the Fortinet CLI Console and enter:

    config log syslogd setting

    set status enable

    set csv disable

    set facility local7

    set port 514

    set reliable disable

    set server <IP address of the USM Appliance Sensor>

    set source-ip <Default: 0.0.0.0>

    end

    Note: Fortinet allows up to three remote syslog servers: {syslogd|syslogd2|syslogd3}.

If Virtual Domains (VDOMs) are enabled, each VDOM will use the default FortiAnalyzer/Syslog server, but you can override it from the CLI, allowing you to specify a different FortiAnalyzer/Syslog server for that VDOM.

Use this command within a VDOM to override the global configuration created with the config log syslogd setting command above. These settings configure the connection to the USM Appliance Sensor.

To override global configuration for a specific VDOM

  • From the Fortinet CLI Console, enter:

    config log syslogd override-setting

    set override enable

    set status enable

    set csv disable

    set facility local7

    set port 514

    set reliable disable

    set server <IP address of the USM Appliance Sensor>

    set source-ip <Default: 0.0.0.0>

    end

Plugin Enablement

For plugin enablement information, see Enable Plugins.

Troubleshooting

For troubleshooting, refer to the vendor documentation:

https://www.fortinet.com/products-services/products/firewall.htm

http://docs.fortinet.com/d/fortigate-troubleshooting-2