FortiGate firewalls
The following sections show you how to configure a FortiGate Next-Generation Firewall (NGFW) to send its log data to Axoflow.
CAUTION:
Make sure to set up data forwarding as described in this guide. Other settings, such as a different message format or port, might be valid but can result in data loss or incorrect parsing.
Prerequisites
- You have administrative access to the firewall.
- The date, time, and time zone are correctly set on the firewall.
- You have an AxoRouter deployed and configured. This device is going to receive the logs from the firewall.
- You know the IP address of the AxoRouter. To find it:
  - Open the Axoflow Console.
  - Select the Hosts or the Topology page.
  - Click the AxoRouter instance that is going to receive the logs.
  - Check the Networks > Address field.
Steps
Note: The steps involving the FortiGate user interface are provided for your convenience; for details, see the official FortiGate documentation.
- Log in to your FortiGate device. You need administrator privileges to perform the configuration.
- Register the address of your AxoRouter as an Address Object.
- Select Log & Report > Log Settings > Global Settings.
- Configure the following settings:
  - Event Logging: Click All.
  - Local traffic logging: Click All.
  - Syslog logging: Enable this option.
  - IP address/FQDN: Enter the address of your AxoRouter: %axorouter-ip%
- Click Apply.
- Add the appliance to the Axoflow Console. For details, see Appliances.
Labels
Axoflow automatically adds the following labels to data collected from this source:
| label | value |
|---|---|
| vendor | fortinet |
| product | fortigate |
| format | kv |
Sending data to Splunk
When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:
| sourcetype | index |
|---|---|
| fortigate_event | netops |
| fortigate_traffic | netfw |
| fortigate_utm | netfw |
Tested with: Fortinet FortiGate Add-On for Splunk technical add-on
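The following is an added example, not part of Axoflow's or Fortinet's own code: it parses a FortiGate log line in the kv format named in the Labels table (quoted values with spaces and escaped quotes included), rejects lines that are not kv at all, and maps the record to the Splunk sourcetype and index from the table above. The sample lines are constructed, and the assumption that routing is keyed on the FortiGate `type` field is mine, not something the page states.

```python
import re
from typing import Dict, Optional, Tuple

# One key=value pair: the value is either a double-quoted string (backslash
# escapes allowed) or a bare token with no whitespace.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Splunk routing from the sourcetype/index table above. Assumption: the
# sourcetype is selected from the FortiGate "type" field.
SOURCETYPE_MAP = {
    "event": ("fortigate_event", "netops"),
    "traffic": ("fortigate_traffic", "netfw"),
    "utm": ("fortigate_utm", "netfw"),
}


def parse_fortigate_kv(line: str) -> Dict[str, str]:
    """Parse a FortiGate key=value log line into a dict.

    Raises ValueError when the line is not made of key=value pairs, which is
    the mis-parse case the CAUTION describes (e.g. a non-default message
    format arriving on the kv pipeline).
    """
    fields: Dict[str, str] = {}
    line = line.strip()
    pos = 0
    while pos < len(line):
        m = _KV_RE.match(line, pos)
        if not m:
            raise ValueError(f"not key=value at offset {pos}: {line[pos:pos + 20]!r}")
        key, raw = m.groups()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            # Strip the quotes and undo the two escapes FortiGate uses.
            raw = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        fields[key] = raw
        pos = m.end()
        while pos < len(line) and line[pos] == " ":
            pos += 1
    return fields


def splunk_route(fields: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (sourcetype, index) for a parsed record, or None if type is unknown."""
    return SOURCETYPE_MAP.get(fields.get("type", ""))


# Constructed sample lines in FortiGate kv style (placeholder device id, not real captures).
SAMPLE_TRAFFIC = ('date=2024-05-01 time=10:15:42 devname="FGT-LAB" devid="FGT-DEVID-PLACEHOLDER" '
                  'logid="0000000013" type="traffic" subtype="forward" level="notice" '
                  'srcip=10.0.0.5 dstip=203.0.113.9 dstport=443 action="accept" '
                  'msg="Session closed, bytes=\\"1024\\""')
SAMPLE_EVENT = 'date=2024-05-01 time=10:16:00 type="event" subtype="system" logdesc="Admin login successful"'
```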