FortiGate firewalls

The following sections show you how to configure FortiGate Next-Generation Firewall (NGFW) to send their log data to Axoflow.

Prerequisites

• You have administrative access to the firewall.
• The date, time, and time zone are correctly set on the firewall.
• You have an AxoRouter deployed and configured. This device is going to receive the logs from the firewall.

• You know the IP address the AxoRouter. To find it:

  1. Open the Axoflow Console.
  2. Select the Hosts or the Topology page.
  3. Click on AxoRouter instance that is going to receive the logs.
  4. Check the Networks > Address field.

Steps

Note: The steps involving the FortiGate user interface are just for your convenience, for details, see the official FortiGate documentation.

1. Log in to your FortiGate device. You need administrator privileges to perform the configuration.

2. Register the address of your AxoRouter as an Address Object.

   1. Select Log & Report > Log Settings > Global Settings.

   2. Configure the following settings:

      • Event Logging: Click All.
      • Local traffic logging: Click All.
      • Syslog logging: Enable this option.
      • IP address/FQDN: Enter the address of your AxoRouter: %axorouter-ip%

   3. Click Apply.

3. Add the appliance to Axoflow Console.

   1. Open the Axoflow Console and select Topology.
   2. Select + > Source.
   3. Select your source.
   4. Enter the parameters of the source, like IP address and FQDN.
   5. Select Create.

Labels

Axoflow automatically adds the following labels to data collected from this source:

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

Tested with: Fortinet FortiGate Add-On for Splunk technical add-on