Skip to content
Find out how we support MDR.

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=Fortigate

Fortinet FortiGate

Log collector

You must have the "Firewall" integrations license pack to use this feature.

You can integrate Fortinet FortiGate with Sophos Central. This lets FortiGate send firewall alerts to Sophos for analysis.

This integration uses a log collector hosted on a virtual machine (VM). Together they are called a data collector. The data collector receives third-party data and sends it to the Sophos Data Lake.

Note

You can add multiple Fortinet FortiGate firewalls to the same data collector.

To do this, set up your Fortinet FortiGate integration in Sophos Central, then configure one firewall to send logs to it. Then configure your other Fortinet FortiGate firewalls to send logs to the same Sophos data collector.

You don't have to repeat the Sophos Central part of the setup.

The key steps to add an integration are as follows:

  • Add an integration for this product. This configures an image to use on a VM.
  • Download and deploy the image on your VM. This becomes your data collector.
  • Configure FortiGate to send data to the data collector.

Requirements

Data collectors have system and network access requirements. To check that you meet them, see Data collector requirements.

Add an integration

To add the integration, do as follows:

  1. Sign in to Sophos Central.
  2. Go to Threat Analysis Center > Integrations.

  3. Click Fortinet FortiGate.

    If you've already set up connections to FortiGate, you see them here.

  4. In Integrations, click Add.

    Note

    If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.

    Integration steps appears.

Configure the VM

In Integration setup steps you configure your VM to receive data from FortiGate. You can use an existing VM, or create a new one.

To configure the VM, do as follows:

  1. Enter an integration name and description.

  2. Enter a name and description for the data collector.

    If you've already set up a data collector integration you can choose it from a list.

  3. Select the virtual platform. Currently we support VMware ESXi 6.7 or later and Microsoft Hyper-V 6.0.6001.18016 (Windows Server 2016) or later.

  4. Specify the IP settings for the Internet-facing network ports. This sets up the management interface for the VM.

    • Select DHCP to assign the IP address automatically.

      Note

      If you select DHCP, you must reserve the IP address.

    • Select Manual to specify network settings.

  5. Select the Syslog IP version and enter the Syslog IP address.

    You'll need this syslog IP address later, when you configure Fortigate to send data to your data collector.

  6. Select a Protocol.

    You must use the same protocol when you configure Fortigate to send data to your data collector.

  7. Click Save.

    We create the integration and it appears in your list.

    In the integration details, you can see the port number for the data collector. You'll need this later when you configure Fortigate to send data to it.

    It might take a few minutes for the VM image to be ready.

Deploy the VM

Restriction

If you're using ESXi, the OVA file is verified with Sophos Central, so it can only be used once. If you have to deploy another VM, you must create an OVA file again in Sophos Central.

Use the VM image to deploy the VM. To do this, do as follows:

  1. In the list of integrations, in Actions, click the download action for your platform, for example Download OVA for ESXi.
  2. When the image download finishes, deploy it on your VM. See Deploy a VM for integrations.

When you've deployed the VM, the integration shows as Connected.

Configure FortiGate

Now you configure FortiGate to send alerts to the Sophos data collector on the VM.

  1. Sign into the command-line interface (CLI).

  2. Enter the following commands to turn on syslog forwarding and send data to your data collector. Ensure you use the correct commands for your FortiGate version.

    config log syslogd setting
set status enable
set facility user
set port <port number of your data collector>
set server <syslog IP address of your data collector> 
set mode udp
set format cef
end

    config log syslogd setting
set status enable
set facility user
set port [port number of your data collector]
set server [syslog IP address of your data collector] 
set format cef
set reliable disable
end

Note

You can configure up to four syslog servers on FortiGate. Just replace syslogd with syslogd2, sylsogd3 or syslogd4 in the first line to configure each syslog server.

Your FortiGate alerts should now appear in the Sophos Data Lake after validation.

Customize alerts

Most FortiGate features are logged by default.

To make sure the Traffic, Web and URL Filtering features are logged, enter the following commands. Ensure you use the correct commands for your FortiGate version.

config log syslogd filter
set severity warning
set forward-traffic enable
set local-traffic enable
set multicast-traffic enable
set sniffer-traffic enable
set anomaly enable
end

config log syslogd filter 
set traffic enable
set web enable 
set url-filter enable 
end

FortiGate 5.4 and later can also log referrer URLs. A referrer URL is the address of the web page where a user clicked a link to go to the current page. This is useful for web usage analysis.

To turn on referrer URL logging for each web profile, do as follows: 

config webfilter profile 
edit [Name of your profile] 
set log-all-url enable 
set web-filter-referer-log enable 
end

More resources

This video takes you through setting up the integration.

For more information on logging to a remote syslog server, see Fortinet’s Logging and Reporting Guide.