
Fortinet FortiAnalyzer (Log collector)

Log collector

You must have the Firewall integrations license pack to use this feature.

Note

An API-based integration of FortiAnalyzer is also available. See Fortinet FortiAnalyzer (API).

You can integrate Fortinet FortiAnalyzer with Sophos Central so that it sends firewall alerts to Sophos for analysis.

This integration uses a log collector hosted on a virtual machine (VM). Together they're called an appliance. The appliance receives third-party data and sends it to the Sophos Data Lake.

Note

You can add multiple Fortinet FortiAnalyzer firewalls to the same appliance.

To do this, set up your Fortinet FortiAnalyzer integration in Sophos Central, then configure one firewall to send logs to it. Then configure your other Fortinet FortiAnalyzer firewalls to send logs to the same Sophos appliance.

You don't have to repeat the Sophos Central part of the setup.

The key steps are as follows:

  • Configure an integration for this product. This configures an image to use on a VM.
  • Download and deploy the image on your VM. This becomes your appliance.
  • Configure FortiAnalyzer to send data to the appliance.

Requirements

Appliances have system and network access requirements. To check that you meet them, see Appliance requirements.

Configure an integration

To configure the integration, do as follows:

  1. In Sophos Central, go to Threat Analysis Center > Integrations > Marketplace.
  2. Click Fortinet FortiAnalyzer (Log collector).

    The Fortinet FortiAnalyzer (Log collector) page opens. You can configure integrations here and see a list of any you've already configured.

  3. In Data Ingest (Security Alerts), click Add Configuration.

    Note

    If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.

    The Integration setup steps page appears.

Configure the VM

In Integration setup steps you configure your VM as an appliance to receive data from FortiAnalyzer. You can use an existing VM, or create a new one.

To configure the VM, do as follows:

  1. Enter an integration name and description.
  2. Enter a name and description for the appliance.

    If you've already set up a Sophos appliance, you can choose it from a list.

  3. Select the virtual platform. Currently we support VMware ESXi 6.7 Update 3 or later and Microsoft Hyper-V 6.0.6001.18016 (Windows Server 2016) or later.

  4. Specify the IP settings for the Internet-facing network ports. This sets up the management interface for the VM.

    • Select DHCP to assign the IP address automatically.

      Note

      If you select DHCP, you must reserve the IP address.

    • Select Manual to specify your network settings.

  5. Select the Syslog IP version and enter the Syslog IP address.

    You'll need this syslog IP address later, when you configure FortiAnalyzer to send data to your appliance.

  6. Select a Protocol.

    You must use the same protocol later when you configure FortiAnalyzer to send data to your appliance.

  7. Click Save.

    We create the integration and it appears in your list.

    In the integration details, you can see the port number for the appliance. You'll need this later when you configure FortiAnalyzer to send data to it.

    It might take a few minutes for the VM image to be ready.

Deploy the VM

Restriction

If you're using ESXi, the OVA file is verified with Sophos Central, so it can only be used once. If you deploy another VM, you must create an OVA file again in Sophos Central.

Use the VM image to deploy the VM. To do this, do as follows:

  1. In the list of integrations, under Actions, click the download action for your platform, for example Download OVA for ESXi.
  2. When the image download finishes, deploy it on your VM. See Deploy a VM for integrations.

Configure FortiAnalyzer

Now you configure FortiAnalyzer to send alerts to the Sophos appliance on the VM.

You can configure log forwarding in the FortiAnalyzer console as follows:

  1. Go to System Settings > Log Forwarding.
  2. Click Create New.
  3. On the Create New Log Forwarding page, enter the following details:

    1. Name: Enter a name for the server, for example "Sophos appliance".
    2. Status: Set this to On.
    3. Remote Server Type: Select Common Event Format (CEF).
    4. Server IP: Enter the IP address of your appliance. This is the syslog IP address you entered in Sophos Central.
    5. Server Port: Enter the port number you set in Sophos Central.
    6. Reliable Connection: Turn this on to use a TCP connection. Turn it off to use a UDP connection. This must match the protocol that you set earlier in Sophos Central.
    7. Sending Frequency: Skip this option. It is only for FortiAnalyzer servers.
    8. Log Forwarding Filters: We recommend that you don't apply filters to FortiAnalyzer. Sophos applies filtering at the appliance.
    9. Click OK.

The FortiAnalyzer device will start forwarding logs to the appliance.
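The steps above set the transport (TCP when Reliable Connection is on, UDP when it is off), the appliance's syslog IP and port, and the CEF message format. The following Python example is added here to illustrate those three settings; it is not Sophos or Fortinet code. It parses a CEF-over-syslog line of the kind FortiAnalyzer forwards (the sample line and its field values are constructed for this example, not captured output), builds a correctly escaped CEF line, and sends a single test event to the appliance using TCP or UDP according to the same Reliable Connection choice, so you can confirm the port and protocol match before relying on the feed. The host, port and field names are assumptions.

```python
import re
import socket

# Names for the seven pipe-delimited CEF header fields (CEF:Version comes first).
_HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                  "signature_id", "name", "severity")

# An extension key sits at the start of the string or after whitespace.
# A value containing an escaped "\=" never matches because "\" is not a key char.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")

# Constructed sample in the style of a FortiGate traffic log forwarded by
# FortiAnalyzer as CEF over syslog. All values are invented for this example.
SAMPLE_LINE = (
    "<134>Jan 10 10:00:00 fortianalyzer CEF:0|Fortinet|FortiGate|v7.0.0|37127|"
    "traffic:forward close|3|deviceExternalId=FG100ETEST00001 src=10.0.0.5 "
    "dst=198.51.100.7 spt=51342 dpt=443 proto=TCP act=accept "
    "msg=user\\=alice logged in"
)


def _split_header(cef):
    """Split the seven header fields on unescaped '|'; return (fields, extension)."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):   # "\|" or "\\" inside a header field
            cur.append(cef[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    return fields, cef[i:]


def _unescape_ext(raw):
    r"""Undo extension escaping: '\=' -> '=', '\\' -> '\', '\n' -> newline."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            nxt = raw[i + 1]
            out.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def _parse_extension(ext):
    """Turn 'k1=v1 k2=v2 ...' into a dict; values may contain spaces."""
    matches = list(_KEY_RE.finditer(ext))
    result = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        result[m.group(1)] = _unescape_ext(ext[m.end():end])
    return result


def parse_cef(line):
    """Parse one syslog line carrying a CEF event; the syslog PRI/timestamp/host prefix is ignored."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    fields, ext = _split_header(line[start:])
    if not fields[0].startswith("CEF:"):
        raise ValueError("malformed CEF version field")
    header = dict(zip(_HEADER_FIELDS, fields))
    header["version"] = fields[0][len("CEF:"):]
    return {"header": header, "extension": _parse_extension(ext.strip())}


def _esc_header(value):
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value):
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def build_cef(vendor, product, version, signature_id, name, severity, extension):
    """Build a CEF:0 line with correct header and extension escaping."""
    header = "|".join(_esc_header(v) for v in
                      (vendor, product, version, signature_id, name, severity))
    ext = " ".join(f"{k}={_esc_ext(v)}" for k, v in extension.items())
    return f"CEF:0|{header}|{ext}"


def send_test_event(host, port, reliable, message):
    """Send one CEF line to the appliance's syslog IP and port; returns bytes sent.

    reliable=True uses TCP (Reliable Connection on), False uses UDP. This must
    match the Protocol chosen for the integration in Sophos Central.
    """
    payload = f"<134>{message}\n".encode()   # PRI 134 = facility local0, severity info
    if reliable:
        with socket.create_connection((host, port), timeout=5) as conn:
            conn.sendall(payload)
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as conn:
            conn.sendto(payload, (host, port))
    return len(payload)


if __name__ == "__main__":
    event = parse_cef(SAMPLE_LINE)
    print(event["header"]["name"], event["extension"]["src"], "->", event["extension"]["dst"])
    # Example connectivity check (appliance address is a placeholder):
    # send_test_event("APPLIANCE_SYSLOG_IP", 514, reliable=True, message=build_cef(
    #     "Test", "Connectivity", "1.0", "1", "sophos appliance check", 1, {"msg": "hello"}))
```

After sending a test event, confirm on the appliance side (or in Sophos Central once events flow) that it arrived; if nothing shows up, the usual causes are a port or protocol mismatch between the FortiAnalyzer log forwarding entry and the integration settings, or a firewall between the two hosts.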