Fortigate

This guide covers how to configure your Fortigate firewall to send syslog data to FortiDragon.

Syslog Configuration

Configure syslog using RFC5424 format (recommended):

config log syslogd setting
    set status enable
    set server <collector_ip>
    set port 5140
    set format rfc5424
end

Firewall Naming Convention

When using syslog RFC5424 format, be careful with your firewall hostname:

  • MY_FIREWALL_SITEA will NOT work
  • MY-FIREWALL-SITEA will work

Use hyphens instead of underscores in hostnames.
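As an added example (not FortiDragon's or Fortinet's own code), the following Python parser splits the RFC 5424 framing configured above from FortiGate's key=value body and flags a hostname that contains an underscore; the sample log line is constructed, and the legacy fallback assumes the default non-RFC format is simply <PRI> followed directly by the key=value body.

```python
import re

# Constructed sample (not captured from a real device): one traffic log in the
# RFC 5424 framing that "set format rfc5424" produces.
SAMPLE_RFC5424 = (
    '<189>1 2024-05-01T10:20:30Z MY-FIREWALL-SITEA - - - - '
    'date=2024-05-01 time=10:20:30 devname="MY-FIREWALL-SITEA" type="traffic" '
    'subtype="forward" srcip=10.0.0.5 dstip=8.8.8.8 srczone="lan" dstzone="wan" '
    'action="accept" org="some_organization_name" msg="Some text with spaces"'
)

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
RFC5424 = re.compile(
    r'^<(?P<pri>\d{1,3})>\d+ (?P<ts>\S+) (?P<host>\S+) \S+ \S+ \S+ '
    r'(?:-|(?:\[[^\]]*\])+) (?P<msg>.*)$', re.S)
# Assumed legacy framing: <PRI> followed directly by the key=value body.
LEGACY = re.compile(r'^<(?P<pri>\d{1,3})>(?P<msg>[a-z]+=.*)$', re.S)
# FortiGate body: key=value pairs, values bare tokens or double-quoted strings.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortigate_syslog(line: str) -> dict:
    """Parse one FortiGate syslog line into header info plus its key=value fields."""
    m = RFC5424.match(line) or LEGACY.match(line)
    if not m:
        raise ValueError("unrecognised FortiGate syslog line")
    pri = int(m['pri'])
    fields = {k: v.strip('"') for k, v in KV.findall(m['msg'])}
    # Legacy framing carries no header hostname; fall back to the devname field.
    host = m.groupdict().get('host') or fields.get('devname')
    warnings = []
    if host and '_' in host:
        warnings.append('hostname contains an underscore; use hyphens instead')
    return {
        'format': 'rfc5424' if 'host' in m.groupdict() else 'legacy',
        'facility': pri >> 3,   # PRI 189 -> facility 23 (local7)
        'severity': pri & 7,    # PRI 189 -> severity 5 (notice)
        'timestamp': m.groupdict().get('ts'),
        'hostname': host,
        'fields': fields,
        'warnings': warnings,
    }


if __name__ == '__main__':
    rec = parse_fortigate_syslog(SAMPLE_RFC5424)
    print(rec['hostname'], rec['fields']['srczone'], rec['warnings'])
```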

Optional Configurations

Extended Logging

Enable extended logging on webfilter for more detailed information:

config webfilter profile
    edit "test-webfilter"
        set extended-log enable
        set web-extended-all-action-log enable
    next
end

Extended Log Limitations

When enabling extended logging, FortiOS may warn you to switch to reliable (TCP) syslogd. This is because the maximum log length depends on the destination:

  • Reliable Syslog servers: Full rawdata field of 20KB
  • Other devices (disk, FortiAnalyzer, UDP): Maximum 2KB total log length

SD-WAN Performance Logging

To collect metrics about SD-WAN Performance SLAs, configure health-check logging:

config health-check
    edit "Google"
        set server "8.8.8.8" "8.8.4.4"
        set sla-fail-log-period 10
        set sla-pass-log-period 30
        set members 0
        config sla
            edit 1
                set latency-threshold 100
                set jitter-threshold 10
                set packetloss-threshold 5
            next
        end
    next
end

Custom Fields

You can inject custom fields into Fortigate's syslog for additional context:

config log custom-field
    edit "3"
        set name "org"
        set value "some_organization_name"
    next
end

config log setting
    set custom-log-fields "3"
end

Log CLI debug commands

By default only execute and config commands are recorded in the system event logs; with the CLI audit log enabled, show, get, and diagnose commands are recorded as well:

config system global
    set cli-audit-log enable
end

Include zone fields in logs

The srczone and dstzone fields can be enabled in logs using the following command:

config log setting
    set zone-name enable
end

Log REST API events

To enable REST API events logging in the CLI:

config log setting
    set rest-api-set enable
    set rest-api-get enable
end

Generate unique user name for anonymized logs

To encrypt the user name for logs in the GUI:

config log setting
    set user-anonymize enable
    set anonymization-hash "random"
end

Verification

After configuration, verify on your collector host (where Vector runs) that syslog packets from the Fortigate are arriving on the configured port:

sudo tcpdump -i any port 5140

Troubleshooting

  • Problem: No logs received. Solution: Check firewall rules between the Fortigate and the collector.
  • Problem: You receive packets, but no logs are ingested. Solution: Use hyphens instead of underscores in the hostname.

Next Steps

Once Fortigate is configured:

  1. Install Vector

  2. Set up Victoria Logs or Elasticsearch

  3. Import dashboards in Grafana or Kibana

  4. Start dancing with your logs!