Document toolboxDocument toolbox

firewall.fortinet

The tags begin with firewall.fortinet identifies log events generated by the following Fortinet technologies:

  • Fortinet FortiGate

  • Fortinet Unified Threat Management (UTM)

There are a large number of firewall.fortinet tags to accommodate the wide range of log types possible. 

Tag structure

The full tag must have at least two levels, although most require three or four levels. The first two are fixed as firewall.fortinet. The third level identifies the technology type. The fourth element is not always required but is usually fixed and may be automatically generated by the Devo relay rule. 

Technology

Brand

Type

Subtype

Technology

Brand

Type

Subtype

firewall

fortinet

  • anomaly

  • event

  • fortianalyzer

  • ips

  • securityevent

  • systemevent

  • traffic

  • utm

  • voip

may be fixed and required

These are the valid tags and corresponding data tables that will receive the parsers' data:

Source tagging

Devo table

Source tagging

Devo table

firewall.fortinet.anomaly.anomaly

firewall.fortinet.anomaly.anomaly

firewall.fortinet.event

firewall.fortinet.event

firewall.fortinet.event.admin

firewall.fortinet.event.admin

firewall.fortinet.event.config

firewall.fortinet.event.config

firewall.fortinet.event.dhcp

firewall.fortinet.event.dhcp

firewall.fortinet.event.dns

firewall.fortinet.event.dns

firewall.fortinet.event.fgd

firewall.fortinet.event.fgd

firewall.fortinet.event.ha

firewall.fortinet.event.ha

firewall.fortinet.event.his-performance

firewall.fortinet.event.hisPerformance

firewall.fortinet.event.ipsec

firewall.fortinet.event.ipsec

firewall.fortinet.event.pattern

firewall.fortinet.event.pattern

firewall.fortinet.event.perf.historical

firewall.fortinet.event.perf.historical

firewall.fortinet.event.sslvpn-session

firewall.fortinet.event.sslvpnSession

firewall.fortinet.event.sslvpn-user

firewall.fortinet.event.sslvpnUser

firewall.fortinet.event.system

firewall.fortinet.event.system

firewall.fortinet.event.user

firewall.fortinet.event.user

firewall.fortinet.event.vpn

firewall.fortinet.event.vpn

firewall.fortinet.event.wireless

firewall.fortinet.event.wireless

firewall.fortinet.fortianalyzer.analyzer

firewall.fortinet.fortianalyzer.analyzer

firewall.fortinet.ips

firewall.fortinet.ips

firewall.fortinet.ips.anomaly

firewall.fortinet.ips.anomaly

firewall.fortinet.traffic

firewall.fortinet.traffic

firewall.fortinet.traffic.allowed

firewall.fortinet.traffic.allowed

firewall.fortinet.traffic.forward

firewall.fortinet.traffic.forward

firewall.fortinet.traffic.local

firewall.fortinet.traffic.local

firewall.fortinet.traffic.multicast

firewall.fortinet.traffic.multicast

firewall.fortinet.traffic.other

firewall.fortinet.traffic.other

firewall.fortinet.traffic.violation

firewall.fortinet.traffic.violation

firewall.fortinet.utm

firewall.fortinet.utm

firewall.fortinet.utm.app-ctrl

firewall.fortinet.utm.appCtrl

firewall.fortinet.utm.dns

firewall.fortinet.utm.dns

firewall.fortinet.utm.emailfilter

firewall.fortinet.utm.emailfilter

firewall.fortinet.utm.ips

firewall.fortinet.utm.ips

firewall.fortinet.utm.virus

firewall.fortinet.utm.virus

firewall.fortinet.utm.webfilter

firewall.fortinet.utm.webfilter

firewall.fortinet.voip

firewall.fortinet.voip

firewall.fortinet.voip.voip

firewall.fortinet.voip.voip

For more information, read more about Devo tags.

Set up the Devo relay rule

You will need to define a relay rule that can correctly identify the event type and apply the corresponding tag. The events are identified by the source port that they are received on and by matching a format defined by a regular expression. 

The relay rule is different depending on if you are using FortiAnalyzer to manage the logs or if you are simply using FortiGate.

If you are using FortiAnalyzer

When the source conditions are met, the relay will apply a tag that begins with firewall.fortinet. A regular expression in the Source Data field describes the format of the event data and the target tag definition uses capturing groups to form the 3rd and 4th levels of the tag.

  • Source Port  13003

  • Source Data  type=\"{0,1}([^\s^\"]+)\"{0,1}\ssubtype=\"{0,1}([^\s^\"]+)\"{0,1}

  • Target Tag  firewall.fortinet.\\D1.\\D2.noncsv

  • Check the Sent without syslog tag and Stop processing checkboxes

If you are using just FortiGate

When the source conditions are met, the relay will apply a tag that begins with firewall.fortinet. A regular expression in the Source Data field describes the format of the event data and will depend on the version of FortiGate you are using:

Depending on the format of the sent event data, you must enter a different regular expression in the Source Data field:

  • Events are received in CSV format without quotes → ,type=([^,]+),subtype=([^,]+)(,|$)

  • Events are received in CSV format with double quotes → ,type=\"([^,]+)\",subtype=\"([^,]+)\"(,|$)

Data is then extracted from the event and used to create the third and fourth levels of the tag as needed. In the example below the rule is defined with the following settings:

If you are using Fortiedr

When the source conditions are met, the relay will apply a tag that begins with firewall.fortinet. All the events arriving at the designated port will have the tag firewall.fortinet.fortiedr.endpoint.

  • Source Port → 13003

  • Target Tag →firewall.fortinet.fortiedr.endpoint

  • Check the Sent without syslog tag and Stop processing checkboxes

Configure the forwarding of Fortinet logs

Using FortiAnalyzer

For deployments that aggregate FortiGate log data using FortiAnalyzer, follow the vendor instructions to configure the Devo relay as a remote syslog server using either the admin console or the FortiAnalyzer CLI. In both cases, you only need to enter the IP address of the Devo relay and specify the port on which you created the relay rule.

Using FortiGate/FortiOS

You need to have the Devo Relay IP address and the listening port number on hand when you configure your FortiGate product. In our example, here and in the relay rule above, we are sending FortiGate log events to the relay in CSV format.

  • Using the FortiGate GUI, go to Log & Report → Log Settings and select Remote Logging and Archiving to configure the Devo relay as a remote syslog server.

  • Using the FortiGate CLI, enter the following commands setting the server to the Devo relay IP address and the port to the relay port on which you created the rule.

Configuring syslog server in FortiGate CLI
config log syslogd setting set status enable set csv enable set reliable set facility local7 set server <relay_ip> set port <relay_port> end

For more details about FortiGate logging, see the vendor documentation.