Document toolboxDocument toolbox

firewall.fortinet

Owned by Juan Tomás Alonso Nieto (Deactivated)
Jul 06, 2022
3 min read
[ 1 Tag structure ] [ 2 Set up the Devo relay rule ] [ 3 Configure the forwarding of Fortinet logs ]

The tags beginning with firewall.fortinet identify log events generated by the following Fortinet technologies:

  • Fortinet FortiGate

  • Fortinet Unified Threat Management (UTM)

There are a large number of firewall.fortinet tags to accommodate the wide range of log types possible. 

Tag structure

The full tag must have at least two levels, although most require three and four levels. The first two are fixed as firewall.fortinet. The third level identifies the technology type and must be one of event, traffic, ips, utm, or anomaly. The fourth element is not always required but is usually fixed and may be automatically generated by the Devo relay rule. 

Technology

Brand

Type

Subtype

Technology

Brand

Type

Subtype

firewall

fortinet

  • event

  • traffic

  • ips

  • utm

  • anomaly

may be fixed and required

Here's a complete list of valid tags:

  • firewall.fortinet

  • firewall.fortinet.anomaly.anomaly

  • firewall.fortinet.event

  • firewall.fortinet.event.admin

  • firewall.fortinet.event.config

  • firewall.fortinet.event.dhcp

  • firewall.fortinet.event.dns

  • firewall.fortinet.event.ha

  • firewall.fortinet.event.his-performance

  • firewall.fortinet.event.ipsec

  • firewall.fortinet.event.pattern

  • firewall.fortinet.event.perf-historical

  • firewall.fortinet.event.sslvpn-session

  • firewall.fortinet.event.sslvpn-user

  • firewall.fortinet.event.system

  • firewall.fortinet.event.user

  • firewall.fortinet.event.vpn

  • firewall.fortinet.event.wireless

  • firewall.fortinet.ips.anomaly

  • firewall.fortinet.traffic

  • firewall.fortinet.traffic.forward

  • firewall.fortinet.traffic.local

  • firewall.fortinet.traffic.multicast

  • firewall.fortinet.traffic.other

  • firewall.fortinet.traffic.violation

  • firewall.fortinet.utm.app-ctrl

  • firewall.fortinet.utm.dns

  • firewall.fortinet.utm.emailfilter

  • firewall.fortinet.utm.ips

  • firewall.fortinet.utm.virus

  • firewall.fortinet.utm.webfilter

For more information, read more about Devo tags.

Set up the Devo relay rule

You will need to define a relay rule that can correctly identify the event type and apply the corresponding tag. The events are identified by the source port that they are received on and by matching a format defined by a regular expression. 

The relay rule is different depending on if you are using FortiAnalyzer to manage the logs or if you are simply using FortiGate.

If you are using FortiAnalyzer

When the source conditions are met, the relay will apply a tag that begins with firewall.fortinet. A regular expression in the Source Data field describes the format of the event data and the target tag definition uses capturing groups to form the 3rd and 4th levels of the tag.

  • Source Port → 13003

  • Source Data → type=\"{0,1}([^\s^\"]+)\"{0,1}\ssubtype=\"{0,1}([^\s^\"]+)\"{0,1}

  • Target Tag → firewall.fortinet.\\D1.\\D2.noncsv

  • Check the Sent without syslog tag and Stop processing checkboxes

If you are using just FortiGate

When the source conditions are met, the relay will apply a tag that begins with firewall.fortinet. A regular expression in the Source Data field describes the format of the event data and will depend on the version of FortiGate you are using:

Depending on the format of the sent event data, you must enter a different regular expression in the Source Data field:

  • Events are received in CSV format without quotes → ,type=([^,]+),subtype=([^,]+)(,|$)

  • Events are received in CSV format with double quotes → ,type=\"([^,]+)\",subtype=\"([^,]+)\"(,|$)

Data is then extracted from the event and used to create the third and fourth levels of the tag as needed. In the example below the rule is defined with the following settings:

  • Source Port → 13003

  • Source Data → ,type=([^,]+),subtype=([^,]+)(,|$) (this regular expression is based on receiving events in CSV format without quotes, as explained above)

  • Target Tag → firewall.fortinet.\\D1.\\D2

  • Check the Sent without syslog tag and Stop processing checkboxes

 

Configure the forwarding of Fortinet logs

Using FortiAnalyzer

For deployments that aggregate FortiGate log data using FortiAnalyzer, follow the vendor instructions to configure the Devo relay as a remote syslog server using either the admin console or the FortiAnalyzer CLI. In both cases, you only need to enter the IP address of the Devo relay and specify the port on which you created the relay rule.

Using FortiGate/FortiOS

You need to have the Devo Relay IP address and the listening port number on hand when you configure your FortiGate product. In our example, here and in the relay rule above, we are sending FortiGate log events to the relay in CSV format.

  • Using the FortiGate GUI, go to Log & Report → Log Settings and select Remote Logging and Archiving to configure the Devo relay as a remote syslog server.

  • Using the FortiGate CLI, enter the following commands setting the server to the Devo relay IP address and the port to the relay port on which you created the rule.

Configuring syslog server in FortiGate CLI
config log syslogd setting set status enable set csv enable set reliable set facility local7 set server <relay_ip> set port <relay_port> end

For more details about FortiGate logging, see the vendor documentation.