How do you ingest Fortinet Firewall logs in SO 2.4?

[bdavedu]

Hi there,

I'm looking to ingest Fortinet Firewall (firmware 7.4.0) logs as I did in SO 2.3 (just reading documentation), but I have problems with it in SO 2.4 because I could not find where filebeat modules can be configured.
I looked for documentation but the only thing I found is about Fortinet Firewall integration with ElasticAgent. The problem is that I can not figure out how to deploy an agent on Forti.

Thank you in advance!

[dougburks]

Are you looking to send Fortinet firewall logs via syslog? Have you looked at the Fortigate integration?
https://docs.elastic.co/integrations/fortinet_fortigate

Also see:
https://docs.securityonion.net/en/2.4/elastic-agent.html
https://docs.securityonion.net/en/2.4/elastic-fleet.html
https://docs.elastic.co/integrations

[bdavedu]

Yes, I am trying to ingest fortinet logs via syslog. As I said I achieved it with SO 2.3 using filebeat thirdparty modules. But I struggle with SO 2.4. I looked at the Fortigate integration but I don't understand how to deploy/use it without an ElasticAgent on my Fortinet Firewall.

I tried to add Fortigate integration to my managersearch policy and to open udp port 9004 for it, but it doesn't work. I doesn't recieve any log.

[dougburks]

If you run tcpdump on your Security Onion management interface, do you see the traffic arriving on port 9004?

[bdavedu]

Hi. I was offline somedays. I finally achieved logs ingest. I did exactly what you said above and observed that logs were arriving to the port 9004. So then I inspected firewall config and released that I only allowed my FortiGate IP and port in the DOCKER-USER and didn't allowe it in the INPUT field. After allowing both options the logs have started to appear.

P.S. If someone has the same problem be careful with the FortiGate's IP that you allow in SO firewall because if you use Virtual Domains in FortiGate you have to consider internal routing so the IP that send logs can be different to expected.

@dougburks Thank you!!!