Shipping Fortigate Logs to Distributed SO 2.4.20

[NexusChak]

Was reading through conversation between @dougburks and @bdavedu on #11321. As I don't quite get the concept behind SO's firewall settings, I'm having a hard time setting this up as well. My current setup is a v2.4.20 distributed cluster with a ManagerSearch node and Forward node (which I believe it's called sensor?)

Background Information:

Both ManagerSearch node and sensor tie to the same policy, which has Fortinet-Fortigate integration setup on port 9004.
Fortigate log is now being sent to sensor node via TCP syslog on port 9004.
tcpdump shows there are logs arriving sensor node.
On SO's firewall settings, I have configured "customhostgroup1" and "customportgroup1" with the Fortigate firewall IP and port 9004.
Under SO's firewall -> role -> sensor -> chain, I have set both DOCKER-USER and INPUT's customhostgroup1 -> portgroups to "customportgroup1.
For those external logs, like Fortigate logs in this case, should I have the syslog send to the ManagerSearch Node or Sensor, or I need to setup anything else? Just wondering am I doing anything wrong, and what would be the recommended way to do so.

How should I understand the SO's firewall settings? My understanding now is that logs are sending to sensor node, that's why I go to role -> sensor, and use cusomt hostgroup and port group to control the sensor node, and make it allow access from my Fortigate firewall to sensor node's port 9004. Is this a correct understanding?

Is there any other configuration needed to make logs flow from Sensor node and ManagerSearch node?

Is that going to be the same case for network traffic?

Any help will be appreciated. Thanks in advanced.

[bdavedu]

Hi, I hope it will help you.

SO Firewall Configuration:
From the Web UI of the OS we go to Administration -> Configuration -> Firewall. Once there, we first configure the source IP of the logs in "hostgroups". We select "customhostgroup1" and enter the IP of the forti (be careful since if there are VDOMs there may be IP routing so the IP that sent logs may be different from the one that acts as a gateway for the log source network.

Next, from "portgroups" we configure the destination port of the logs, in this case 9004. We configure it to "UDP" in "customportgroup1"

Finally, in the "role" tab we look for the role of our so-manager, in this case "managersearch". Then we go to chain -> DOCKER-USER -> hostgrpups -> customhostgroup1 -> portgroups-> and put customportgroup1. We do the same in chain -> INPUT.

Fortinet Fortigate logs integration configuration in elasticfleet:

From Kibana's Web UI we go to "Fleet". Then we go to "Agent Policies" and from there we create a copy of the "so-grid-nodes_general" policy. Then we go to "Agents" and assign the so-manager agent to the new policy created.

We click on the created policy and then click "Add integration". We search for "Fortinet FortiGate Firewall Logs" and install it. In the configuration we only enable logs via UDP on port 9004 and for IP 0.0.0.0.

Checks:
We can verify through TCP dump in the so-manager that packets arrive through port 9004.

[NexusChak]

@jaypfe Just had the deprecated one installed. And it just worked, now I'm getting the firewall logs. But they are not parsed. Is it supposed to be unparsed?

I believe something might went wrong with SO 2.4.20 and the new Fortinet integration.

[bdavedu]

I use this integration on 2.4.10.

[jaypfe]

So I used the new one that you are showing there but could never get any logs to actually come through.

I could cheat it if I modified the index to bypass the fleet.final pipeline. I think I could arrive at the problem with enough messing around. But in the mean time I used the deprecated one and configured the fortigate area of the integration. Logs started coming in, and they were parsed just like you would expect.

@JustAEngineer can you drop your config here please?

Also, you can make any integration work, you just need to build the index template. I have had discussions out here before where we worked through that back on .10. I also same the same exact discussion you posted already out there. But if you do a search for fortinet, or fortigate in the 2.4 section you will see them.

[NexusChak]

Just some updates, after removing all Forinet related components (including data stream, index template and its component templates and data views, etc). Then delete and install the latest version of Fortigate integration worked for me now. @jaypfe You may wanna give it a try.

But now I came to a new question, the default SO index template (so-logs) has a priority of 225, which is higher than the Fortigate integration created template (with priority 200), which means those Forigate indexes will only apply the "so-logs" template. This makes it difficult to manage and apply custom ILM policy. I have tried making the Fortigate template a priority of 250, it applies to the new coming index, but the status turned "Yellow" and no log is available to come in. Do you know what's happening here, and if it's recommended for all integrations to apply the "so-logs" template only?

[PacketAttack-NetSecOps]

This is my first go with SecOnion. Was really trying to have it act as my full log manager SIEM for all network devices starting with Fortinet devices. I have a clean Standalone install of 24.20 but still struggling to get the Fortigate logs to show. TCP dump shows SO is accepting UDP port 9004 syslog traffic from my Fortigate. Will work through the suggestions here and report back.