This article describes how to integrate FortiGate with Microsoft Sentinel through AMA.
Scope
FortiGate.
Solution
To integrate a FortiGate firewall on Azure so that it sends logs to Microsoft Sentinel through a Linux machine acting as a log forwarder, follow the steps below:
Step 1: From the Content hub in Microsoft Sentinel, install the Fortinet FortiGate Next-Generation Firewall Connector:
The ‘Fortinet via AMA’ Data connector is visible:
Step 2: Open the connector page; the following steps appear:
Step A
To configure the CEF via AMA data connector, a dedicated Linux VM is required as a log forwarder to collect the logs.
In this example, Ubuntu 20.04 with Syslog-ng installed is used. Any other version supported by the AMA can be used, with either Syslog-ng or Rsyslog.
Install Syslog-ng on Ubuntu:
The installation steps below are for Ubuntu 20.04, but they can be used with minimal modifications on any other supported distribution; only the URLs change.
Step 1: Download and install the release key:
wget -qO - https://ose-repo.syslog-ng.com/apt/syslog-ng-ose-pub.asc | sudo apt-key add -
Step 2: Add the repository containing the latest stable build of Syslog-ng to the APT sources. For example, on Ubuntu 20.04:
echo 'deb https://ose-repo.syslog-ng.com/apt/ stable ubuntu-focal' | sudo tee -a /etc/apt/sources.list.d/syslog-ng-ose.list
Step 3: Refresh the package index:
sudo apt-get update
Install Syslog-ng and any of its sub-packages:
sudo apt-get install syslog-ng-core syslog-ng-scl
Configure the Data Connector:
Navigate to Microsoft Sentinel workspace > Configuration > Data connector blade. Search for the ‘Common Event Format (CEF) via AMA’ data connector and install it.
Open the connector page.
If there is no existing DCR (Data Collection Rule) configured to collect the required log facility, create a new one. In the Resources section, choose the Linux VM created to forward the logs.
Select the data source type and the data to collect for the resource(s). Whatever is configured here must match the configuration on the FortiGate that sends the logs to the Linux log forwarder.
Here, facility Local7 at the LOG_NOTICE level has been selected, which matches the FortiGate configuration.
This is the final result:
Run the command provided on the CEF via AMA data connector page to configure the CEF collector on the machine:
sudo wget -O Forwarder_AMA_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Forwarder_AMA_in...
sudo python3 Forwarder_AMA_installer.py
Step B
Configure the FortiGate to send the logs to the Linux machine. SSH to the FortiGate instance or open a CLI console:
config log syslogd setting
    set status enable
    set server <IP address of the log forwarder>
    set mode udp
    set port 514
    set facility local7
    set format cef
end
Note that the facility has been set to local7, which matches the Data Collection Rule on Azure, and the format has been set to CEF.
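Because both the DCR selection above and the FortiGate facility setting must agree, here is an added check (example code, not from this article or from Microsoft's installer and troubleshooting scripts) that decodes the syslog PRI header exactly as a collector does and reports whether a DCR set to local7 at LOG_NOTICE would ingest a given line. The device name and CEF fields in the sample lines are constructed.

```python
import re

# syslog facility codes 0-23 and severity codes 0-7 (RFC 5424, section 6.2.1)
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility, severity) names from the <PRI> header of a syslog line.
    PRI = facility * 8 + severity, so 'set facility local7' at notice level is <189>."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range PRI header")
    pri = int(m.group(1))
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def dcr_collects(line, facility="local7", min_level="notice"):
    """True if a DCR selecting `facility` with minimum log level `min_level` would
    ingest this line. The minimum level keeps that level and everything more severe
    (numerically lower), so notice also admits warning, err, crit, alert and emerg."""
    fac, sev = decode_pri(line)
    return fac == facility and SEVERITIES.index(sev) <= SEVERITIES.index(min_level)


def is_cef(line):
    """True if the message body carries the CEF header that 'set format cef' produces."""
    return "CEF:0|" in line


def check(line):
    """Summarise why a line would or would not reach Sentinel under the DCR above."""
    fac, sev = decode_pri(line)
    return {"facility": fac, "severity": sev, "collected": dcr_collects(line), "cef": is_cef(line)}


# Constructed sample lines: hypothetical device name and event fields, not real FortiGate logs.
BODY = "Jan 01 10:00:00 fgt-lab CEF:0|Fortinet|Fortigate|v7.x|0000000013|forward|3|deviceExternalId=FG-LAB"
OK_LINE = "<189>" + BODY         # local7 / notice: matches the DCR
WRONG_FACILITY = "<133>" + BODY  # local0 / notice: DCR never sees it
TOO_VERBOSE = "<190>" + BODY     # local7 / info: below LOG_NOTICE, dropped

if __name__ == "__main__":
    for name, line in [("ok", OK_LINE), ("local0", WRONG_FACILITY), ("info", TOO_VERBOSE)]:
        print(name, check(line))
```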
Step C
To verify that the connector is installed correctly, run the troubleshooting script:
sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_tro...
sudo python3 Sentinel_AMA_troubleshoot.py --cef
The FortiGate is now integrated with Sentinel and the logs are visible: