Collect FortiGate Firewall Metadata with FortiAnalyzer and Lumu VA

If all the logs from your FortiGate deployment are already centralized in a FortiAnalyzer, you can use it to accelerate the Lumu deployment and forward the firewall logs of every FortiGate at once, using the FortiAnalyzer data collection capabilities of Lumu. The Lumu Virtual Appliance (VA) lets you create Collectors, a seamless way to gather the network metadata of your entire enterprise and forward it to the Lumu cloud with the lowest possible impact on network operation.

When an attack avoids domain resolution, the traces of adversarial contact can still be found in the firewall access logs. This option also accommodates networks where a DNS configuration is not possible. In this scenario, FortiAnalyzer forwards the logs to the Lumu VA for processing. If the firewall has URL filtering enabled, and the URLs are included in the logs, every IT asset that sends traffic through the firewall is monitored. This approach provides compromise visibility without major changes to your network.

This guide provides instructions and resources for configuring FortiAnalyzer to forward all firewall logs to Lumu through the Virtual Appliance.

Requirements

  • FortiAnalyzer version 7.00+.
  • Have admin access to create a new Forwarding configuration.
  • Have the most recent version of the Lumu Virtual Appliance installed.

These are the general steps you should follow to configure FortiAnalyzer log forwarding so that all firewall metadata is sent to Lumu:


Deploy and Set Up Lumu VA

All the detailed steps and guidance to create, download, and install a virtual appliance on your preferred hypervisor or cloud solution are available in our documentation.

Set up a Lumu VA Firewall Log Collector

Go to the Lumu Virtual Appliance and refresh the VA Collectors settings by running the command lumu-appliance collectors refresh. If the appliance is running, stop it before setting up collectors.


Select the option that refers to FortiGate and the format that suits you best, then provide the following information:

  • Protocol type: you can select between TCP and UDP according to your infrastructure and your FortiGate’s settings.
  • Port number: provide a number between 1024 and 65535, inclusive.
  • Timezone: The timezone for setting up the VA. Use the canonical ID (e.g. America/Chicago). You can use this external article for reference.


Configure FortiAnalyzer to Send Metadata to Lumu VA

You can add up to 5 forwarding configurations in FortiAnalyzer. To add a new configuration, follow these steps on the GUI:

1. Go to System Settings > Log Forwarding.

2. Click on the Create New option in the toolbar. The Create New Log Forwarding pane opens.

3. Fill in the information using the following table as a reference:

  • Name: Enter a name for the remote server (the Lumu VA).
  • Status: Set the toggle to On.
  • Remote Server Type: Select Syslog.
  • Server Address: Enter the Lumu VA IP address.
  • Server Port: Enter the port configured on the Lumu VA collector.
  • Reliable Connection: Set the toggle to On if you configured the VA collector to use TCP; otherwise, set it to Off.
  • Sending frequency: Select Real-time to forward logs in near real time.
  • Log Forwarding Filters: Define filters only if you need to exclude some devices. If you do add filters, make sure the traffic and webfilter log types are still included, since those are the records Lumu needs.


4. Save your configuration.
For more details on the configuration settings, consult the Fortinet official documentation about Configuring log forwarding.
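After saving, it is worth confirming on the VA side that the forwarded stream actually carries traffic and webfilter records with the fields needed to spot an adversarial contact (source IP, destination IP, and the hostname or URL when URL filtering is on), rather than only event logs that a too-narrow forwarding filter let through. The script below is an added example written for this article, not Lumu or Fortinet code: it parses FortiGate key=value syslog lines (for instance captured on the VA with tcpdump -nn -A on the collector port, or saved from the FortiAnalyzer log view) and reports the record types seen plus any record missing the expected fields. The sample lines, device names, addresses and the list of required fields are constructed assumptions, not data from any real deployment.

```python
import re
import sys
from collections import Counter

# Constructed sample records (not real customer data) in the FortiGate
# key=value format that FortiAnalyzer forwards over syslog. The <PRI>
# prefix is the syslog priority header that precedes each message.
SAMPLE_LINES = [
    '<189>date=2024-05-01 time=10:15:02 devname="FG-EDGE" devid="FGT60FTK00000001" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" '
    'srcip=10.10.20.15 srcport=51544 dstip=203.0.113.7 dstport=443 proto=6 '
    'action="accept" service="HTTPS" hostname="example.net" sentbyte=1200 rcvdbyte=8400',
    '<190>date=2024-05-01 time=10:15:03 devname="FG-EDGE" devid="FGT60FTK00000001" '
    'logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" '
    'level="warning" srcip=10.10.20.15 dstip=198.51.100.22 service="HTTP" '
    'hostname="bad.example" url="/update/payload.bin" action="blocked" '
    'msg="URL belongs to a denied category in policy"',
    '<189>date=2024-05-01 time=10:15:04 devname="FG-EDGE" devid="FGT60FTK00000001" '
    'logid="0100032001" type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="admin" action="login" status="success"',
]

PRI_RE = re.compile(r"^<(\d{1,3})>")
# key=value pairs; quoted values may contain spaces and '=' characters,
# so the quoted alternative is tried first and consumed as a whole.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumed minimum fields per record type for this check (assumption for the
# example): a destination for every traffic record, and the hostname for
# webfilter records so URL-based contacts can be attributed.
REQUIRED = {
    ("traffic", None): ("srcip", "dstip"),
    ("utm", "webfilter"): ("srcip", "dstip", "hostname"),
}


def parse_fortigate_record(line):
    """Return (syslog PRI or None, dict of key=value fields) for one line."""
    pri = None
    m = PRI_RE.match(line)
    if m:
        pri = int(m.group(1))
        line = line[m.end():]
    fields = {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(line)}
    return pri, fields


def audit_forwarded_logs(lines):
    """Count records per (type, subtype) and flag records missing required fields.

    Returns a dict with 'counts', a list of 'problems' as
    (line_number, (type, subtype), [missing fields]), and a boolean
    'traffic_and_webfilter_present' telling whether both record kinds arrived.
    """
    counts = Counter()
    problems = []
    for n, line in enumerate(lines, 1):
        _pri, f = parse_fortigate_record(line)
        key = (f.get("type"), f.get("subtype"))
        counts[key] += 1
        # exact (type, subtype) rule first, then a type-wide rule
        wanted = REQUIRED.get(key) or REQUIRED.get((f.get("type"), None))
        if wanted:
            missing = [k for k in wanted if not f.get(k)]
            if missing:
                problems.append((n, key, missing))
    seen_traffic = any(t == "traffic" for t, _ in counts)
    seen_webfilter = counts[("utm", "webfilter")] > 0
    return {
        "counts": dict(counts),
        "problems": problems,
        "traffic_and_webfilter_present": seen_traffic and seen_webfilter,
    }


if __name__ == "__main__":
    # Read a capture file if given, otherwise audit the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = [ln.rstrip("\n") for ln in fh if ln.strip()]
    else:
        lines = SAMPLE_LINES
    report = audit_forwarded_logs(lines)
    for key, c in sorted(report["counts"].items(), key=lambda kv: str(kv[0])):
        print(f"{key[0]}/{key[1]}: {c}")
    for n, key, missing in report["problems"]:
        print(f"line {n} {key}: missing {', '.join(missing)}")
    print("traffic and webfilter present:", report["traffic_and_webfilter_present"])
```

If the report shows only event records, or the webfilter count stays at zero while users are browsing, revisit the Log Forwarding Filters on FortiAnalyzer and the URL filtering settings on the FortiGate before looking for a problem on the VA.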
