In cases where the attacks avoid domain resolution, the traces of adversarial contact can lie in the access logs of firewalls. This option is also available for accommodating networks where DNS configuration is not possible. In this scenario, the firewall forwards its logs to Lumu's VA for traffic processing. If the firewall has URL filtering enabled and the URLs can be included in the logs, all the IT assets using the firewall are monitored. This approach provides compromise visibility without major changes to the network.
In this guide, we provide instructions and resources on how to configure FortiAnalyzer to forward all firewall logs to Lumu through the Lumu Virtual Appliance.
These are the general steps you should follow to configure a syslog server on a FortiGate to send all metadata to Lumu:
All the detailed steps and guidance to create, download and install a virtual appliance on your preferred hypervisor or Cloud solution are available in our documentation:
Go to the Lumu Virtual Appliance and refresh the VA Collectors settings by running the command lumu-appliance collectors refresh. If the appliance is running, stop it before setting up collectors.
Select the option that refers to FortiGate and the format that suits you best, then provide the following data:
You can add up to 5 forwarding configurations in FortiAnalyzer. To add a new configuration, follow these steps on the GUI:
1. Go to System Settings > Log Forwarding.
2. Click the Create New option in the toolbar. The Create New Log Forwarding pane opens.
3. Fill in the information using the following table as a reference:
| Item | Description |
| --- | --- |
| Name | Enter the name for the remote server |
| Status | Set the toggle to On |
| Remote Server Type | Select Syslog |
| Server Address | Enter the Lumu VA IP address |
| Server Port | Enter the port configured for the Lumu VA collector |
| Reliable Connection | Set the toggle to On if you configured the VA collector to use TCP; otherwise, set it to Off |
| Sending frequency | Select Real-time to forward logs in near-real time |
| Log Forwarding Filters | Define filters if you want to exclude some devices. If you explicitly add filters, make sure that the traffic and webfilter traffic types are included in the filter |

4. Save your configuration.
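Once the forwarding configuration is saved, it is worth confirming that what arrives on the VA collector port actually contains the record types Lumu needs. The following Python script is an added example, not part of Lumu's documentation or Fortinet's code: it parses FortiGate-style key=value syslog records (the format FortiAnalyzer forwards), counts them per type and subtype, reports how many carry a URL, hostname or destination IP, and flags whether the traffic and webfilter types named in the filter note above are missing. The sample records are constructed for this example; device ids and addresses are placeholders.

```python
"""Sanity-check FortiGate-style syslog records captured from the collector port.

Added example (not Lumu's or Fortinet's code). It assumes the forwarder emits
FortiGate's key=value log format, and that the record kinds worth forwarding
for contact detection are the "traffic" type and the "webfilter" subtype.
"""
import re
from collections import Counter

# Matches key=value pairs; a value is either double-quoted (may contain
# spaces or '=') or a bare token up to the next whitespace.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Fields that carry the indicator of adversarial contact (URL, host, or IP).
INDICATOR_FIELDS = ("url", "hostname", "dstip")

# Constructed sample records (not real captures). Field names follow the
# FortiGate schema; device ids and addresses are placeholders.
SAMPLE_LOGS = [
    'date=2024-01-10 time=10:15:01 devname="fgt-edge" devid="FG-PLACEHOLDER" '
    'type="traffic" subtype="forward" level="notice" srcip=10.0.0.15 srcport=51234 '
    'dstip=203.0.113.10 dstport=443 proto=6 action="accept" policyid=3 '
    'service="HTTPS" hostname="example.net"',
    'date=2024-01-10 time=10:15:02 devname="fgt-edge" devid="FG-PLACEHOLDER" '
    'type="utm" subtype="webfilter" level="warning" srcip=10.0.0.22 '
    'dstip=198.51.100.7 hostname="updates.example.org" url="/check?id=1" '
    'catdesc="Information Technology" action="passthrough"',
    'date=2024-01-10 time=10:15:03 devname="fgt-edge" devid="FG-PLACEHOLDER" '
    'type="event" subtype="system" level="information" logdesc="Admin login" '
    'user="admin" action="login" status="success"',
]


def parse_fortigate_line(line: str) -> dict:
    """Turn one key=value record into a dict, stripping surrounding quotes.

    A syslog header (PRI, timestamp, host) may precede the body; anything
    that is not a key=value pair is simply skipped.
    """
    record = {}
    for key, value in _KV.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        record[key] = value
    return record


def summarize(lines) -> dict:
    """Count records per (type, subtype) and how many carry an indicator field."""
    by_type = Counter()
    with_indicator = 0
    total = 0
    for line in lines:
        rec = parse_fortigate_line(line)
        if not rec:
            continue  # blank line or not a FortiGate record
        total += 1
        by_type[(rec.get("type", "?"), rec.get("subtype", "?"))] += 1
        if any(rec.get(field) for field in INDICATOR_FIELDS):
            with_indicator += 1
    return {"by_type": by_type, "with_indicator": with_indicator, "total": total}


def missing_log_types(lines) -> list:
    """Return which of the required record kinds (traffic, webfilter) are absent.

    Run this over a capture taken on the VA collector port; a non-empty result
    usually means a forwarding filter on FortiAnalyzer is too narrow.
    """
    seen = summarize(lines)["by_type"]
    missing = []
    if not any(t == "traffic" for t, _ in seen):
        missing.append("traffic")
    if not any(s == "webfilter" for _, s in seen):
        missing.append("webfilter")
    return missing


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOGS)
    print(f"{stats['total']} records, {stats['with_indicator']} with a contact indicator")
    for (log_type, subtype), count in sorted(stats["by_type"].items()):
        print(f"  type={log_type} subtype={subtype}: {count}")
    print("missing required types:", missing_log_types(SAMPLE_LOGS) or "none")
```

To use it against real data, replace SAMPLE_LOGS with the lines of a capture taken on the collector port (for example, the output of a packet capture or a temporary syslog listener) and check that the missing list is empty and that the webfilter records carry the url or hostname field.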