FortiGate
Overview
FortiGate ingests and normalizes logs from Fortinet's next-generation firewall (NGFW) and unified threat management (UTM) platform in Logpoint. Once ingested, you can explore and analyze the data using Logpoint's search capabilities and available analytics for this integration, including dashboards, reports, and alerts. This gives you clear visibility into network traffic, web filtering, attack detection, threat protection, VPN activity, system events, and user authentication, enabling faster detection, compliance, and response.
The integration includes:
Syslog Collector to retrieve raw logs from FortiGate devices and ingest them into Logpoint for processing.
Syslog Parser to extract key fields from raw FortiGate logs.
FortiOSCompiledNormalizer and FortiCEFCompiledNormalizer to convert the parsed logs into a standardized format for consistent analysis across Logpoint. These normalizers are compatible with CNDP (CompiledNormalizer Date Preference).
Dashboard packages (LP_FortiGate: Attack, LP_FortiGate: General, LP_FortiGate: System Overview, LP_FortiGate: Traffic, LP_FortiGate: Web, LP_FortiGate: Web - Extended, LP_FortiMail), which provide a graphical and interactive overview of FortiGate activities, highlighting patterns including attack distribution, bandwidth usage, web filtering actions, email security, and configuration changes. They let you quickly spot unusual behavior, monitor compliance, and track operational changes over time.
Report packages (LP_Fortigate, LP_Fortigate - Extended) that let you generate time-bound summaries and trend analyses, offering detailed insights into security events, traffic patterns, and threat activity.
Alert packages that notify you about critical security and operational events, including admin login disable, anomaly detection, antivirus warnings, botnet activity, IPS events, malicious URL attacks, virus detection, VPN failures, and data leak protection. They enable faster incident response and help you maintain compliance with internal or regulatory security requirements.
KB List (FORTIMAIL_SESSION) that contains relevant reference data for enrichment and correlation.
When FortiGate detects threats, malware, or malicious events with potential risk to your environment, it triggers security alerts based on predetermined alert rules, enabling early detection and corrective action.
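The parsing and normalization steps above are the part of the pipeline most worth understanding, because the same event arrives in two different shapes depending on how the FortiGate is configured: native FortiOS key=value syslog, or CEF. The following is an added example written for this page; it is not Logpoint's Syslog Parser or the FortiOSCompiledNormalizer/FortiCEFCompiledNormalizer code. It parses both formats into one schema (field names such as source_address and log_type are chosen for this example, not taken from Logpoint's taxonomy), then runs one detection, repeated failed admin logins from a source address, over the normalized events to show why normalization matters. The sample lines are constructed, not captured from a real device; the CEF parser also ignores escaped pipes in the header, which real CEF permits.

```python
"""Parse FortiOS key=value syslog and Fortinet CEF lines into one schema and
run a simple detection over them. Example code for illustration only; not
Logpoint's parser or normalizer implementation."""
import re
from collections import Counter

# Constructed sample records (not from a real FortiGate): a denied SSH flow, a
# failed admin login in FortiOS format, and the same kind of login failure in CEF.
SAMPLE_LINES = [
    '<189>date=2024-03-01 time=10:15:22 devname="FGT-EDGE1" devid="FG100FTK00000001" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=10.10.5.23 srcport=51432 dstip=203.0.113.9 dstport=22 proto=6 '
    'action="deny" policyid=0 service="SSH" msg="Denied by forward policy check"',
    '<185>date=2024-03-01 time=10:16:03 devname="FGT-EDGE1" devid="FG100FTK00000001" '
    'logid="0100032002" type="event" subtype="system" level="alert" vd="root" '
    'logdesc="Admin login failed" user="admin" ui="ssh(198.51.100.7)" '
    'srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid" '
    'msg="Administrator admin login failed from ssh(198.51.100.7) because of invalid password"',
    'CEF:0|Fortinet|Fortigate|v7.0.12|0100032002|event:system Admin login failed|8|'
    'deviceExternalId=FG100FTK00000001 src=198.51.100.7 suser=admin act=login '
    'outcome=failed reason=passwd_invalid',
]

_PRI_RE = re.compile(r'^<\d{1,3}>')                       # optional syslog PRI prefix
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')      # key=value, value may be quoted
_CEF_EXT_RE = re.compile(r'(\w+)=(.*?)(?=\s+\w+=|$)')      # CEF extension key=value pairs


def parse_fortios(line: str) -> dict:
    """FortiOS native format: space-separated key=value pairs, quoted when they contain spaces."""
    body = _PRI_RE.sub('', line, count=1)
    fields = {}
    for key, value in _KV_RE.findall(body):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def parse_cef(line: str) -> dict:
    """CEF:Version|Vendor|Product|DevVersion|SignatureID|Name|Severity|Extension.
    Simplification: escaped pipes (\\|) inside header fields are not handled."""
    body = _PRI_RE.sub('', line, count=1)
    if not body.startswith('CEF:'):
        raise ValueError('not a CEF record')
    parts = body.split('|', 7)
    if len(parts) != 8:
        raise ValueError('malformed CEF header')
    fields = dict(zip(('cef_version', 'vendor', 'product', 'device_version',
                       'signature_id', 'name', 'severity'), parts[:7]))
    fields['cef_version'] = fields['cef_version'][len('CEF:'):]
    for key, value in _CEF_EXT_RE.findall(parts[7]):
        fields[key] = value.replace('\\=', '=').replace('\\\\', '\\')
    return fields


def normalize(line: str) -> dict:
    """Map either format onto one schema so downstream logic is format-agnostic.
    The schema field names are this example's own choice."""
    if _PRI_RE.sub('', line, count=1).startswith('CEF:'):
        raw = parse_cef(line)
        # Fortinet CEF Name looks like "type:subtype description"
        log_type, _, rest = raw['name'].partition(':')
        return {
            'format': 'cef', 'device_id': raw.get('deviceExternalId'),
            'log_id': raw.get('signature_id'), 'log_type': log_type,
            'subtype': rest.split(' ', 1)[0], 'source_address': raw.get('src'),
            'destination_address': raw.get('dst'), 'user': raw.get('suser'),
            'action': raw.get('act'), 'status': raw.get('outcome'),
        }
    raw = parse_fortios(line)
    return {
        'format': 'fortios', 'device_id': raw.get('devid'),
        'log_id': raw.get('logid'), 'log_type': raw.get('type'),
        'subtype': raw.get('subtype'), 'source_address': raw.get('srcip'),
        'destination_address': raw.get('dstip'), 'user': raw.get('user'),
        'action': raw.get('action'), 'status': raw.get('status'),
    }


def failed_admin_login_sources(events, threshold=2):
    """Source addresses with at least `threshold` failed admin logins (system events),
    counted across both input formats thanks to the shared schema."""
    counts = Counter(
        e['source_address'] for e in events
        if e['log_type'] == 'event' and e['subtype'] == 'system'
        and e['action'] == 'login' and e['status'] == 'failed')
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == '__main__':
    normalized = [normalize(l) for l in SAMPLE_LINES]
    for ev in normalized:
        print(ev)
    print('repeated failed admin logins:', failed_admin_login_sources(normalized))
```

Running it reports 198.51.100.7 as having two failed admin logins, even though one record came in FortiOS format and the other in CEF; without the normalization step the detection would have to know both field vocabularies.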
Supported Events
Supported Fortinet products and FortiGate versions:
FortiGate v4.x
FortiGate v5.x
FortiGate v6.x
Fortinet Fortigate Next-Generation Firewall (NGFW)
Unified Threat Management (UTM)
FortiMail
FortiGate log types:
Traffic Events: Allow/deny actions, forward traffic, local traffic, multicast, broadcast, session start/end, connection attempts, explicit proxy, WAN optimization
Attack Events: IPS detections, anomaly detection, signature-based attacks, malicious URLs, intrusion attempts, vulnerability exploitation
Antivirus Events: Virus detection, malware scanning, botnet warnings, infected files, scan engine errors
Web Filter Events: URL filtering, category blocking, content filtering, banned words, script filtering, HTTPS inspection
Application Control Events: Application usage, IM blocking, SSH control, IPS integration
VPN Events: IPSec tunnels, SSL VPN, tunnel status, authentication, connection statistics
System Events: Configuration changes, admin login/logout, firmware updates, high availability, license expiration, daemon status
Email Security (FortiMail): Spam detection, virus-infected emails, email encryption, rejected emails, system monitoring
DNS Events: DNS queries, botnet domain blocking, URL filter DNS, resolution errors
DLP Events: Data leak detection, fingerprint matching, document source tracking
Authentication Events: User logon/logoff, FSSO events, RADIUS accounting, 802.1X authentication, disclaimer acceptance
Wireless Events: Access point management, rogue AP detection, client association, WTP status, WIDS alerts