FortiGate Firewall - Syslog Configuration for Log Integration & Security Configuration Recommendations

Introduction

The FortiGate integration enables us to monitor your Fortinet FortiGate firewall for security threats, traffic analysis, and compliance reporting. Currently, we are not receiving logs from your firewall. This guide will help you configure syslog to send logs to our monitoring system.

Step 1: Log in to your Fortinet FortiGate Admin Portal and Navigate to the CLI Console

Log in to your FortiGate web interface and open the CLI Console. Please refer to the images below.
1. Open your web browser and go to: https://[your-firewall-ip-address]
2. Click on your username in the top-right corner
3. Select CLI Console from the dropdown menu

Step 2: Required Information for Integration

To configure FortiGate to send logs to your syslog server, we need the following information from you:
   FortiGate Source IP (Management IP): ___________________________
   Log Collector IP (where FortiGate sends logs to): ___________________________
   FortiGate Model: ___________________________
   Firmware Version: ___________________________

To get the FortiGate model, firmware version and interface addresses, run these commands in the CLI:

    get system status
    get system interface physical

Step 3: Execute Configuration Commands

Execute these commands on the CLI Console.

For Syslog Setting:

    config log syslogd setting
        set status enable
        set server <log-collector-ip>
        set facility user
        set source-ip <fortigate-management-ip>
        set port 10514
        set mode reliable
        set format default
    end

What each setting does:
   set status enable = Turns on syslog forwarding
   set server = IP address of your log collector (where FortiGate sends logs to)
   set facility user = Tags the messages with the syslog facility "user"
   set source-ip = FortiGate's management IP address. The collector sees the logs arriving from this address, so use it in any allow-list on the collector side
   set port 10514 = Destination port for log transmission
   set mode reliable = Sends syslog over TCP (RFC 6587). This is the FortiOS keyword for TCP transport; "tcp" is not an accepted value, and the default, udp, is fire-and-forget. TCP gives ordered, acknowledged delivery, but the stream itself is cleartext unless the syslog connection is TLS-protected, so keep the collector on a trusted network path
   set format default = Uses FortiGate's standard key=value syslog format (the one the Elastic integration expects)

Example with actual values:

    config log syslogd setting
        set status enable
        set server 192.168.10.50
        set facility user
        set source-ip 192.168.1.99
        set port 10514
        set mode reliable
        set format default
    end

Note:
   Use your own log collector IP for set server
   Use the FortiGate management IP for set source-ip
   We recommend using port 10514 if port 514 is already in use

For Syslog Filter:

    config log syslogd filter
        set anomaly enable
        set forward-traffic enable
        set local-traffic enable
        set multicast-traffic disable
        set netscan-discovery enable
        set netscan-vulnerability enable
        set severity warning
        set sniffer-traffic enable
        set voip disable
        set ztna-traffic enable
    end

This configuration enables logging for:
   Anomaly events – Unusual network behavior detected by DoS policies
   Forward traffic – Traffic passing through the firewall
   Local traffic – Traffic to/from the firewall itself
   Network scanning – Port scans and vulnerability scans found by the network scan feature
   Sniffer traffic – Traffic seen by one-arm sniffer policies
   ZTNA traffic – Zero Trust Network Access events

Check the severity value before you apply the filter: set severity is the lowest level that will be forwarded, not a category. FortiGate writes accepted forward-traffic sessions at level notice and denied sessions at level warning, so with set severity warning the collector only receives denied traffic plus system messages of warning level and above. If you want logs for allowed sessions (which Step 7 enables on the policies), use set severity information instead.

Step 4: Network Firewall Configuration Requirements

IMPORTANT: Please ensure the following network connectivity is allowed:

On your FortiGate device:
   Allow OUTBOUND traffic from FortiGate to your log collector
   Port: 10514
   Protocol: TCP

On your Log Collector server:
   Allow INBOUND traffic from FortiGate (source: the FortiGate management IP)
   Port: 10514
   Protocol: TCP

Network Path:
   Ensure no firewall or network device between your FortiGate and your log collector is blocking TCP port 10514
   Verify your FortiGate can reach the log
collector IP address (Step 6, Test 1)

Step 5: Verify Configuration

After executing the commands, verify the configuration by running:

To verify the syslog setting:

    show log syslogd setting

Expected output should show:
    status: enable
    server: <your log collector IP>
    port: 10514
    mode: reliable
    format: default

To verify the syslog filter:

    show log syslogd filter

Step 6: Test Connectivity and Log Transmission

Test 1: Verify network connectivity to your log collector

    execute ping <log-collector-ip>

This should return successful ping responses. A successful ping only proves IP reachability; it does not prove that TCP port 10514 is open along the path, so complete Test 2 as well.

Test 2: Send test log messages

    diagnose log test

This command generates sample log entries of each log type and sends them to every configured log destination, including your syslog server, so you can confirm on the collector that messages arrive. The test entries pass through the same syslog filter as real logs.

Step 7: Enable Logging on Firewall Policies

For us to receive traffic logs, logging must be enabled on your firewall policies. "Security Events" only logs sessions that triggered a security profile; "All Sessions" logs every accepted session, which is what traffic analysis needs (expect a noticeable increase in log volume).

GUI Method:
1. Navigate to: Policy & Objects → Firewall Policy
2. For each policy, click to edit
3. Scroll to Logging Options
4. Set Log Allowed Traffic to: All Sessions
5. Click OK

CLI Method (to check current status):

    show firewall policy | grep logtraffic

Because show omits settings left at their default, a policy with no logtraffic line is at the FortiOS default (utm, i.e. Security Events only). Adding the -f flag to grep prints the enclosing edit line so you can see which policy each match belongs to.

CLI Method (to enable logging on a specific policy):

    config firewall policy
        edit <policy-id>
            set logtraffic all
        next
    end

Verification and Information Needed

To help us verify the integration is working correctly, we would appreciate it if you could provide the following:

Configuration Verification (screenshots would be helpful):
   ☐ Output of: show log syslogd setting
   ☐ Output of: show log syslogd filter
   ☐ Output of: get system status

Network Connectivity Test:
Please test connectivity to your log collector by running:

    execute ping <log-collector-ip>

This helps us confirm there are no network issues between your firewall and log collector.
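The interaction between the Step 3 filter and the Step 7 policy logging is easy to get wrong, so here is an added example (written for this guide, not Fortinet code and not part of the Elastic integration) that parses FortiGate "format default" key=value lines and applies the syslogd filter semantics to them. The three log lines are constructed to resemble FortiGate traffic and event records (the device ID, addresses and policy names are invented), and the assumption that non-traffic records are governed only by the severity threshold is the example's own simplification.

```python
"""Parse FortiGate 'format default' syslog lines and model the syslogd filter.

Added example for this guide, not code from Fortinet or from the Elastic
integration. SAMPLE_LOGS are constructed records (invented devid, IPs and
policy names). The model covers the two things Step 3's filter does: the
per-type enable/disable switches and 'set severity', which is a minimum
level, not a category.
"""
import re
from typing import Dict, List

# 'format default' is a run of key=value pairs; values containing spaces are
# double-quoted. The quoted alternative is tried first so spaces stay inside.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Syslog severities, most to least severe. 'set severity' uses the keyword
# 'notification'; the level= field in the log spells the same level 'notice'.
_SEVERITY = ["emergency", "alert", "critical", "error", "warning",
             "notification", "information", "debug"]
_ALIASES = {"notice": "notification", "info": "information"}

# Constructed sample records (not captured from a real device).
SAMPLE_LOGS = [
    'date=2024-05-01 time=10:15:01 devname="FGT60F-LAB" devid="FGT60FTK00000000" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=192.168.1.20 dstip=203.0.113.10 dstport=443 proto=6 action="accept" '
    'policyid=3 policyname="LAN-WAN-HTTPS-Employee_Internet_Access" service="HTTPS"',
    'date=2024-05-01 time=10:15:07 devname="FGT60F-LAB" devid="FGT60FTK00000000" '
    'logid="0000000013" type="traffic" subtype="forward" level="warning" vd="root" '
    'srcip=192.168.1.20 dstip=203.0.113.10 dstport=23 proto=6 action="deny" '
    'policyid=0 policyname="Implicit Deny" service="TELNET"',
    'date=2024-05-01 time=10:16:00 devname="FGT60F-LAB" devid="FGT60FTK00000000" '
    'logid="0000032001" type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="https(10.10.10.5)" '
    'msg="Administrator admin logged in successfully from https(10.10.10.5)"',
]

# The traffic-type switches exactly as the guide's filter block sets them.
GUIDE_FILTER = {"forward-traffic": True, "local-traffic": True,
                "multicast-traffic": False, "sniffer-traffic": True,
                "ztna-traffic": True}


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split one default-format line into its fields, unquoting values."""
    fields: Dict[str, str] = {}
    for key, raw in _KV.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def _rank(level: str) -> int:
    """Position in the severity table; lower means more severe."""
    return _SEVERITY.index(_ALIASES.get(level, level))


def passes_syslogd_filter(fields: Dict[str, str], severity: str,
                          enabled: Dict[str, bool]) -> bool:
    """Would 'config log syslogd filter' forward this record?

    severity: the value of 'set severity' (lowest level still forwarded).
    enabled:  the traffic-type switches, e.g. {"forward-traffic": True, ...}.
    Assumption of this example: non-traffic records are governed by the
    severity threshold alone.
    """
    if _rank(fields["level"]) > _rank(severity):
        return False
    if fields.get("type") == "traffic":
        # subtype forward -> forward-traffic, local -> local-traffic, and so on.
        return enabled.get(f"{fields.get('subtype')}-traffic", False)
    return True


def forwarded_actions(lines: List[str], severity: str,
                      enabled: Dict[str, bool]) -> List[str]:
    """Summarise what reaches the collector as 'type/action' or 'type/logdesc'."""
    out = []
    for line in lines:
        f = parse_fortigate_log(line)
        if passes_syslogd_filter(f, severity, enabled):
            out.append(f"{f['type']}/{f.get('action') or f.get('logdesc')}")
    return out


if __name__ == "__main__":
    # With the guide's 'set severity warning' only the denied session survives.
    print("warning:    ", forwarded_actions(SAMPLE_LOGS, "warning", GUIDE_FILTER))
    # With 'set severity information' the allowed session and the admin login arrive too.
    print("information:", forwarded_actions(SAMPLE_LOGS, "information", GUIDE_FILTER))
```

Run it as-is and compare the two lines: the first shows what the collector gets with the filter block above, the second what it gets once severity is lowered to information. The same parser can be pointed at a file of real lines from your collector to confirm that policyid and action fields are populated before the Elastic integration is enabled.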
Information for Our Integration Setup

To complete the integration on our end, after completing the configuration and capturing the screenshots above, please provide:
   FortiGate Source IP (your FortiGate management IP): ___________________________
   Log Collector IP (your log collector server IP): ___________________________
   FortiGate Model: ___________________________
   Firmware Version: ___________________________
   Port Number: 10514
   Protocol: TCP

Optional (but helpful for troubleshooting):
   Is there any firewall or network device between your FortiGate and log collector? Yes / No
   Did the ping test succeed? Yes / No

Troubleshooting Common Issues

Issue 1: Cannot ping log collector
Possible causes:
   Network firewall blocking traffic
   Incorrect routing
   Log collector server is down
Solution:
    # Check your default route and the route towards the collector
    get router info routing-table all
    # Verify the interface is up
    get system interface physical
Also confirm that the address you used for set source-ip is configured on the FortiGate itself and that the collector (and any device in between) permits replies back to that address; otherwise the TCP session cannot be established even though the route exists.

Issue 2: Test logs do not appear on the collector
Solution:
    # Verify syslog is enabled
    show log syslogd setting | grep status
    # Check that the server IP is correct
    show log syslogd setting | grep server
Then re-check the severity setting in show log syslogd filter: with set severity warning, allowed-traffic logs (level notice) are never sent, so an empty collector for accepted sessions is expected rather than a fault.

Issue 3: Configuration not saving
Solution:
   Ensure you typed end after each config block
   Verify there are no syntax errors in the commands
   Check you have admin permissions (a read-only profile can run show but not config)

Reference Documentation Links

Source Link for Full Documentation Manual: https://docs.cytechint.io/books/system-integrations/page/fortinet-fortigate-syslog-setting-and-syslog-filter
Source Link Documentation for Syslog Setting: https://docs.fortinet.com/document/fortigate/6.4.4/cli-reference/444620/config-log-syslogd-setting
Source Link Documentation for Syslog Filter: https://docs.fortinet.com/document/fortigate/7.0.9/cli-reference/456620/config-log-syslogd-filter
Source Link for the FortiOS 5.2 CLI Handbook (config log): https://help.fortinet.com/fgt/handbook/cli52_html/index.html#page/FortiOS%205.2%20CLI/config_log.16.17.html
Source Link to Better Understand Log Priority Levels (FortiWeb document; the level names and ordering are the same as on FortiGate): https://help.fortinet.com/fweb/551/log/Content/FortiWeb/fortiweb-log/Priority_level.htm

FortiGate Firewall - Security Configuration Recommendations

Introduction

This document provides security recommendations for your Fortinet FortiGate firewall to strengthen network security, improve policy management, and optimize firewall configuration based on industry standards.

1. Enable Security Profiles on Firewall Policies

Risk: Without security profiles, viruses, malware, exploits, and malicious websites pass through your firewall uninspected.

Required Profiles for Internet-Bound Policies (LAN → WAN):
   ☑ Antivirus (AV) - Blocks viruses, malware, ransomware
   ☑ Web Filter - Blocks malicious and phishing websites
   ☑ Application Control - Controls which applications can be used
   ☑ IPS (Intrusion Prevention) - Blocks exploit attempts (the protect_client sensor covers attacks against client software)

Configuration Steps:
1. Navigate to Policy & Objects → Firewall Policy
2. Click on the policy allowing internet access
3. Scroll to the Security Profiles section
4. Enable profiles:
   Antivirus: default
   Web Filter: default
   Application Control: default
   IPS: protect_client
5. Click OK

Caveat: most internet traffic is TLS. With the default certificate-inspection SSL/SSH profile, the FortiGate only sees the handshake (SNI and server certificate), so web filtering works at hostname level but antivirus file scanning and most IPS signatures do not apply to the encrypted payload. Full inspection requires a deep-inspection SSL/SSH profile with the FortiGate's CA certificate trusted by the clients; decide per policy whether that is acceptable in your environment.

2. Review and Optimize Firewall Policies

A) Remove Unused Policies
1. Navigate to Policy & Objects → Firewall Policy
2. Check the Hit Count column (0 hits for 30+ days = unused). Hit counters reset when the FortiGate reboots, so confirm the uptime with get system status before trusting a zero
3. Verify with department owners before deleting
4. Delete unused policies

B) Eliminate "Any-Any" Policies
Dangerous policies have:
   Source: all
   Destination: all
   Service: ALL
   Action: ACCEPT
Replace them with specific rules defining exact sources, destinations, and services. FortiGate evaluates policies top-down and stops at the first match, so an any-any ACCEPT above more specific rules also makes those rules dead.

C) Implement a Naming Convention
Format: [SOURCE]-[DESTINATION]-[SERVICE]-[DESCRIPTION]
Examples:
   LAN-WAN-HTTPS-Employee_Internet_Access
   LAN-DMZ-HTTP-Access_to_WebServer
   Branch1-HQ-ALL-Site_to_Site_VPN

3.
Configure Address Objects

A) Create Named Objects for Servers
Naming Format: [TYPE]_[LOCATION]_[PURPOSE]
Examples:
   SVR_DMZ_WebServer01
   SVR_HQ_DatabaseServer
   NET_Branch1_LAN
   HOST_Finance_Workstation
Steps:
1. Navigate to Policy & Objects → Addresses
2. Click Create New → Address
3. Configure:
   Name: SVR_DMZ_WebServer01
   Type: IP/Netmask
   Subnet/IP: 10.10.10.50/32
   Comment: "Production web server"
4. Click OK

B) Create Address Groups
Example:
   Group: GRP_Web_Servers
   Members:
   - SVR_DMZ_WebServer01
   - SVR_DMZ_WebServer02
   - SVR_DMZ_WebServer03
Benefit: One policy can manage multiple servers, and adding a server to the group updates every policy that references it.

C) Geographic Blocking (Optional)
Block traffic from high-risk countries:
1. Navigate to Policy & Objects → Addresses
2. Create New → Address
3. Type: Geography
4. Select the countries to block
5. Create a deny policy using this object, placed above the accept policies it should override
Geolocation data is approximate (VPN exit nodes, cloud providers and mobile carriers cross borders), so treat this as noise reduction rather than a security boundary.

4. Optimize Service Objects

A) Create Custom Services
Naming Format: [PROTOCOL]_[PURPOSE]_[PORT]
Examples:
   TCP_Custom_App_8080
   TCP_Database_MySQL_3306
   TCP_Web_Application_8443

B) Create Service Groups
Example: Web Services
   GRP_Web_Services:
   - HTTP (80)
   - HTTPS (443)
   - HTTP-ALT (8080)
Example: Email Services
   GRP_Email_Services:
   - SMTP (25)
   - SMTPS (465)
   - IMAPS (993)
   - POP3S (995)

C) Phase Out Insecure Protocols
Replace:
   Telnet → SSH
   FTP → SFTP/FTPS
   HTTP → HTTPS
   SNMPv1/v2c → SNMPv3 (authPriv)
Where a legacy protocol cannot be removed yet, confine it to its own policy with specific source and destination objects so it is logged separately and can be deleted later.

5. Configure NAT Policies

Source NAT (Outbound Internet)
Verify NAT is enabled on internet access policies:
1. Go to Policy & Objects → Firewall Policy
2. Click the internet access policy (LAN → WAN)
3. In the NAT section:
   ☑ NAT: Enable
   ☑ Use Outgoing Interface Address

Destination NAT (Inbound Services)
For published services (web, email servers):
1. Navigate to Policy & Objects → Virtual IPs
2. Create New → Virtual IP
3. Configure:
   Name: VIP_External_WebServer
   External IP: ___________________________
   Mapped IP: ___________________________
   Port Forwarding: Enable
   Protocol: TCP
   External service port and Map to port: only the port(s) the service actually needs
Always enable security profiles (AV, IPS) on the WAN → DMZ policy that uses the VIP, pick a server-side IPS sensor (for example protect_http_server for a web server rather than protect_client), and set the policy's Service to the published port instead of ALL.

6.
Secure VPN Configuration

SSL VPN (Remote Access)
Navigate to: VPN → SSL-VPN Settings
Security Settings:
   ☑ Two-Factor Authentication: Enable (Method: FortiToken, Email, or SMS)
   Login Attempt Limit: 5
   Lockout Duration: 30 minutes
   Session Timeout: 12 hours
   Idle Timeout: 30 minutes
   ☐ Split Tunneling: Disable (force all traffic through the VPN so it is inspected by the policies above)
Restrict the SSL VPN firewall policy to the user groups that need remote access; an internet-facing VPN portal with a broad policy behind it is a common entry point.

IPsec VPN (Site-to-Site)
Navigate to: VPN → IPsec Tunnels
Strong Encryption (use IKE version 2):
Phase 1 (IKE):
   - Encryption: AES256-GCM
   - PRF/Authentication: SHA256 (with an AEAD cipher such as AES-GCM the hash serves as the IKEv2 PRF, not as a separate integrity algorithm)
   - DH Group: 14 or higher
Phase 2 (IPsec):
   - Encryption: AES256-GCM (AES-GCM authenticates the data itself, so no separate authentication algorithm is selected for the proposal)
   - PFS: Enable (Group 14 or higher)
☑ Dead Peer Detection: Enable, Interval: 10 seconds
Use a long random pre-shared key that is unique to each tunnel, or certificate authentication.

7. Administrator Security

A) Enable Two-Factor Authentication
1. Navigate to System → Administrators
2. Click the administrator account
3. ☑ Enable Two-Factor Authentication, Method: FortiToken (recommended) or Email
4. Click OK

B) Restrict Trusted Hosts
Only allow admin login from specific IPs:
   Trusted Host 1: 10.10.10.0/24 (IT subnet)
   Trusted Host 2: 172.16.5.100/32 (VPN gateway)
Trusted hosts are enforced per administrator account, so set them on every account, including read-only and API users; an account without trusted hosts can log in from anywhere the management interface is reachable.

C) Disable WAN Management
Navigate to Network → Interfaces, edit the WAN interface and clear the Administrative Access options:
   ☐ HTTPS: Disable
   ☐ HTTP: Disable
   ☐ SSH: Disable
If remote administration is unavoidable, reach the FortiGate over the VPN and rely on trusted hosts plus 2FA; moving the HTTPS port (System → Settings) reduces scanner noise but is not a control on its own.

8. Configure Regular Backups

Manual Backup
1. Click username (top-right)
2. Configuration → Backup
3. Choose Local PC and tick Encryption with a strong password
4. Save as: FortiGate_[Model]_[Date].conf
An unencrypted backup still contains VPN pre-shared keys, user credentials and other secrets; they are obfuscated rather than protected, so store every backup as you would a password file.

Backup Schedule
   Daily: Automated
   Before changes: Always
   Weekly: Manual verification
   Monthly: Offsite storage
Retention:
   - Daily: 7 days
   - Weekly: 30 days
   - Monthly: 1 year
Storage Locations
   Primary: Local computer
   Secondary: Network file server
   Tertiary: Cloud storage (encrypted)
   Emergency: USB drive (offsite)

9. Enable FortiGuard Services

Check License Status
1. Navigate to System → FortiGuard
2. Verify active licenses:
   ☑ Antivirus
   ☑ IPS (Intrusion Prevention)
   ☑ Web Filtering
   ☑ Application Control
3. Check expiration dates (renew 30 days before expiry). When a subscription lapses the profiles stay enabled but stop receiving signature and rating updates, so protection degrades silently
Configure Auto-Updates
   ☑ Automatic Updates: Enable
   Update Schedule: Daily
   Push Update: Enable

10.
Configure NTP (Time Synchronization)

Why Critical
Accurate timestamps are required for:
   Log correlation (the date= and time= fields in every syslog record come from the FortiGate's clock)
   Certificate validation
   Compliance

Configuration
1. Navigate to System → Settings
2. In the System Time section:
   ☑ Enable NTP
   Sync with: FortiGuard NTP Servers
   Time Zone: ___________________________
Verify NTP with the CLI command:

    diagnose sys ntp status

Expected: synchronized: yes

Summary Checklist

Security Profiles:
   ☐ AV, Web Filter, App Control, IPS enabled
Policy Management:
   ☐ Unused policies removed
   ☐ "Any-any" policies replaced
   ☐ Naming convention implemented
Objects:
   ☐ Address objects for servers
   ☐ Address groups created
   ☐ Service objects organized
NAT:
   ☐ Source NAT configured
   ☐ Destination NAT secured
VPN:
   ☐ 2FA enabled
   ☐ Strong encryption
   ☐ Session timeouts set
Admin Security:
   ☐ 2FA for admins
   ☐ Trusted hosts configured
   ☐ WAN management disabled
Maintenance:
   ☐ Backup procedure
   ☐ FortiGuard licenses valid
   ☐ NTP working

Reference Links

FortiGate Best Practices: https://docs.fortinet.com/document/fortigate/7.4.0/best-practices
Administration Guide: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/
FortiGuard Services: https://www.fortiguard.com/
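Several items in the checklist (section 1 security profiles, section 2 any-any rules and naming, and the logtraffic setting from Step 7 of the syslog guide) can be checked from a CLI dump instead of clicking through every policy. The following is an added example written for this document, not Fortinet code: it parses the output shape of show firewall policy and reports the policies that violate those recommendations. SAMPLE_DUMP is a constructed excerpt with invented names and objects; the assumption that an interface named wan* is the internet-facing one is the example's own.

```python
"""Audit a FortiGate 'show firewall policy' dump against the recommendations.

Added example for this document, not Fortinet code. SAMPLE_DUMP is a
constructed excerpt in the shape 'show firewall policy' prints (invented
names and objects). 'show' omits settings left at their default, so a missing
'set logtraffic' means the FortiOS default (utm) and a missing 'set action'
means deny; the parser relies on that.
"""
import re
import shlex
from typing import Dict, List

SAMPLE_DUMP = """\
config firewall policy
    edit 1
        set name "LAN-WAN-HTTPS-Employee_Internet_Access"
        set dstintf "wan1"
        set action accept
        set srcaddr "NET_HQ_LAN"
        set dstaddr "all"
        set service "HTTPS" "HTTP"
        set utm-status enable
        set av-profile "default"
        set webfilter-profile "default"
        set application-list "default"
        set ips-sensor "protect_client"
        set logtraffic all
    next
    edit 2
        set name "temp allow"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
    next
    edit 3
        set name "LAN-DMZ-HTTP-Access_to_WebServer"
        set dstintf "dmz"
        set action accept
        set srcaddr "NET_HQ_LAN"
        set dstaddr "SVR_DMZ_WebServer01"
        set service "HTTP"
        set logtraffic disable
    next
end
"""

# [SOURCE]-[DESTINATION]-[SERVICE]-[DESCRIPTION] from section 2C.
NAME_CONVENTION = re.compile(r"^[A-Za-z0-9]+-[A-Za-z0-9]+-[A-Za-z0-9_]+-\w+$")
# The four profile settings section 1 requires on internet-bound policies.
PROFILE_KEYS = ("av-profile", "webfilter-profile", "application-list", "ips-sensor")


def parse_policy_dump(text: str) -> Dict[int, Dict[str, List[str]]]:
    """Return {policy_id: {setting: [values]}} for every 'edit <id>' block.

    Multi-value settings (set service "HTTPS" "HTTP") keep all values; shlex
    handles the double quoting FortiOS prints.
    """
    policies: Dict[int, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = int(line.split()[1])
            policies[current] = {}
        elif line == "next":
            current = None
        elif line.startswith("set ") and current is not None:
            parts = shlex.split(line)
            policies[current][parts[1]] = parts[2:]
    return policies


def audit_policy(p: Dict[str, List[str]]) -> List[str]:
    """Findings for one policy, worded after the recommendations above."""
    def first(key: str, default: str = "") -> str:
        return p[key][0] if p.get(key) else default

    findings: List[str] = []
    accept = first("action", "deny") == "accept"
    if accept and first("srcaddr") == "all" and first("dstaddr") == "all" \
            and first("service") == "ALL":
        findings.append("any-any ACCEPT rule: replace with specific source, destination and service")
    logtraffic = first("logtraffic", "utm")
    if accept and logtraffic != "all":
        findings.append(f"logtraffic is '{logtraffic}': set logtraffic all so allowed sessions are logged")
    # Assumption for this example: an interface named wan* faces the internet.
    if accept and first("dstintf").startswith("wan"):
        missing = [k for k in PROFILE_KEYS if k not in p]
        if first("utm-status", "disable") != "enable" or missing:
            findings.append("internet-bound policy without security profiles: "
                            + ", ".join(missing or ["utm-status disabled"]))
    if not NAME_CONVENTION.match(first("name")):
        findings.append(f"name '{first('name')}' does not follow [SOURCE]-[DESTINATION]-[SERVICE]-[DESCRIPTION]")
    return findings


def audit_dump(text: str) -> Dict[int, List[str]]:
    """Audit every policy in a dump; an empty list means no findings."""
    return {pid: audit_policy(p) for pid, p in parse_policy_dump(text).items()}


if __name__ == "__main__":
    for pid, findings in audit_dump(SAMPLE_DUMP).items():
        print(f"policy {pid}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Paste the real output of show firewall policy into a file and feed it to audit_dump in place of SAMPLE_DUMP; policy 1 in the sample passes every check, policy 2 is the textbook any-any rule with default logging and no profiles, and policy 3 is a correctly scoped internal rule whose only fault is that logging was switched off.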