Configure Fortinet FortiGate NGFW log forwarding using the CLI

You can configure Fortinet® FortiGate® Next-Generation Firewall (NGFW) to send the necessary logs to Arctic Wolf® for security monitoring using the command line interface (CLI).

These resources are required:

  • An activated Arctic Wolf Sensor or Virtual Log Collector (vLC)
  • An SSH client (for example, PuTTY)
  • A console cable

Launch your SSH client

  1. Connect one end of your console cable to the console port on the FortiGate appliance.
  2. Connect the other end of your console cable to a serial communications (COM) port on your computer.
  3. In your SSH client, configure these settings:
    • Serial line — Enter COM1.
    • Speed (baud) — Enter 9600.
    • Data bits — Enter 8.
    • Stop bits — Enter 1.
    • Parity — Select None.
    • Flow control — Select None.
  4. Sign in to the CLI with administrator permissions using your SSH client.
  5. Run this command:
    BASH 
    config log syslogd setting
  set status enable
  set server <sensor_ip>
  set mode udp
  set port 514
  set format default
end

    Where:

    • sensor_ip is the IP address of your Arctic Wolf physical or virtual sensor.
    Note: Make sure to set the format to default. The CEF format is unsupported and causes parsing issues during Fortinet log ingestion.

Provide configuration information to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Tickets & Alerts > All Tickets.
  3. Perform the appropriate action, depending on if you are:
    • A new customer — In the Ticket Type list, select Onboarding. Then, click the existing [Deploy] Site Config: <ticket_subject> ticket.
    • An existing customer — Click Open a New Ticket.
  4. On the Open a New Ticket page, configure these settings:
    • What is this ticket related to? — Select General request.
    • Subject — Enter Syslog changes.
    • Related ticket (optional) — Keep empty.
    • Message — Enter this information for your Concierge Security® Team (CST):
      • Confirmation that you completed the steps in this configuration guide.
      • The IP address or hostname of the Arctic Wolf Sensor that you used during the configuration.
      • The IP address, timezone, and device type for all sources that you are forwarding.
      • Questions or comments that you have.
  5. Click Send Message.

    Your CST reviews the details to make sure that Arctic Wolf is successfully processing the logs.