Fortinet FortiGate NGFW Logs

Updated Aug 31, 2023

Configure Fortinet FortiGate NGFW to send logs to Arctic Wolf

You can configure Fortinet® FortiGate Next-Generation Firewall (NGFW) to send the necessary logs to Arctic Wolf for monitoring security information using either of these methods: the GUI or the CLI.

Requirements

Configure FortiGate NGFW log forwarding using the GUI

  1. Sign in to your FortiGate NGFW.

  2. Select Log & Report > Log Settings.

  3. Click the Global Settings tab, and then do the following:

    • Event Logging — Click All.
    • Local traffic logging — Click All.
    • Syslog logging — Turn on the toggle to enable log forwarding.
    • IP address/FQDN — Enter the IP address of your Arctic Wolf physical or virtual sensor.

  4. Click Apply.

  5. Contact your Concierge Security® Team to inform them that you have configured syslog forwarding, and to validate that the logs are being ingested appropriately. Include the following information:

    • Confirmation that you have completed the steps in this configuration guide.
    • The IP address you used during the configuration.
    • Any other questions or comments that you have.

Configure FortiGate NGFW log forwarding using the CLI

  1. Connect one end of your console cable to the console port on the FortiGate appliance and the other end to a serial communications (COM) port on your computer.

  2. Launch your SSH client with the following settings:

    • Serial line — Enter COM1.
    • Speed (baud) — Enter 9600.
    • Data bits — Enter 8.
    • Stop bits — Enter 1.
    • Parity — Select None.
    • Flow control — Select None.

  3. Log in to the CLI as an administrator using your SSH client.

  4. Run the following command, where <sensor_ip> is the IP address of your Arctic Wolf physical or virtual sensor:

    config log syslogd setting
      set status enable
      set server <sensor_ip>
      set mode udp
      set port 514
      set format default
    end

  5. Contact your Concierge Security® Team to inform them that you have configured syslog forwarding, and to validate that the logs are being ingested appropriately. Include the following information:

    • Confirmation that you have completed the steps in this configuration guide.
    • The IP address you used during the configuration.
    • Any other questions or comments that you have.
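
The following Python parser is an added example, not part of the Arctic Wolf or Fortinet documentation. It checks that a captured UDP syslog payload has the `<PRI>` header and key=value layout that `set format default` produces, and reports which expected fields are absent. The REQUIRED field list and the SAMPLE payload are assumptions constructed for illustration.

```python
import re

# Assumption: fields expected in every FortiOS default-format log line.
REQUIRED = ("date", "time", "devid", "logid", "type", "subtype", "level")

PRI_RE = re.compile(r"^<(\d{1,3})>")
# key=value pairs; a value is either double-quoted or a run of non-space chars.
KV_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')

# Constructed sample payload (all values are placeholders, not real log data).
SAMPLE = (b'<189>date=2023-08-31 time=10:15:02 devname="FGT-EXAMPLE" '
          b'devid="FG000EXAMPLE0001" logid="0100000000" type="event" '
          b'subtype="system" level="notice" vd="root" '
          b'msg="login user=admin result=ok"')


def parse_fortigate_syslog(datagram: bytes) -> dict:
    """Parse one UDP syslog payload in FortiGate default (key=value) format."""
    text = datagram.decode("utf-8", errors="replace").strip()
    m = PRI_RE.match(text)
    if not m:
        raise ValueError("missing syslog <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # highest valid PRI: facility 23, severity 7
        raise ValueError("PRI out of range")
    fields = {}
    # Quoted values are consumed whole, so key=value text inside msg="..."
    # does not leak out as separate fields.
    for key, quoted, bare in KV_RE.findall(text[m.end():]):
        fields[key] = quoted or bare
    missing = [k for k in REQUIRED if k not in fields]
    return {"facility": pri >> 3, "severity": pri & 7,
            "fields": fields, "missing": missing}


if __name__ == "__main__":
    result = parse_fortigate_syslog(SAMPLE)
    print("facility", result["facility"], "severity", result["severity"])
    print("device", result["fields"]["devid"], "missing", result["missing"])
```

A non-empty `missing` list on real traffic usually points to a truncated datagram or a format other than `default` being set on the firewall.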
