Configure Fortinet FortiGate NGFW to send logs to Arctic Wolf

You can configure Fortinet® FortiGate Next-Generation Firewall (NGFW) to send the necessary logs to Arctic Wolf for monitoring security information using either of these methods:

• GUI — See Configure FortiGate® NGFW log forwarding using the GUI.
• CLI — See Configure FortiGate® NGFW log forwarding using the CLI.

Requirements

• Activated Arctic Wolf Sensor

Configure FortiGate NGFW log forwarding using the GUI

1. Sign in to your FortiGate NGFW.

2. Select Log & Report > Log Settings.

3. Click the Global Settings tab, and then do the following:

   • Event Logging — Click All.
   • Local traffic logging — Click All.
   • Syslog logging — Turn on the toggle to enable log forwarding.
   • IP address/FQDN — Enter the IP address of your Arctic Wolf physical or virtual sensor.

4. Click Apply.

5. Contact your Concierge Security® Team to inform them that you have configured syslog forwarding, and to validate that the logs are being ingested appropriately. Include the following information:

   • Confirmation that you have completed the steps in this configuration guide.
   • The IP address you used during the configuration.
   • Any other questions or comments that you have.

Configure FortiGate NGFW log forwarding using the CLI

1. Connect one end of your console cable to the console port on the FortiGate appliance and the other end to a serial communications (COM) port on your computer.

2. Launch your SSH client with the following settings:

   • Serial line — Enter COM1.
   • SSpeed (baud) — Enter 9600.
   • SData bits — Enter 8.
   • SStop bits — Enter 1.
   • SParity — Select None.
   • SFlow control — Select None.

3. Log in to the CLI as an administrator using your SSH client.

4. Run the following command, where <sensor_ip> is the IP address of your Arctic Wolf physical or virtual sensor:

   config log syslogd setting
     set status enable
     set server <sensor_ip>
     set mode udp
     set port 514
     set format default
   end

5. Contact your Concierge Security® Team to inform them that you have configured syslog forwarding, and to validate that the logs are being ingested appropriately. Include the following information:

   • Confirmation that you have completed the steps in this configuration guide.
   • The IP address you used during the configuration.
   • Any other questions or comments that you have.

See also

• Fortinet — Configuring syslog settings
• Fortinet — Administration Guide | Log settings and targets
• Fortinet — Administration Guide | Syslog Server
• Fortinet — CLI Reference | log {syslogd | syslogd2 | syslogd3 | syslogd4} setting
• Fortinet — CLI Reference | syslog