Fortinet FortiGate Security Gateway

The IBM QRadar SIEM DSM for Fortinet FortiGate Security Gateway collects events from Fortinet FortiGate Security Gateway and Fortinet FortiAnalyzer products.

The following table identifies the specifications for the Fortinet FortiGate Security Gateway DSM:

Table 1. Fortinet FortiGate Security Gateway DSM specifications

  Specification                  Value
  Manufacturer                   Fortinet
  DSM name                       Fortinet FortiGate Security Gateway
  RPM file name                  DSM-FortinetFortiGate-QRadar_version-build_number.noarch.rpm
  Supported versions             FortiOS 6.4 and earlier
  Protocol                       Syslog, Syslog Redirect
  Recorded event types           All events
  Auto discovered?               Yes
  Includes identity?             Yes
  Includes custom properties?    Yes
  More information               Fortinet website (http://www.fortinet.com)

To integrate Fortinet FortiGate Security Gateway DSM with QRadar, complete the following steps:
  1. If automatic updates are not enabled, download the most recent version of the Fortinet FortiGate Security Gateway RPM from the IBM® Support Website onto your QRadar Console.
  2. Download and install the Syslog Redirect protocol RPM to collect events through Fortinet FortiAnalyzer. When you use the Syslog Redirect protocol, QRadar can identify the specific Fortinet FortiGate Security Gateway firewall that sent the event.
  3. For each instance of Fortinet FortiGate Security Gateway, configure your Fortinet FortiGate Security Gateway system to send syslog events to QRadar.
  4. If QRadar does not automatically detect the log source for Fortinet FortiGate Security Gateway, you can manually add the log source. For the protocol configuration type, select Syslog, and then configure the parameters.
  5. If you want QRadar to receive events from Fortinet FortiAnalyzer, manually add the log source. For the protocol configuration type, select Syslog Redirect, and then configure the parameters.
    The following table lists the specific parameter values that are required for Fortinet FortiAnalyzer event collection:

      Parameter                      Value
      Log Source Identifier Regex    devname="?([\w-]+)
      Listen Port                    517
      Protocol                       UDP
    For more information about configuring Syslog Redirect protocol parameters, see Syslog Redirect protocol overview.
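The Log Source Identifier Regex in step 5 is what lets QRadar tell apart the individual FortiGate firewalls whose events arrive relayed through a single FortiAnalyzer. The following script is an added example, not code from IBM or Fortinet: it applies that exact pattern to a few constructed FortiOS-style syslog lines (the device names, device IDs and addresses are placeholders, not real values) and shows what identifier QRadar would derive for each event, including the cases a practitioner should check before relying on it: a quoted devname, an unquoted devname, an event with no devname field at all, and a devname containing a character outside `[\w-]`, which the pattern silently truncates.

```python
import re
from typing import Dict, List, Optional

# The Log Source Identifier Regex from the Syslog Redirect parameter table above.
# The optional quote ("?) lets it match devname="FGT-01" as well as devname=FGT-01.
LOG_SOURCE_ID_REGEX = re.compile(r'devname="?([\w-]+)')

# Constructed sample events in FortiOS key=value style, each with a syslog
# priority header as a relay such as FortiAnalyzer would forward them.
# All names, IDs and addresses are placeholders, not data from any real device.
SAMPLE_EVENTS: List[str] = [
    # 1. Quoted devname (the common FortiOS form).
    '<189>date=2024-01-15 time=10:23:45 devname="FGT-EDGE-01" devid="DEVID-PLACEHOLDER-1" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=10.0.1.25 dstip=198.51.100.20 action="accept"',
    # 2. Unquoted devname.
    '<185>date=2024-01-15 time=10:24:02 devname=FGT-BRANCH-02 devid="DEVID-PLACEHOLDER-2" '
    'logid="0100032002" type="event" subtype="system" level="alert" '
    'logdesc="Admin login failed" user="admin" status="failed"',
    # 3. No devname field at all: QRadar cannot attribute this to a specific firewall.
    '<189>date=2024-01-15 time=10:24:10 devid="DEVID-PLACEHOLDER-3" logid="0000000013" '
    'type="traffic" subtype="forward" level="notice" vd="root" action="deny"',
    # 4. devname containing a dot, which [\w-] does not match: the identifier is cut short.
    '<189>date=2024-01-15 time=10:24:30 devname="fgt.dmz" devid="DEVID-PLACEHOLDER-4" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" action="accept"',
]


def extract_log_source_identifier(event: str) -> Optional[str]:
    """Return the identifier QRadar would derive for one event, or None if absent."""
    match = LOG_SOURCE_ID_REGEX.search(event)
    return match.group(1) if match else None


def group_by_source(events: List[str]) -> Dict[str, List[str]]:
    """Bucket events by derived identifier, mirroring how QRadar assigns each relayed
    event to a per-firewall log source. Events with no devname land in one shared bucket."""
    buckets: Dict[str, List[str]] = {}
    for event in events:
        key = extract_log_source_identifier(event) or "<unidentified>"
        buckets.setdefault(key, []).append(event)
    return buckets


def count_by_source(events: List[str]) -> Dict[str, int]:
    """Event count per derived log source identifier."""
    return {key: len(items) for key, items in group_by_source(events).items()}


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{extract_log_source_identifier(event)!r:<20} <- {event[:60]}...")
    print(count_by_source(SAMPLE_EVENTS))
```

The third and fourth samples are the ones worth checking in your own environment: an event stream without devname collapses every firewall into one log source, and a devname with characters outside `[\w-]` (a dot, for instance) produces an identifier that differs from the name configured on the firewall, so the log source QRadar creates will not match what you expect to see. Choosing device host names that use only letters, digits, underscores and hyphens avoids the second problem without changing the regex.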