Version: 1.2.0

Microsoft Sentinel Content Hub: Fortigate

VirtualMetric Director provides comprehensive integration with Fortinet FortiGate firewalls and security appliances through specialized content packs for Microsoft Sentinel. These content packs enable seamless ingestion, normalization, and analysis of FortiGate security logs within your Sentinel environment.

Overview

FortiGate integration delivers advanced security monitoring capabilities by transforming Fortinet's proprietary log formats into Microsoft Sentinel-compatible schemas. The integration supports both syslog and FortiAnalyzer log formats, providing flexible deployment options for various network architectures.

Supported Fortinet Products

The integration supports the following Fortinet products:

  • FortiGate Firewalls - Next-generation firewall appliances
  • FortiWiFi - Wireless security appliances
  • FortiCarrier - Service provider security solutions
  • FortiGate VM - Virtual firewall instances
  • FortiGate Cloud - Cloud-based security services

Data Collection Methods

Syslog Integration

FortiGate devices can send logs directly to Director via syslog:

devices:
  - id: 1
    name: fortigate_syslog
    type: syslog
    tags:
      - "fortigate"
      - "fortinet"
    pipelines:
      - fortigate
    properties:
      protocol: udp
      port: 514
      address: "0.0.0.0"

The fortigate pipeline automatically processes Fortinet's key-value log format, extracting security events and normalizing data for Sentinel consumption.

TCP Reliable Logging

For mission-critical environments requiring guaranteed log delivery:

devices:
  - id: 2
    name: fortigate_reliable
    type: tcp
    tags:
      - "fortigate"
      - "reliable"
    pipelines:
      - fortigate
    properties:
      protocol: tcp
      port: 1514
      max_connections: 1000
      timeout: 300

High-Performance Deployment

For high-throughput FortiGate deployments:

devices:
  - id: 3
    name: fortigate_enterprise
    type: syslog
    tags:
      - "fortigate"
      - "enterprise"
    pipelines:
      - fortigate
    properties:
      protocol: udp
      port: 514
      reuse: true
      workers: 6
      buffer_size: 65536
      batch_size: 10000
      flush_interval: 3

Content Pack Features

Security Event Categories

The FortiGate content pack processes multiple log types:

  • Traffic Logs - Network sessions, bandwidth utilization, and connection tracking
  • Threat Logs - IPS events, malware detection, and vulnerability exploits
  • Web Filter Logs - URL filtering, category blocking, and web security events
  • Application Control - Application usage, policy enforcement, and control actions
  • Authentication Logs - VPN sessions, user authentication, and access control
  • System Events - Configuration changes, system health, and administrative activities

FortiGate Log Format Processing

FortiGate uses a structured key-value format that the pipeline intelligently parses:

date=2024-01-15 time=10:30:45 devname="FGT-HQ-01" devid="FG100E3Q17002999" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1705315845123456789 srcip=192.168.1.100 srcport=1234 srcintf="internal" dstip=8.8.8.8 dstport=53 dstintf="wan1" policyid=1 policytype="policy" service="DNS" proto=17 action="accept" policyname="Allow_DNS" duration=0 sentbyte=64 rcvdbyte=128

ASIM Normalization

All FortiGate data is normalized to Advanced Security Information Model (ASIM) standards:

# Example ASIM-compliant output
{
  "TimeGenerated": "2024-01-15T10:30:45Z",
  "EventType": "NetworkSession",
  "SrcIpAddr": "192.168.1.100",
  "DstIpAddr": "8.8.8.8",
  "SrcPortNumber": 1234,
  "DstPortNumber": 53,
  "NetworkProtocol": "UDP",
  "NetworkDirection": "Outbound",
  "DeviceVendor": "Fortinet",
  "DeviceProduct": "FortiGate",
  "EventSeverity": "Informational",
  "NetworkBytes": 192,
  "NetworkPackets": 2,
  "NetworkSessionId": "12345",
  "EventResult": "Success"
}
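The parse-then-normalize step described above, as an added example rather than Director's own pipeline code: a small Python parser for the FortiGate key-value format that maps the traffic record shown earlier onto the ASIM NetworkSession fields. The UTC timestamp handling, the wan*-interface direction heuristic and the deny-action mapping are assumptions made for the example, not documented pipeline behaviour.

```python
import re

# A value is either double-quoted (may contain spaces) or a bare token.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_PROTO = {"1": "ICMP", "6": "TCP", "17": "UDP"}
_SEVERITY = {"emergency": "High", "alert": "High", "critical": "High",
             "error": "Medium", "warning": "Medium"}  # others: Informational

def parse_fortigate_kv(line: str) -> dict:
    """Parse one FortiGate key=value log line into a dict of raw strings."""
    fields = {}
    for m in _KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = bare if quoted is None else quoted
    return fields

def to_asim_network_session(f: dict) -> dict:
    """Map a parsed type=traffic record onto the ASIM NetworkSession fields."""
    # Assumption: the device logs in UTC, so date/time become a Z timestamp.
    # Assumption: a dstintf named wan* means the session left the network.
    direction = "Outbound" if f.get("dstintf", "").startswith("wan") else "Inbound"
    event = {
        "TimeGenerated": f"{f['date']}T{f['time']}Z",
        "EventType": "NetworkSession",
        "SrcIpAddr": f.get("srcip"),
        "DstIpAddr": f.get("dstip"),
        "SrcPortNumber": int(f.get("srcport", 0)),
        "DstPortNumber": int(f.get("dstport", 0)),
        "NetworkProtocol": _PROTO.get(f.get("proto"), "Unknown"),
        "NetworkDirection": direction,
        "DeviceVendor": "Fortinet",
        "DeviceProduct": "FortiGate",
        "EventSeverity": _SEVERITY.get(f.get("level"), "Informational"),
        "NetworkBytes": int(f.get("sentbyte", 0)) + int(f.get("rcvdbyte", 0)),
        # Assumption: deny-style actions are a failed session; accept/close are allowed ones.
        "EventResult": "Failure" if f.get("action") in ("deny", "blocked") else "Success",
    }
    if "sessionid" in f:  # real traffic logs carry it; the sample line above does not
        event["NetworkSessionId"] = f["sessionid"]
    return event

# Constructed sample: the traffic record shown on this page.
SAMPLE = ('date=2024-01-15 time=10:30:45 devname="FGT-HQ-01" devid="FG100E3Q17002999" '
          'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
          'eventtime=1705315845123456789 srcip=192.168.1.100 srcport=1234 srcintf="internal" '
          'dstip=8.8.8.8 dstport=53 dstintf="wan1" policyid=1 policytype="policy" service="DNS" '
          'proto=17 action="accept" policyname="Allow_DNS" duration=0 sentbyte=64 rcvdbyte=128')

if __name__ == "__main__":
    print(to_asim_network_session(parse_fortigate_kv(SAMPLE)))
```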

Advanced Field Mapping

The integration includes comprehensive field mapping for FortiGate-specific attributes:

  • Policy Information - Policy ID, name, and enforcement actions
  • Interface Details - Source and destination interface mapping
  • Service Classification - Application and service identification
  • Threat Intelligence - IPS signatures and malware classifications
  • Performance Metrics - Bandwidth, latency, and session duration
  • Geographic Data - IP geolocation and country mapping

Microsoft Sentinel Integration

Analytics Rules

Pre-configured analytics rules for FortiGate security scenarios:

  • High-Volume Blocked Connections - Detects potential DDoS or scanning activities
  • Suspicious Outbound Traffic - Identifies data exfiltration patterns
  • VPN Brute Force Attacks - Monitors failed authentication attempts
  • Malware Detection Events - Aggregates threat prevention alerts
  • Policy Violation Trends - Tracks firewall rule effectiveness
  • Anomalous Application Usage - Detects unusual application patterns

Workbooks

Interactive dashboards for FortiGate security monitoring:

  • Network Traffic Overview - Real-time traffic analysis and trends
  • Threat Landscape Dashboard - IPS and malware detection metrics
  • VPN Access Monitoring - Remote access patterns and security
  • Application Control Report - Application usage and policy compliance
  • Geographic Threat Analysis - Location-based security insights
  • Performance Metrics - Firewall performance and capacity planning

Hunting Queries

Advanced KQL queries for proactive threat hunting:

// Example: Detect FortiGate IPS events with high severity
CommonSecurityLog
| where DeviceVendor == "Fortinet"
| where DeviceProduct == "FortiGate"
| where toint(LogSeverity) >= 6
| where DeviceEventClassID contains "IPS"
| where TimeGenerated > ago(24h)
| extend ThreatName = extract(@"attack=""([^""]+)""", 1, AdditionalExtensions)
| summarize EventCount=count(), UniqueSourceIPs=dcount(SourceIP) by ThreatName, DeviceAddress
| where EventCount > 5
| order by EventCount desc

Configuration Examples

Basic FortiGate Integration

devices:
  - id: 1
    name: fortigate_firewall
    type: syslog
    pipelines:
      - fortigate
    properties:
      port: 514

targets:
  - name: sentinel
    type: sentinel
    properties:
      tenant_id: "${AZURE_TENANT_ID}"
      client_id: "${AZURE_CLIENT_ID}"
      client_secret: "${AZURE_CLIENT_SECRET}"
      endpoint: "https://your-dce.monitor.azure.com"
      streams:
        - name: "Custom-CommonSecurityLog"
          rule_id: "dcr-fortigate-logs"

Multi-Device Environment

For organizations with multiple FortiGate devices:

devices:
  - id: 1
    name: fortigate_datacenter
    type: syslog
    tags: ["datacenter", "fortigate"]
    pipelines:
      - fortigate
    properties:
      port: 514
      address: "10.1.0.100"

  - id: 2
    name: fortigate_branch
    type: syslog
    tags: ["branch", "fortigate"]
    pipelines:
      - fortigate
    properties:
      port: 515
      address: "10.2.0.100"

  - id: 3
    name: fortigate_dmz
    type: tcp
    tags: ["dmz", "fortigate"]
    pipelines:
      - fortigate
    properties:
      port: 1514
      address: "172.16.0.100"

Log Type Filtering

Configure specific log type collection:

devices:
  - id: 1
    name: fortigate_security_only
    type: syslog
    pipelines:
      - fortigate
      - filter_security_logs
    properties:
      port: 514

pipelines:
  - name: filter_security_logs
    processors:
      - remove:
          field: ["admin", "system"]
          ignore_missing: true
      - script:
          lang: golang
          source: |
            package main

            // logEntry is the current event as handed to the script processor;
            // setting it to nil drops the event from the pipeline.
            func main() {
              if logType, ok := logEntry["type"].(string); ok {
                if logType != "traffic" && logType != "utm" && logType != "anomaly" {
                  // Skip non-security logs
                  logEntry = nil
                }
              }
            }

FortiGate Configuration

Syslog Configuration

Configure FortiGate to send logs to Director:

# CLI Configuration
config log syslogd setting
    set status enable
    set server "192.168.1.100"
    set port 514
    set mode udp
    set facility local7
end

config log syslogd filter
    set severity information
    set forward-traffic enable
    set multicast-traffic enable
    set sniffer-traffic disable
    set anomaly enable
    set voip disable
end

Log Format Optimization

Configure structured logging for better parsing:

# Enable structured logging
config log setting
    set resolve-ip enable
    set resolve-port enable
    set log-user-in-upper disable
    set fwpolicy-implicit-log disable
    set fwpolicy6-implicit-log disable
    set log-invalid-packet disable
end

Troubleshooting

Common Issues

  • Log Format Recognition:
    • Verify that the FortiGate syslog format matches the expected key-value structure
    • Check for firmware version compatibility and log format changes
    • Ensure UTC timestamp configuration for accurate correlation
  • Performance Issues:
    • Monitor CPU and memory usage during high traffic periods
    • Adjust buffer sizes and worker processes for throughput optimization
    • Consider log filtering at the FortiGate level to reduce volume
  • Field Extraction Problems:
    • Review pipeline configuration for custom FortiGate fields
    • Test with sample logs to validate field mapping accuracy
    • Check for firmware-specific field name variations

Diagnostic Commands

  • Verify Log Reception:

    # Check if logs are being received
    tail -f /var/log/director/fortigate.log | grep "type=traffic"

  • Test Pipeline Processing:

    # Enable verbose logging for troubleshooting
    debug:
      enabled: true
      level: "debug"
      pipelines: ["fortigate"]
      include_processing_time: true

  • Validate Sentinel Integration:

    // Query Sentinel to verify FortiGate data ingestion
    CommonSecurityLog
    | where DeviceVendor == "Fortinet"
    | where DeviceProduct == "FortiGate"
    | where TimeGenerated > ago(5m)
    | project TimeGenerated, SourceIP, DestinationIP, DeviceAction, Message
    | limit 10

Performance Optimization

High-Volume Best Practices

  • Network Configuration:
    • Use dedicated network interfaces for log collection
    • Implement load balancing across multiple Director instances
    • Configure appropriate MTU sizes for log packet optimization

  • FortiGate Tuning:

    # Optimize logging performance
    config system global
        set log-ssl-connection disable
        set log-uuid-policy disable
    end

    # Configure log buffering
    config log memory setting
        set diskfull overwrite
    end

  • Director Optimization:

    # High-performance configuration
    devices:
      - id: 1
        name: fortigate_optimized
        type: udp
        pipelines:
          - fortigate
        properties:
          port: 514
          workers: 8
          buffer_size: 131072
          batch_size: 15000
          queue:
            interval: 1

Security Considerations

Access Control

  • Restrict Director access to authorized network segments
  • Implement firewall rules for log source validation
  • Use dedicated service accounts for Sentinel integration

Data Protection

  • Enable TLS encryption for sensitive log transmission
  • Implement log anonymization for privacy compliance
  • Configure appropriate data retention policies

Monitoring and Alerting

  • Monitor log ingestion rates and processing latencies
  • Set up alerts for log collection failures or anomalies
  • Implement health checks for Director service availability

Support Resources

For additional assistance with FortiGate integration:

  • VirtualMetric Support - Technical support for Director and pipeline configuration
  • Fortinet Documentation - Vendor-specific logging configuration guides
  • Microsoft Sentinel Community - Best practices and troubleshooting resources
  • ASIM Schema Reference - Field mapping and normalization guidelines
  • FortiGate CLI Reference - Command-line configuration examples