Overview

Fortinet Firewall is a network appliance by Fortinet which enhances various network security capabilities.

Integrating your Fortinet/Fortigate logs into Hunters will allow ingestion of the logs, as well as detection and advanced investigation and correlation over these logs.

Supported Data Types

  • Fortinet Firewall - Network information logs by Fortinet (see more details here). For details on specific events logged see here.

Hunters Integration

In order to integrate your Fortinet logs into Hunters, the logs need to be collected from your network to a Storage Service (e.g. to an S3 bucket or Azure Blob Storage) shared with Hunters. See here for more details for Fortinet’s side.

The expected format of the logs is the key value format as exported by Fortinet. For example:

Fortinet Firewall Log Sample

date=2017-11-15 time=11:44:16 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1510775056 srcip=10.1.100.155 srcname="pc1" srcport=40772 srcintf="port12" srcintfrole="undefined" dstip=35.197.51.42 dstname="fortiguard.com " dstport=443 dstintf="port11" dstintfrole="undefined" poluuid="707a0d88-c972-51e7-bbc7-4d421660557b" sessionid=8058 proto=6 action="close" policyid=1 policytype="policy" policymode="learn" service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=40772 appid=40568 app="HTTPS.BROWSER" appcat="Web.Client" apprisk="medium" duration=2 sentbyte=1850 rcvdbyte=39898 sentpkt=25 rcvdpkt=37 utmaction="allow" countapp=1 devtype="Linux PC" osname="Linux" mastersrcmac="a2:e9:00:ec:40:01" srcmac="a2:e9:00:ec:40:01" srcserver=0 utmref=0-220586