Configure the FortiGate Firewall’s log push to Splunk!

Safiullah Khan
3 min read · Jun 4, 2024


In this article we will configure a Fortinet FortiGate firewall to forward its logs to Splunk over syslog. Centralizing the firewall's logs in Splunk lets you correlate and analyse them alongside data from other devices, streamlines compliance reporting, and allows security monitoring to be automated, giving a more complete picture of network activity and faster threat detection.

Step 1: In the FortiGate GUI, go to Log & Report > Log Settings.

Step 2: Enable the Send logs to syslog feature.

Scroll down to the Remote Logging and Archiving section, enter the IP address of the Splunk load balancer (LB) that receives the logs, and select Apply to save the configuration. The GUI sends syslog to the default destination port, UDP 514.

If Splunk receives syslog on a different port, that cannot be set from the GUI: open the FortiGate CLI and configure the syslog destination there with the following commands. Replace the placeholders in angle brackets with your own values. The source-ip setting pins the logs to a specific FortiGate interface address, which matters when the collector only accepts traffic from the firewall's known address. The default transport is UDP; if the Splunk input is a TCP syslog listener, add set mode reliable to the same block.

config log syslogd setting
# enable the first syslog destination
set status enable
# IP address of the Splunk syslog receiver
set server "<IP Splunk>"
# port the Splunk input listens on (default 514)
set port <number port>
# FortiGate interface address the logs are sent from
set source-ip "<IP Interface FortiGate>"
end

Step 3: Enable logging on the firewall policy.

i. Go to Policy & Objects > IPv4 Policy (called Firewall Policy in newer FortiOS releases).

ii. Select the policy whose traffic you want logged and select Edit.

Step 4: For an ACCEPT policy, enable the Log Allowed Traffic feature and choose All Sessions. The other option, Security Events, records only sessions in which a security profile (antivirus, IPS, web filter and so on) fired, so ordinary permitted traffic would never reach Splunk. All Sessions gives full visibility, but on a busy policy it generates far more log volume, so size the Splunk licence and the syslog link accordingly.

For DENY policies, enable the Log Violation Traffic feature. Select OK to save the configuration.

Step 5: In Splunk, run a search for events from the FortiGate (for example by its IP address or devname) to confirm that the logs are arriving.

You should now see traffic logs for each FortiGate policy on which log forwarding was enabled.
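To make this check more than eyeballing the search results, here is an added example (my own code, not from the article) that works through the format the events arrive in: it parses lines in the FortiOS key=value syslog layout, summarises actions per policyid so you can confirm that every policy you enabled logging on in Step 4 is producing both accept/close and deny events, lists the most-denied sources as a first triage pivot, and can build and send a synthetic event to the collector port from Step 2 to prove the network path. The sample lines are constructed (device name, IPs and log IDs are invented), and the function names are my own.

```python
"""Check that FortiGate traffic logs reach the collector and that every policy
with logging enabled is producing events.

Added example, not code from the original article. Field names follow the
FortiOS key=value syslog format; device names, IPs and IDs are invented.
"""
import re
import socket
from collections import Counter, defaultdict

# RFC 3164 <PRI> prefix; FortiOS defaults to facility local7 (23), so a
# notice-level (5) traffic log arrives as <189>.
_PRI_RE = re.compile(r"^<(\d{1,3})>")
# FortiOS fields are key=value; values are double-quoted strings or bare tokens.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

_HDR = ('devname="FGT-EDGE" devid="FG100F0000000000" logid="0000000013" '
        'type="traffic" subtype="forward" level="notice" vd="root"')

SAMPLE_LOGS = [  # constructed sample events, not real firewall output
    # ACCEPT policy 10 with Log Allowed Traffic = All Sessions: open and close
    f'<189>date=2024-06-04 time=10:15:01 {_HDR} srcip=10.10.1.25 srcport=51234 '
    'srcintf="port2" dstip=93.184.216.34 dstport=443 dstintf="port1" proto=6 '
    'action="accept" policyid=10 service="HTTPS"',
    f'<189>date=2024-06-04 time=10:15:09 {_HDR} srcip=10.10.1.25 srcport=51234 '
    'srcintf="port2" dstip=93.184.216.34 dstport=443 dstintf="port1" proto=6 '
    'action="close" policyid=10 service="HTTPS" duration=8 sentbyte=1024 rcvdbyte=4096',
    # DENY policy 20 with Log Violation Traffic: two blocked attempts
    f'<189>date=2024-06-04 time=10:16:30 {_HDR} srcip=192.0.2.77 srcport=40001 '
    'srcintf="port1" dstip=10.10.1.10 dstport=22 dstintf="port2" proto=6 '
    'action="deny" policyid=20 service="SSH"',
    f'<189>date=2024-06-04 time=10:16:31 {_HDR} srcip=192.0.2.77 srcport=40002 '
    'srcintf="port1" dstip=10.10.1.10 dstport=3389 dstintf="port2" proto=6 '
    'action="deny" policyid=20 service="RDP"',
    # A system event with a quoted value containing spaces: it must parse
    # cleanly but stay out of the per-policy traffic summary.
    '<190>date=2024-06-04 time=10:17:00 devname="FGT-EDGE" type="event" '
    'subtype="system" level="information" vd="root" user="admin" '
    'msg="Administrator admin logged in successfully from https(10.10.1.5)"',
]


def parse_fortigate_syslog(line):
    """Parse one FortiGate syslog line into a dict of string fields; a leading
    <PRI> becomes integer 'facility' and 'severity'."""
    fields = {}
    m = _PRI_RE.match(line)
    if m:
        fields["facility"], fields["severity"] = divmod(int(m.group(1)), 8)
        line = line[m.end():]
    for key, quoted, bare in _KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def summarize_by_policy(records):
    """{policyid: Counter(action -> count)} over forward-traffic records only."""
    summary = defaultdict(Counter)
    for r in records:
        if r.get("type") == "traffic" and r.get("subtype") == "forward":
            summary[r.get("policyid", "?")][r.get("action", "?")] += 1
    return summary


def find_silent_policies(records, expected_policy_ids):
    """Policies that were set to log but produced nothing: usually logging was
    left off, or Security Events was chosen where All Sessions was intended."""
    seen = set(summarize_by_policy(records))
    return sorted(pid for pid in expected_policy_ids if pid not in seen)


def top_denied_sources(records, n=5):
    """Most frequently denied source IPs, the first pivot when triaging blocks."""
    counts = Counter(r["srcip"] for r in records
                     if r.get("type") == "traffic" and r.get("action") == "deny"
                     and "srcip" in r)
    return counts.most_common(n)


def build_syslog_message(fields, facility=23, severity=5):
    """Render a FortiOS-style line (<PRI> plus key=value pairs) from a dict, for a
    synthetic test event. Strings are quoted, numbers left bare."""
    body = " ".join(f'{k}="{v}"' if isinstance(v, str) else f"{k}={v}"
                    for k, v in fields.items())
    return f"<{facility * 8 + severity}>{body}"


def send_test_event(message, host, port=514):
    """Send one UDP datagram to the collector (same host/port as the syslogd
    setting on the FortiGate) to prove the path before relying on real traffic."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message.encode(), (host, port))


def load_sample():
    return [parse_fortigate_syslog(line) for line in SAMPLE_LOGS]
```

Run it over the raw events exported from your Splunk search, or over a tcpdump of the collector port. A policy ID returned by find_silent_policies is the cue to recheck that policy's Log Allowed Traffic or Log Violation Traffic setting. send_test_event needs a real collector address and is not exercised by the sample data.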

Conclusion:

Splunk is a centralized log management tool that can collect logs from many different devices, which helps with timely threat detection and response and with maintaining good IT infrastructure hygiene.


Safiullah Khan

IT & Network Support || Vulnerability Assessment || Google CPC || Blue Team Junior Analyst || SIEM || IDS/IPS || Wazuh || Cortex XDR || Splunk