Firewall integration with wazuh


Zarak Ali

Jul 16, 2023, 4:59:18 PM
to Wazuh mailing list
Can anyone there help me integrate a Fortinet firewall with Wazuh? Please help me.

Jorge Alberto Marino

Jul 16, 2023, 7:23:48 PM
to Wazuh mailing list
Hello, Zarak Ali,

I'll be taking a look at this and will answer as soon as possible with further instructions to integrate it.

Regards,
Jorge Marino.

Jorge Alberto Marino

Jul 16, 2023, 8:57:29 PM
to Wazuh mailing list

Hello Zarak Ali,

First of all we would need to know what versions of the components you are trying to integrate.

  • Fortinet / Firewall Version

  • Wazuh Version and OS.

Nevertheless, there is a general procedure or background you can follow to achieve this. If this does not work after your attempt, please share the info mentioned above and any other problem you encounter.

In order to integrate Fortinet's Firewall (FortiGate) to Wazuh you need to cover two aspects of the requirement.

  1. Connection: make FortiGate forward logs to Wazuh.

  2. Analysis.

Aspect I: Connection

Wazuh can receive logs from external tools through syslog.

The general idea is described here in the Wazuh documentation: remote-syslog

You can receive syslog events in two ways:

  • directly as syslog events forwarded by the source to an IP and port (preferred and simplest way).

  • storing the logs in a plain file and monitoring that file (maybe through a custom syslog server that writes plaintext files; this would require extra work).

If you want to receive syslog events directly, you need to configure Wazuh to receive syslog logs on a given port from an allowed IP (the IP here is the one FortiGate is sending logs from).

Syslog Events Example: (ossec.conf)

<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>513</port>
    <protocol>tcp</protocol>
    <allowed-ips>192.168.2.0/24</allowed-ips>
  </remote>
</ossec_config>

On the other hand, if you manage to get FortiGate to relay syslog events to a syslog server that writes events to a plaintext file accessible by the Wazuh host, you need to set up file monitoring of that file. syslog-file

Syslog File Monitoring Example: (how to monitor a file containing syslog events)

<localfile>
  <log_format>syslog</log_format>
  <location>/custom/file/path</location>
</localfile>

Configure FortiGate

On the FortiGate's end, you need to enable it to forward syslog events in the Log Settings. (There is an online resource, external to Wazuh and not official, that describes this process for a FortiGate 60E running version 7.0.2; please keep in mind any differences from your environment, as this is just a guide that might help you.)

https://network-knowledge.work/fortigate-syslog/

There you can setup the IP Address of the Wazuh Host that will receive and analyze these logs. (Remember that these instructions might differ from your current environment).

Remember that here you can setup your own syslog server as a relay that can store the events into a plaintext file that is accessible by the Wazuh Manager.

Note: If you already have FortiAnalyzer set up, you can configure it to forward syslog events. Instructions

Aspect II: Analysis of FortiGate Logs

Wazuh comes ready with decoders and rules for processing FortiGate logs, so that is all you should need to do to start processing your logs (regardless of where these logs come from).

In order to process the Fortinet event logs properly the Wazuh manager contains a Ruleset of decoders and rules and it includes Fortinet decoders and rules. Please check: https://github.com/wazuh/wazuh/blob/v4.4.5/ruleset/decoders/0100-fortigate_decoders.xml

https://github.com/wazuh/wazuh/blob/v4.4.5/ruleset/rules/0391-fortigate_rules.xml

If any log is not properly recognized or any alert is not triggered, you could also create custom rules and decoders: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

I hope this info successfully leads you to integrate FortiGate to Wazuh and get the big picture of a common remote syslog integration to Wazuh.

The goals of this integration are:

  1. Setup FortiGate to forward syslog events to Wazuh.

  2. Setup Wazuh to receive and monitor these remote events, through direct syslog events or a plaintext file accessible by the Manager.

Let's please keep in touch with any update on this or any other thing you might encounter during the process.

Kindest regards,

Jorge.
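As an added illustration of the allowed-ips point in the message above (this is example code written for this thread, not code from the thread or from Wazuh itself): a small Python check that parses the <remote> blocks of an ossec.conf and reports which of a list of firewall source addresses would actually be accepted, and on which syslog listener. The configuration text is a constructed sample modelled on the snippet above, the firewall addresses are assumed values, and the 514/udp fallbacks are Wazuh's documented defaults for a syslog <remote> block that omits <port> or <protocol>. A source that lands in no allowed-ips range is one plain reason its events never show up while another firewall's do.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <remote> block in the message above; a real
# check would read /var/ossec/etc/ossec.conf on the manager instead.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>513</port>
    <protocol>tcp</protocol>
    <allowed-ips>192.168.2.0/24</allowed-ips>
  </remote>
</ossec_config>
<ossec_config>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
  </remote>
</ossec_config>
"""


def parse_syslog_remotes(conf_xml):
    """Return one dict per <remote> block whose <connection> is syslog.

    ossec.conf may contain several top-level <ossec_config> elements, so the
    text is wrapped in a synthetic root element before parsing.
    """
    root = ET.fromstring("<root>" + conf_xml + "</root>")
    remotes = []
    for remote in root.iter("remote"):
        if (remote.findtext("connection") or "").strip() != "syslog":
            continue
        # 514/udp are Wazuh's defaults when <port> / <protocol> are omitted.
        port = int((remote.findtext("port") or "514").strip())
        proto = (remote.findtext("protocol") or "udp").strip().lower()
        allowed, unparsed = [], []
        for elem in remote.findall("allowed-ips"):  # the tag may repeat
            value = (elem.text or "").strip()
            try:
                allowed.append(ipaddress.ip_network(value, strict=False))
            except ValueError:
                # Forms such as the legacy "192.168.2." prefix are reported
                # back to the operator rather than guessed at.
                unparsed.append(value)
        remotes.append({"port": port, "protocol": proto,
                        "allowed": allowed, "unparsed": unparsed})
    return remotes


def check_firewall_sources(conf_xml, firewall_ips):
    """Map each firewall source IP to the (port, protocol) listeners that admit it.

    An empty list means no syslog <remote> block has an allowed-ips entry
    covering that source, so its events are dropped before any decoding.
    """
    remotes = parse_syslog_remotes(conf_xml)
    report = {}
    for ip in firewall_ips:
        addr = ipaddress.ip_address(ip)
        report[ip] = [(r["port"], r["protocol"]) for r in remotes
                      if any(addr in net for net in r["allowed"])]
    return report


if __name__ == "__main__":
    # Assumed firewall addresses, for illustration only.
    firewalls = ["192.168.2.10", "192.168.2.11", "10.10.0.1"]
    for ip, listeners in check_firewall_sources(SAMPLE_OSSEC_CONF, firewalls).items():
        state = "accepted on %s" % listeners if listeners else "NOT in any allowed-ips"
        print("%-15s %s" % (ip, state))
    for r in parse_syslog_remotes(SAMPLE_OSSEC_CONF):
        if r["unparsed"]:
            print("port %d: could not parse allowed-ips %s" % (r["port"], r["unparsed"]))
```

To run it against a real manager, replace SAMPLE_OSSEC_CONF with the contents of /var/ossec/etc/ossec.conf and list every firewall's actual source address (after NAT, if any sits between the firewall and the manager).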

Zarak Ali

Jul 26, 2023, 12:58:06 PM
to Wazuh mailing list
Sir, I already did all this, but I am not getting my firewall events other than from one. I have multiple firewalls to integrate, but I can't get their events. If you can help me remotely, if there is any possibility, that would be good too.

Zarak Ali

Jul 26, 2023, 2:00:09 PM
to Wazuh mailing list
The Wazuh agent and manager are all the latest, 4.4.1 I think, and the firewall is in the custody of the administrator, but I think all are up-to-date tools. When I added one firewall it worked successfully, but the remaining ones did not work, and I could not find the root cause; that is why I need help.

Jorge Alberto Marino

Jul 31, 2023, 1:11:54 PM
to Wazuh mailing list
Hello,

To check if remote events are reaching the manager, you can enable the LOG ALL feature. This records them even if they do not trigger any rule.

To do this, you must configure the manager ossec.conf and add this:

<ossec_config>
  <global>
    <alerts_log>yes</alerts_log>
    <logall>yes</logall>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>

After restarting the manager, you can check these files to verify incoming events from the remote hosts forwarding syslog events.
/var/ossec/logs/archives/archives.log
/var/ossec/logs/archives/archives.json

If you don't see any event there coming from the desired host, it is a misconfiguration issue, either in the firewall's export settings or in the manager's collecting configuration.

Could you please verify that?

Also please share the ossec.conf section regarding the localfile or remote syslogs entries.

Thank you.
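As an added example that is not part of the thread and not Wazuh's own tooling, the following Python script does the archives check described above offline: it reads archives.json lines, counts events per sending host, and reports which of an expected list of firewall addresses never appear at all. The records in SAMPLE_ARCHIVE_LINES are constructed samples, not real firewall output. The field layout the script relies on (a `location` field holding the remote syslog sender's address and `full_log` holding the raw line) is an assumption about archives.json and should be compared with one real line from the manager before the result is trusted; the `devname=` / `logid=` key-value pairs used to recognise FortiGate-style lines are from FortiGate's syslog format.

```python
import json
from collections import Counter

# Constructed archives.json-style records (not real firewall output). The
# field names are assumed; compare them with an actual line from
# /var/ossec/logs/archives/archives.json before relying on this.
SAMPLE_ARCHIVE_LINES = [
    r'{"timestamp":"2023-07-31T13:11:54.000+0000","agent":{"id":"000","name":"wazuh-manager"},'
    r'"location":"192.168.2.10","full_log":"date=2023-07-31 time=13:11:54 devname=\"fw-a\" '
    r'devid=\"FGT-CONSTRUCTED\" logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" action=\"accept\""}',
    r'{"timestamp":"2023-07-31T13:11:55.000+0000","agent":{"id":"000","name":"wazuh-manager"},'
    r'"location":"192.168.2.10","full_log":"date=2023-07-31 time=13:11:55 devname=\"fw-a\" '
    r'logid=\"0000000020\" type=\"traffic\" subtype=\"forward\" action=\"deny\""}',
    r'{"timestamp":"2023-07-31T13:12:00.000+0000","agent":{"id":"000","name":"wazuh-manager"},'
    r'"location":"/var/log/syslog","full_log":"Jul 31 13:12:00 wazuh-manager sshd[1234]: Accepted publickey for admin"}',
    '{"timestamp":"2023-07-31T13:12:01.000+0000","agent":{"id":"000"',  # truncated line
]


def summarize_archives(lines, expected_sources):
    """Count events per sending host in archives.json lines.

    Returns a dict with:
      per_source - Counter of events keyed by the 'location' field
      fortigate  - Counter, per source, of lines that carry FortiGate-style
                   devname= and logid= key-value pairs
      missing    - expected firewall addresses that sent no events at all
      malformed  - number of lines that were not valid JSON objects
    """
    per_source, fortigate, malformed = Counter(), Counter(), 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            malformed += 1
            continue
        if not isinstance(rec, dict):
            malformed += 1
            continue
        src = str(rec.get("location", "unknown"))
        per_source[src] += 1
        log = rec.get("full_log", "")
        if "devname=" in log and "logid=" in log:
            fortigate[src] += 1
    missing = [ip for ip in expected_sources if per_source[ip] == 0]
    return {"per_source": per_source, "fortigate": fortigate,
            "missing": missing, "malformed": malformed}


def format_report(summary):
    """Render the summary as plain text, one line per source."""
    out = []
    for src, count in summary["per_source"].most_common():
        out.append("%-20s %5d events, %5d FortiGate-style"
                   % (src, count, summary["fortigate"][src]))
    for ip in summary["missing"]:
        out.append("%-20s NO EVENTS SEEN" % ip)
    if summary["malformed"]:
        out.append("skipped %d malformed line(s)" % summary["malformed"])
    return "\n".join(out)


if __name__ == "__main__":
    import sys
    # Assumed firewall addresses, for illustration only.
    expected = ["192.168.2.10", "192.168.2.11"]
    if len(sys.argv) > 1:  # e.g. /var/ossec/logs/archives/archives.json
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_ARCHIVE_LINES
    print(format_report(summarize_archives(lines, expected)))
```

Run it without arguments to see the constructed sample, or pass the path to archives.json on the manager; a firewall listed under "NO EVENTS SEEN" is not reaching the manager at all, which points at the firewall's export settings or the manager's <remote> block rather than at decoders or rules.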

Zarak Ali

Sep 10, 2023, 2:24:44 PM
to Wazuh | Mailing List
Are you there?

Zarak Ali

Sep 11, 2023, 1:37:25 AM
to Wazuh | Mailing List
Hi team, can you please tell me how to enable the LOG ALL feature to check if there were actual events arriving, and then how to check that the firewall logs are reaching the Wazuh server, as I am new to Wazuh? Please guide me.