Assistance with Integrating an External FortiGate with Wazuh


Syrine ZOUARI

Mar 18, 2025, 10:07:08 AM
to wa...@googlegroups.com

I am looking to integrate an external client's Firewall, which is a FortiGate, with Wazuh. My current Wazuh version is 4.8.2.

Could you assist me with this use case?

Thank you in advance for your support.

Best regards,

Syrine ZOUARI

MIC PIN

Mar 18, 2025, 10:26:19 AM
to Wazuh | Mailing List
Hi Syrine,

You should use syslog capabilities. On the FortiGate, just enable an external syslog server (https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-multiple-Syslog-servers/ta-p/194117) and point it to the Wazuh instance.

In Wazuh's etc/ossec.conf, add or change these lines according to your configuration:

  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>[IP whitelist]</allowed-ips>
  </remote>

Then check that you have decoders and rules to correctly intercept FortiGate events, like https://github.com/alextibor/wazuh-fortigate-rules-decoders

That's all.

Michele

Olamilekan Abdullateef Ajani

Mar 18, 2025, 11:45:21 AM
to Wazuh | Mailing List
Hello Syrine,

I would advise you to leverage rsyslog to capture logs from the FortiGate firewall, and then install an agent on the rsyslog server to read the logs received from the FortiGate appliance and forward them to the Wazuh server for decoding.

Once you forward the FortiGate logs to the rsyslog server, you can configure the agent's localfile to read the file the logs are written to, as in the example below:

<localfile>
  <log_format>syslog</log_format>
  <!-- the file rsyslog writes the FortiGate messages to; adjust to your rsyslog rule -->
  <location>/var/log/fortigate.log</location>
</localfile>


Once this is done, you can rest assured the logs will be present on the Wazuh server, as Wazuh has a built-in decoder for the FortiGate appliance.

The other option is the remote configuration, where you forward the logs directly to the Wazuh server. After configuring syslog on the FortiGate appliance and setting the Wazuh server as the syslog server, you need to configure the Wazuh server to expect traffic from the FortiGate appliance with the sample below:


<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>Y.Y.Y.Y/24</allowed-ips>
  <local_ip>X.X.X.X</local_ip>
</remote>

port: depends on the syslog port being used; can be customized.
protocol: UDP/TCP (has to be the same on both ends).
allowed-ips: the IP address of the FortiGate appliance.
local_ip: the IP address of the Wazuh instance.

Ref:
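Both replies end at the same place: the manager's syslog listener (or an agent tailing the rsyslog file) hands a FortiGate key=value line to Wazuh's built-in decoder. The script below is an added example, not code from either reply and not Wazuh's decoder; it shows what that line looks like, how the allowed-ips whitelist behaves for a single address versus a /24, and how the key=value body splits into fields. The sample log line, the hostnames and all addresses are constructed (documentation ranges), and send_udp_syslog targets a hypothetical manager address you would fill in yourself.

```python
# Added example: FortiGate syslog line -> allowed-ips check -> field split.
# Not Wazuh's own decoder; a stand-in to reason about the pipeline offline.
import ipaddress
import re
import socket

# Constructed sample FortiGate traffic log in the key=value format the
# appliance sends over syslog, with the <PRI> header UDP syslog carries.
# Addresses are documentation ranges, device names are made up.
SAMPLE_LINE = (
    '<189>date=2025-03-18 time=10:07:08 devname="FGT-EDGE" '
    'devid="FGT60FTK00000000" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=192.0.2.10 '
    'srcport=58012 srcintf="port1" dstip=198.51.100.20 dstport=443 '
    'dstintf="port2" proto=6 action="accept" policyid=7 service="HTTPS"'
)

_PRI = re.compile(r"^<(\d{1,3})>")
# key=value where the value is either "quoted" (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def allowed_by_remote(src_ip: str, allowed_ips: list[str]) -> bool:
    """Approximate the <allowed-ips> check of the <remote> syslog listener:
    each entry is one address or a CIDR network. An entry like Y.Y.Y.Y/24
    admits every host in that network, not only the firewall, so prefer the
    appliance's exact address when it is static."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in allowed_ips)


def parse_fortigate(line: str) -> dict:
    """Split a FortiGate syslog line into fields: syslog facility/severity
    from the <PRI> header, then every key=value pair (quoted or bare)."""
    fields: dict = {}
    m = _PRI.match(line)
    if m:
        fields["facility"], fields["severity"] = divmod(int(m.group(1)), 8)
        line = line[m.end():]
    for kv in _KV.finditer(line):
        key, quoted, bare = kv.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def ingest(line: str, src_ip: str, allowed_ips: list[str]):
    """What the manager effectively does: drop datagrams from senders that
    are not whitelisted, otherwise decode. Returns the fields or None."""
    if not allowed_by_remote(src_ip, allowed_ips):
        return None
    return parse_fortigate(line)


def send_udp_syslog(line: str, host: str, port: int = 514) -> int:
    """Send one line to a syslog listener to confirm the manager receives it
    (with <logall>yes</logall> it appears under /var/ossec/logs/archives)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line.encode(), (host, port))


if __name__ == "__main__":
    print(ingest(SAMPLE_LINE, "192.0.2.10", ["192.0.2.0/24"]))
    print(ingest(SAMPLE_LINE, "203.0.113.9", ["192.0.2.10"]))  # None: not whitelisted
    # send_udp_syslog(SAMPLE_LINE, "WAZUH_MANAGER_IP")  # hypothetical manager address
```

The facility/severity split is the part people forget when filtering in rsyslog: 189 is local7.notice, which is what the appliance sets on traffic logs in the sample, so a facility-based rsyslog rule needs to match that rather than the default syslog facility.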