
Downloading Fortinet FortiGate Add-On for Splunk

SHA256 checksum (fortinet-fortigate-add-on-for-splunk_169.tgz) 3d05c09a53b26b2c8ad62e11ac47bee8b3755dd7c7403e44091dfe7a77d16fa7
SHA256 checksum (fortinet-fortigate-add-on-for-splunk_168.tgz) a6c72d8e4cefb3a5273404dd54421fc6445e5409796317279d9652f2ed701152
SHA256 checksum (fortinet-fortigate-add-on-for-splunk_167.tgz) aa3fbc4a7a8dcbe03f12fe227650ec28f9e060444c01022f4501c9ec0fac04c7
SHA256 checksum (fortinet-fortigate-add-on-for-splunk_166.tgz) 74beff6d74a37ea32b704d835ce09fc6c2b899e1bfdef232efa60a2eb90ab637
SHA256 checksum (fortinet-fortigate-add-on-for-splunk_165.tgz) 9f98d7e98b24a4995c6222bb2a6883b426a6f58840d0084b1ef3ca381a9d69af
SHA256 checksum (fortinet-fortigate-add-on-for-splunk_164.tgz) e2bd4be98601b7c9e609ed73d9dc22adde806501cfabd26b16785373cdfac034
SHA256 checksum (fortinet-fortigate-add-on-for-splunk_163.tgz) ac24cf4d1646ef92385fc81afc0f8cf7a962b64db9f5167bc05fb558ed2604af
SHA256 checksum (fortinet-fortigate-add-on-for-splunk_162.tgz) d0dc8b6319b2545559691ef796a7e91281b8802cd298befb2aa9e7d500f287d4
SHA256 checksum (fortinet-fortigate-add-on-for-splunk_161.tgz) f27cc77e5a6b5e635c27e0b316bda575e59caa7fa7da66e9e9cc5cf80e7f910c
SHA256 checksum (fortinet-fortigate-add-on-for-splunk_160.tgz) bf328c2aa37ca66c21e56579a1c327b602e33b16f154803fff4c9ba9f4e56db4
SHA256 checksum (fortinet-fortigate-add-on-for-splunk_16.tgz) 04a2d6119f872f46335a83e345790d92d6d7b0e6c7eec9d391c9135c16bbbcc9
SHA256 checksum (fortinet-fortigate-add-on-for-splunk_15.tgz) 42970182ff7b50542d6555baea6d083acb77e5d08a1ac48e5b2e833f2c3f2a50
SHA256 checksum (fortinet-fortigate-add-on-for-splunk_14.tgz) ce76f0d40f0ac8e446dc45084545a5d8896d7175d3958b6491a914f7c90e5599
SHA256 checksum (fortinet-fortigate-add-on-for-splunk_13.tgz) 95a7403966d0083f62c11e21b18315e6ea50585a07249450db378cbea6f1a73a
SHA256 checksum (fortinet-fortigate-add-on-for-splunk_12.tgz) f65e789647db56f5d6384421f046434bd26b8ed6f49731b2a0c9c3a14fa694f9
SHA256 checksum (fortinet-fortigate-add-on-for-splunk_10.tgz) d2397cffed974d6a5ed3cd94e9b98f636cfdbf29a30553560e204dcc2830840c

Fortinet FortiGate Add-On for Splunk

Splunk Cloud
This app is NOT supported by Splunk. Please read about what that means for you here.
Overview
Fortinet FortiGate Add-On for Splunk is the technical add-on (TA) developed by Fortinet, Inc. The add-on enables Splunk Enterprise to ingest and map security and traffic data collected from FortiGate physical and virtual appliances across domains. The key features include:

• Streamlining authentication and access events from FortiGate, such as administrator login, user login and VPN termination authentication, into the Splunk Enterprise Security Access Center

• Mapping the FortiGate virus report into the Splunk Enterprise Security Endpoint Malware Center

• Ingesting traffic logs, IPS logs, system configuration logs, web filtering data, etc.

Fortinet FortiGate Add-On for Splunk provides Common Information Model (CIM) knowledge, advanced saved searches, indexes and macros for use with other Splunk Enterprise apps such as the Splunk App for Enterprise Security.

The compatible FOS version is 5.0 and later.

Fortinet FortiGate Add-on for Splunk

Next Generation and Datacenter Firewalls


Dependencies

If used with apps that are based on CIM, Splunk Common Information Model Add-on will need to be installed.

Please make sure FortiGate FOS version is 5.0 or later.

Configuration Steps

Install Fortinet FortiGate Add-on for Splunk on the search head, indexer, forwarder or single-instance Splunk server:

Note: There is a third-party add-on for Fortinet named Fortinet Fortigate with FortiOS 5 Add-On, with folder name TA-fortinet, which conflicts with Fortinet FortiGate Add-on for Splunk. Disable that third-party add-on before you proceed.

There are three ways to install the add-on:

  1. Install from the Splunk web UI: Manage Apps->Browse more apps->search for the keyword “Fortinet” and find the add-on with the Fortinet logo->click the “Install free” button->restart the Splunk service.
  2. Install from file on the Splunk web UI: Manage Apps->Install from file->upload the .tgz file downloaded from https://splunkbase.splunk.com/apps ->check the upgrade box->restart the Splunk service.
  3. Install from file on the Splunk server CLI: extract the .tgz file->place the Splunk_TA_fortinet_fortigate folder under $SPLUNK_HOME/etc/apps->restart the Splunk service.

Add data input on Splunk server:

Note: From version 1.2, the Splunk TA (add-on) for FortiGate no longer matches a wildcard source or sourcetype to extract FortiGate log data; instead, a default sourcetype fortigate_log is specified in default/props.conf. Follow the instructions below to configure your input and props.conf for the App and TA (add-on).

Through the Splunk Web UI:
Settings->Data Input->UDP
Port: 514 (example; choose a port according to your own plan)
Leave the other parameters as they are.

Note: the UDP port (514 in this example) must be opened on the firewall for logs to pass through. If you choose a TCP input and set the FortiGate syslog setting to "reliable" (TCP) mode, you will need to add the following to local/props.conf, because TCP-transported syslog carries an "xxx <yyy>" header (message length followed by the syslog priority) that serves as the line indicator. 8514 below is an example TCP port; you can choose your own. Unlike UDP there is no timestamp header, so the timestamp is taken from the eventtime field of the FortiGate log; in our case the precision is nanoseconds, so the time format is %s%9N. If your FOS version writes the timestamp at a different precision, refer to: https://docs.splunk.com/Documentation/Splunk/8.1.1/SearchReference/Commontimeformatvariables

[source::tcp:8514]
SHOULD_LINEMERGE = false
LINE_BREAKER = (\d{2,3}\s+<\d{2,3}>)
TIME_PREFIX = eventtime=
TIME_FORMAT = %s%9N

If you are forwarding FortiGate logs from FortiAnalyzer, make sure you set the format to syslog instead of the default CEF format.

Fortinet FortiGate Add-On for Splunk will by default automatically extract FortiGate log data from inputs with sourcetype 'fortigate_log'. If you want it to extract a self-defined sourcetype instead, copy $SPLUNK_HOME/etc/apps/Splunk_TA_fortinet_fortigate/default/props.conf to $SPLUNK_HOME/etc/apps/Splunk_TA_fortinet_fortigate/local/props.conf and change the sourcetype stanza, for instance replacing [fortigate_log] with [fortigate].

Restart Splunk service for the change to take effect.
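As an added example (not code from the add-on, from Fortinet or from Splunk), the Python script below emulates what the three props.conf settings above do to a TCP "reliable" syslog stream, so the line breaking and the %s%9N timestamp handling can be checked before logs are pointed at Splunk. It also parses the key=value body, accepting both the unquoted value style of older FOS releases and the double-quoted style that the FOS 5.6 note under "Verify the Add-on" refers to, and runs the action field through a small lookup in the spirit of the add-on's action lookup. The sample events, device names, addresses, ports and the lookup table are constructed for this example; the only mapping taken from the page is "detected" to "allowed", from the 1.6.5 release note. One deliberate difference from the Splunk stanza: the script detects the eventtime precision instead of assuming nine fractional digits, which is the adjustment the note says you must make by hand to TIME_FORMAT when your FOS version differs.

```python
from __future__ import annotations

import re
from datetime import datetime, timezone

# The settings from the page's [source::tcp:8514] stanza, re-expressed in Python
# so their effect on a TCP syslog stream can be observed outside Splunk.
LINE_BREAKER = re.compile(r"(\d{2,3}\s+<\d{2,3}>)")  # "<length> <PRI>" framing
TIME_PREFIX = "eventtime="                            # TIME_PREFIX = eventtime=
# TIME_FORMAT = %s%9N: epoch seconds followed by nine nanosecond digits

# key=value tokens; the quoted alternative covers FOS 5.6+ output such as type="traffic"
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Illustrative action lookup (constructed; the add-on ships its own CSV lookups).
# "detected" -> "allowed" reflects the 1.6.5 release note; the other rows use the
# CIM values "allowed"/"blocked" for the common FortiGate action strings.
ACTION_LOOKUP = {"accept": "allowed", "close": "allowed", "detected": "allowed",
                 "deny": "blocked", "blocked": "blocked", "dropped": "blocked"}

# Constructed sample stream: two FortiGate events as they arrive on one TCP
# connection in "reliable" syslog mode - octet count, PRI, no newline between them.
# Device names, IDs, addresses and times are made up. The second event carries a
# seconds-only eventtime to exercise the precision handling.
SAMPLE_STREAM = (
    '170 <189>date=2021-06-03 time=10:15:22 devname="FGT-EXAMPLE" devid="FG100EXAMPLE0001" '
    'eventtime=1622715322123456789 logid="0000000013" type="traffic" subtype="forward" '
    'action="accept" srcip=10.0.0.5 dstip=203.0.113.10 dstport=443 '
    '146 <189>date=2021-06-03 time=10:15:23 devname="FGT-EXAMPLE" devid="FG100EXAMPLE0001" '
    'eventtime=1622715323 logid="0419016384" type="utm" subtype="ips" action="detected" '
    'attack="Example.Signature" severity="high" srcip=198.51.100.7'
)


def break_events(stream: str) -> list[str]:
    """Emulate LINE_BREAKER with SHOULD_LINEMERGE = false: the text matched by the
    capture group is discarded and whatever follows it begins a new event."""
    parts = LINE_BREAKER.split(stream)
    # re.split with one capture group yields [lead, sep, body, sep, body, ...];
    # a non-empty lead (data before the first header) is kept as its own event.
    bodies = [parts[0]] + parts[2::2]
    return [body.strip() for body in bodies if body.strip()]


def parse_eventtime(event: str):
    """Emulate TIME_PREFIX + TIME_FORMAT = %s%9N, but detect the precision instead
    of assuming nine fractional digits. Assumes a 10-digit seconds part, which
    holds for any FortiGate timestamp between 2001 and 2286."""
    m = re.search(re.escape(TIME_PREFIX) + r"(\d+)", event)
    if not m:
        return None, None
    digits = m.group(1)
    secs = int(digits[:10])
    frac = digits[10:19]                      # ms, us or ns digits, if any
    nanos = int(frac) * 10 ** (9 - len(frac)) if frac else 0
    stamp = datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=nanos // 1000)
    return stamp, secs * 1_000_000_000 + nanos


def parse_fields(event: str) -> dict:
    """Extract key=value pairs. Pre-5.6 FOS writes type=traffic, 5.6+ writes
    type="traffic"; both are accepted and the quotes are stripped so the value
    matches a lookup either way."""
    fields = {}
    for key, value in KV_RE.findall(event):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def process_stream(stream: str) -> list[dict]:
    """Break the stream into events and normalise each one: timestamp from
    eventtime, fields from key=value pairs, and a CIM-style action via the lookup."""
    events = []
    for raw in break_events(stream):
        fields = parse_fields(raw)
        fields["_time"], fields["eventtime_ns"] = parse_eventtime(raw)
        fields["cim_action"] = ACTION_LOOKUP.get(fields.get("action", "").lower(), "unknown")
        events.append(fields)
    return events


if __name__ == "__main__":
    for ev in process_stream(SAMPLE_STREAM):
        print(ev["_time"].isoformat(), ev["type"], ev["subtype"],
              ev["action"], "->", ev["cim_action"])
```

Running the script on the constructed stream yields two events, not one: without the LINE_BREAKER the second "146 <189>" header would simply be absorbed into the first event's field list. The second event also shows why the action lookup matters for the Enterprise Security dashboards: an IPS "detected" event means the traffic was allowed through, so it should not be counted as blocked.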

Verify the Add-on in Enterprise Security App

Dashboards in the Enterprise Security App that are supported by Fortinet FortiGate Add-on for Splunk:

  1. Security Domain->Access->Access Center
  2. Security Domain->Endpoint->Malware Center
  3. Security Domain->Network->Traffic Center
  4. Security Domain->Network->Intrusion Center
  5. Security Domain->Network->Web Center
  6. Security Domain->Network->Network Changes
  7. Security Domain->Network->Port & Protocol Tracker
  8. Security Domain->Identity->Session Center

Please note that in FOS 5.6 the type field value is enclosed in double quotes (""), so for the FortiGate logs to be recognized, upgrade this add-on to version 1.5 or later.

For more information on the App support, email splunk_app@fortinet.com.

Release Notes

Version 1.6.9
Feb. 11, 2025

fix app.manifest permission
add new action lookup for "start"

Version 1.6.8
May 10, 2024

update version to stay active

Version 1.6.7
Nov. 24, 2021

add a pattern for 2601F and future xK models.

Version 1.6.6
Sept. 8, 2021

v1.6.6: Sept 2021
- add alias for legacy source types

Version 1.6.5
Aug. 13, 2021

v1.6.5: Aug 2021
- splunk proposal for better CIM compliance
- map detected in action lookup to allowed

Version 1.6.4
June 3, 2021

fix session throughput miscalculation caused by long session.

Version 1.6.3
April 1, 2021

correct action lookups
update references of fgt to fortigate

Version 1.6.2
Dec. 10, 2019

- add 2 more action mapping
- fix deprecated field alias
- process anomaly as utm log and consider it an attack

Version 1.6.1
Aug. 2, 2019

  1. fix bugs in REGEX to match FortiGate logs.
  2. fix app precheck errors and warnings according to new standard.

Version 1.6.0
Feb. 27, 2018

  1. fix bug for FOS5.6 logs with double quotes
  2. add regex support for FGT6K device ID
  3. fix app inspection issues in version numbering, csv format.

Version 1.6
Feb. 23, 2018

  1. fix bug for FOS5.6 logs with double quotes
  2. add regex support for FGT6K device ID

Version 1.5
July 6, 2017

v1.5: Jul 2017
- Modify regex to accommodate FOS5.6 log format

Version 1.4
Oct. 11, 2016

v1.4: Oct 2016
- Modify regex to accommodate logs from other forwarding sources, which don't have date and time fields

Version 1.3
May 24, 2016

Changes for certification, no bug fixes or features.

Version 1.2
Feb. 26, 2016

v1.2: Feb 2016
- Fix FortiWifi Platform Log problem
- Change for splunk certification
- Remove default sourcetype wildcard matching, use fgt_log sourcetype instead
- Add csv log format support
Note: From version 1.2, the Splunk TA (add-on) for FortiGate no longer matches a wildcard source or sourcetype to extract FortiGate log data; instead, a default sourcetype fgt_log is specified in default/props.conf. Follow the instructions in the documentation to configure your input and props.conf for the App and TA (add-on).

Version 1.0
Aug. 19, 2015

v1.0: Aug 2015
- Initial release
