
Page 1: FORTINET FORTIGATE AND SPLUNK · Splunk Enterprise makes it simple to collect, analyze and act upon the untapped value of the big data generated by your technology infrastructure,

DEPLOYMENT GUIDE

FORTINET FORTIGATE AND SPLUNK


DEPLOYMENT GUIDE: FORTINET FORTIGATE AND SPLUNK

CONTENTS

Overview: page 3

Deployment Prerequisites: page 3

Architecture Overview: page 3

Splunk Configuration: page 4

Fortinet Configuration: page 6

Troubleshooting: page 8

Summary: page 8


OVERVIEW

Fortinet (NASDAQ: FTNT) is a global provider of high-performance network security and specialized security solutions that provide our customers with the power to protect and control their IT infrastructure. Our purpose-built, integrated security technologies, combined with our FortiGuard security intelligence services, provide the high performance and complete content protection our customers need to stay abreast of a constantly evolving threat landscape.

The Fortinet Security Fabric brings together all components in your network. It is Broad, Powerful and Automated. In addition to Fortinet products, the Security Fabric also integrates with third-party partners to extend the power of the Security Fabric to other parts of an organization. For more information regarding our Security Fabric Partners, please refer to our Technology Alliances here: https://www.fortinet.com/partners/partnerships/alliance-partners.html

Splunk Inc. (NASDAQ: SPLK) is the market leader in analyzing machine data to deliver Operational Intelligence for security, IT and the business. Splunk® software provides the enterprise machine data fabric that drives digital transformation.

Splunk Enterprise makes it simple to collect, analyze and act upon the untapped value of the big data generated by your technology infrastructure, security systems and business applications—giving you the insights to drive operational performance and business results.

The FortiGate App for Splunk combines the best security information and event management (SIEM) and threat prevention by aggregating, visualizing and analyzing hundreds of thousands of log events and data from FortiGate physical and virtual firewall appliances. The App dramatically improves the detection, response and recovery from advanced threats by providing broad security intelligence from data that is collected across the cloud.

DEPLOYMENT PREREQUISITES

1. Fortinet FortiGate version 5.6
2. Fortinet FortiGate App for Splunk version 1.4
3. Fortinet FortiGate Add-On for Splunk version 1.5
4. Splunk version 6.x (tested with 6.6.2)
5. A splunk.com username and password

Note: If you are using an older version of the Fortinet FortiGate App for Splunk, see the Troubleshooting section at the end of this guide and the app page at https://splunkbase.splunk.com/app/2800/#/details

ARCHITECTURE OVERVIEW


SPLUNK CONFIGURATION

1. To install the Splunk apps, click the gear icon.

2. Click Browse more apps and search for “Fortinet”.

3. Install the Fortinet FortiGate Add-On for Splunk. Enter your splunk.com username and password when prompted.

4. Then install the Fortinet FortiGate App for Splunk. Enter your splunk.com username and password when prompted.


5. From Settings, click Data Inputs.

6. Under Data Inputs, create a new UDP input by clicking Add new on the right.

7. Create a UDP data source on port 514.


8. Click New.

9. Under Input Settings, set the Source Type to “fgt_log” and set the Source Type Category to Custom.
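The UDP input tagged with the fgt_log sourcetype receives each FortiGate event as one syslog line of key=value pairs. The parser below is an added example, not code from this guide or from the FortiGate App or Add-On for Splunk; it shows the field layout that sourcetype expects, how quoted values containing spaces are handled, and how the syslog priority prefix decodes into facility and severity. The sample lines, device name, device ID, log IDs and addresses are constructed placeholders.

```python
"""Parse FortiGate syslog lines (the key=value layout the Splunk App's
"fgt_log" sourcetype expects) to see what the UDP input will receive."""
import re
from collections import Counter
from typing import Any, Dict, Iterable, List

# Constructed sample messages in FortiGate syslog layout. Device name, device ID,
# log IDs and addresses are placeholders, not captured from a real appliance.
SAMPLE_LINES: List[str] = [
    '<189>date=2018-02-07 time=10:15:30 devname="FGT-LAB" devid="FGT-PLACEHOLDER-ID" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=10.0.0.5 srcport=51234 dstip=203.0.113.20 dstport=443 proto=6 '
    'action="accept" policyid=7 service="HTTPS" sentbyte=1520 rcvdbyte=8320',
    '<189>date=2018-02-07 time=10:15:31 devname="FGT-LAB" devid="FGT-PLACEHOLDER-ID" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=10.0.0.9 srcport=40001 dstip=198.51.100.3 dstport=23 proto=6 '
    'action="deny" policyid=0 service="TELNET" sentbyte=0 rcvdbyte=0',
    '<188>date=2018-02-07 time=10:16:02 devname="FGT-LAB" devid="FGT-PLACEHOLDER-ID" '
    'logid="0100032002" type="event" subtype="system" level="warning" vd="root" '
    'logdesc="Admin login failed" user="admin" ui="ssh(192.0.2.7)" '
    'msg="Administrator admin login failed from ssh(192.0.2.7) because of invalid user name or password"',
]

# One key=value pair: the value is either double-quoted (may contain spaces) or bare.
_PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# RFC 3164 priority prefix, e.g. <189>
_PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_fortigate_line(line: str) -> Dict[str, Any]:
    """Return the fields of one FortiGate syslog line as a dict.

    The <PRI> prefix is decoded into syslog facility and severity; bare numeric
    values become int, quoted values stay strings (so msg text keeps its spaces).
    """
    fields: Dict[str, Any] = {}
    m = _PRI_RE.match(line)
    if m:
        pri = int(m.group(1))
        fields["facility"] = pri >> 3   # 23 == local7, the FortiGate default
        fields["severity"] = pri & 7    # 0 (emergency) .. 7 (debug)
        line = line[m.end():]
    for key, quoted, bare in _PAIR_RE.findall(line):
        if quoted != "" or bare == "":
            fields[key] = quoted            # quoted value, possibly empty
        elif bare.isdigit():
            fields[key] = int(bare)         # ports, byte counts, policy IDs
        else:
            fields[key] = bare              # dates, times, IP addresses
    return fields


def count_by(lines: Iterable[str], key: str) -> Counter:
    """Count events by the value of one field, e.g. type or action."""
    return Counter(str(parse_fortigate_line(l).get(key, "<missing>")) for l in lines)


def denied_flows(lines: Iterable[str]) -> List[Dict[str, Any]]:
    """Traffic records the firewall dropped, a quick sanity check that the
    traffic log category really is being forwarded."""
    out: List[Dict[str, Any]] = []
    for l in lines:
        f = parse_fortigate_line(l)
        if f.get("type") == "traffic" and f.get("action") == "deny":
            out.append(f)
    return out


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_fortigate_line(line)
        print(ev["type"], ev.get("action", ev.get("logdesc")), "severity", ev["severity"])
    print(count_by(SAMPLE_LINES, "type"))
    print(len(denied_flows(SAMPLE_LINES)), "denied flow(s)")
```

The quoted-value branch matters: Splunk's field extraction for fgt_log depends on the same convention, so a message field such as msg or logdesc arrives as one value rather than being split at each space. Checking the facility and severity on a few received lines is also a cheap way to confirm the events came from the FortiGate syslog setting rather than some other syslog source sharing the port.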

FORTINET CONFIGURATION

Configure FortiGate to send syslog to the Splunk server's IP address.

1. Under Log & Report, click Log Settings.


2. Enable Send Logs to Syslog.

3. Enter the IP address or FQDN of the Splunk server.

4. Select the desired log settings.

5. Click Save.

Note: If the primary syslog server is already configured, you can use the CLI to configure additional syslog servers.

The configuration is now complete.


Copyright © 2018 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

GLOBAL HEADQUARTERS
Fortinet Inc.
899 Kifer Road
Sunnyvale, CA 94086
United States
Tel: +1.408.235.7700
www.fortinet.com/sales

EMEA SALES OFFICE
905 rue Albert Einstein
06560 Valbonne
France
Tel: +33.4.8987.0500

APAC SALES OFFICE
300 Beach Road 20-01
The Concourse
Singapore 199555
Tel: +65.6513.3730

LATIN AMERICA HEADQUARTERS
Sawgrass Lakes Center
13450 W. Sunrise Blvd., Suite 430
Sunrise, FL 33323
Tel: +1.954.368.9990

February 7, 2018
170843-0-0-EN

TROUBLESHOOTING

What to do if data doesn’t show up in the Dashboards?

1. Go to Settings > Data Inputs. Verify that you have a UDP data input enabled on port 514.

2. Go to Settings > Indexes. Verify that your index (typically main) is receiving data and that the Latest Event is recent.

3. If not, verify that the FortiGate syslog settings are correct and that the FortiGate can reach the Splunk server.
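The checks above are done in the Splunk UI. As an added example (not part of this guide or of the Fortinet or Splunk products), the Python script below exercises the same syslog path end to end on one machine: a throwaway UDP listener stands in for the Splunk input (bound to an ephemeral port, because binding 514 normally needs privileges) and a sender plays the FortiGate. The test message, device name and addresses are constructed placeholders, and the Splunk host address in the usage note is an assumption you replace with your own.

```python
"""Loopback check of the FortiGate -> Splunk syslog path: a throwaway UDP
listener stands in for the Splunk UDP input while a sender plays the FortiGate."""
import socket
import threading
from typing import Dict, Optional, Tuple

# Constructed test datagram in FortiGate syslog layout (placeholder values).
TEST_MESSAGE = ('<189>date=2018-02-07 time=10:20:00 devname="FGT-LAB" '
                'type="event" subtype="system" logdesc="Syslog test" '
                'msg="connectivity check"')


def start_listener(bind_addr: str = "127.0.0.1", port: int = 0,
                   timeout: float = 2.0) -> socket.socket:
    """Bind a UDP socket (port 0 = ephemeral; 514 needs privileges) and return it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    sock.settimeout(timeout)
    return sock


def send_syslog(host: str, port: int, message: str) -> int:
    """Fire one UDP datagram the way FortiGate does. Returns the byte count
    handed to the kernel; UDP gives no delivery confirmation, so a successful
    send by itself proves nothing about the receiving side."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(message.encode("utf-8"), (host, port))


def looks_like_fortigate(payload: bytes) -> bool:
    """Cheap sanity check that a received payload has the shape the fgt_log
    sourcetype expects: a <PRI> prefix followed by key=value pairs including devname."""
    text = payload.decode("utf-8", errors="replace")
    return text.startswith("<") and ">" in text[:5] and "devname=" in text


def loopback_check(message: str = TEST_MESSAGE) -> Tuple[bool, Optional[str]]:
    """Send the test message to a local listener and report (arrived_and_valid, text).

    The listener is bound before the send, so the datagram is queued in the
    socket buffer even if the receiving thread has not reached recvfrom yet.
    """
    listener = start_listener()
    host, port = listener.getsockname()
    result: Dict[str, Optional[bytes]] = {}

    def recv() -> None:
        try:
            data, _peer = listener.recvfrom(65535)
            result["data"] = data
        except socket.timeout:
            result["data"] = None

    t = threading.Thread(target=recv)
    t.start()
    send_syslog(host, port, message)
    t.join()
    listener.close()
    data = result.get("data")
    if data is None:
        return False, None
    return looks_like_fortigate(data), data.decode("utf-8", errors="replace")


if __name__ == "__main__":
    ok, text = loopback_check()
    print("received and well-formed:", ok)
    print("payload:", text)
```

To test the real path, call send_syslog("<splunk-ip>", 514, TEST_MESSAGE) from a host on the same side of the network as the FortiGate, then look in Settings > Indexes for a fresh Latest Event. Because UDP carries no acknowledgement, a successful send only proves the sender side; a message that never shows up usually points at a host firewall on the Splunk server, the UDP input bound to the wrong interface, or a routing gap between the two.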

SUMMARY

The Fortinet FortiGate App for Splunk solution delivers advanced security reporting and analysis in the datacenter that benefits operational reporting, as well as providing simplified and configurable dashboard views across Fortinet firewall appliances, physical and virtual. The FortiGate add-on enables Splunk Enterprise and Enterprise Security to ingest or map security and traffic data collected from FortiGate physical and virtual appliances across domains.

Solution Brief: https://www.fortinet.com/content/dam/fortinet/assets/alliances/SolutionBrief-Fortinet-Splunk.pdf

Fortinet FortiGate App for Splunk: https://splunkbase.splunk.com/app/2800/

Fortinet FortiGate Add-On for Splunk: https://splunkbase.splunk.com/app/2846/