Overview
Blumira’s modern SIEM platform integrates with Fortinet Fortigate Firewalls to stream security event logs to the Blumira service for automated threat detection and actionable response.
When Blumira’s dynamic blocklist capabilities are configured with your firewall, Blumira can provide automated blocking of known threats, automatically add new block rules when threats are detected, and provide blocking based on Blumira’s community of customers that have detected new threats.
Learn more about enabling Blumira’s blocklists to block malicious source IP addresses and domains for automated threat response.
Also see Fortinet's external threat list setup instructions.
Before you begin
This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.
Gather the IP address of your Blumira sensor to use when configuring the external service.
To find and copy the IP address of the sensor, do the following:
- In Blumira, navigate to Settings > Sensors.
- Click the sensor row to open the details page.
- Under Overview, in the Host Details box, copy the IP value.
Configuring log forwarding for Fortinet Fortigate Firewalls
To configure Fortinet Fortigate Firewalls to send logs to Blumira’s sensor, you can either use the graphical user interface (GUI), found in Log & Report > Log Settings, or you can use the Fortigate Command Line Interface (CLI).
Log into the CLI and enter the following commands, which include the IP address of your Blumira sensor:
config log syslogd setting set status enable set server x.x.x.x [the IP address of the Blumira sensor]
set source-ip x.x.x.x [the firewall’s internal IP address] set port 514 set facility user set reliable disable (This command is version specific) end
Note: You can configure Fortigate to send logs to up to four sensors. Just replace ‘syslogd’ with syslogd2, sylsogd3 or syslogd4 on the first line to configure each sensor.
Most Fortigate features are enabled for logging by default, but you can enable Traffic, Web, and URL Filtering with the following commands:
config log syslogd filter set traffic enable set web enable set url-filter enable end
Reference: For more information on logging to a remote Syslog server, see Fortinet’s Logging and Reporting Guide.