Overview
Blumira integrates with Fortinet FortiGate Firewalls to detect cybersecurity threats across your environment, combining SIEM log analysis and AI-powered investigation to provide automated or actionable response.
When Blumira’s dynamic blocklist capabilities are configured with your firewall, Blumira can provide automated blocking of known threats, automatically add new block rules when threats are detected, and provide blocking based on Blumira’s community of customers that have detected new threats.
Learn more about enabling Blumira’s blocklists to block malicious source IP addresses and domains for automated threat response.
Also see Fortinet's external threat list setup instructions.
Before you begin
This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.
Gather the IP address of your Blumira sensor to use when configuring the external service.
To find and copy the IP address of the sensor, do the following:
- In Blumira, navigate to Ingestion > Sensors.
- Click the sensor row to open the details page.
- In the Overview section, next to Host Details, copy the IP address.
Configuring log forwarding for Fortinet FortiGate Firewalls
To configure Fortinet FortiGate firewalls to send logs to a Blumira sensor, you can either use the graphical user interface (GUI) or you can use the FortiGate command line interface (CLI).
To configure log forwarding from the FortiGate GUI, do the following:
- In FortiGate, navigate to Log & Report > Log Settings.
- Click the slider next to Send logs to syslog to set it to Enabled.
- In the IP Address/FQDN box, type the IP address of your Blumira sensor.
- Click Apply.
To configure log forwarding using the CLI, log into the CLI and enter the following commands, which include the IP address of your Blumira sensor:
config log syslogd setting
set status enable
set server x.x.x.x [the IP address of the Blumira sensor]
set source-ip x.x.x.x [the firewall’s internal IP address]
set port 514
set facility user
set reliable disable (This command is version specific)
end
Note: To configure additional sensors, use syslogd2, syslogd3, or syslogd4 in place of syslogd on the first line, once for each sensor. Also, if the above set reliable disable command does not work, you can try set mode udp.
Most FortiGate features are enabled for logging by default, but you can enable Traffic, Web, and URL Filtering with the following commands:
config log syslogd filter
set traffic enable
set web enable
set url-filter enable
end
Reference: For more information on logging to a remote Syslog server, see Fortinet’s Technical Tip: Configuring multiple Syslog servers article.
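Once forwarding is configured, it is worth confirming on the sensor side that the log types you enabled (traffic, web filtering, URL filtering) are actually arriving. The following added example is not part of Blumira's or Fortinet's documentation: it parses FortiGate's key=value syslog format and reports which expected type/subtype categories are missing. The sample records and device identifiers are constructed for illustration; in practice you would feed it lines captured by a syslog listener on the sensor.

```python
import re
from collections import Counter

# Constructed sample FortiGate syslog records (not real device output).
# FortiGate emits space-separated key=value pairs; values containing
# spaces are double-quoted. Device IDs and log IDs here are placeholders.
SAMPLE_LOGS = [
    'date=2024-05-01 time=10:00:01 devname="fw-edge" devid="FGT-PLACEHOLDER" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" '
    'srcip=10.1.1.20 dstip=203.0.113.9 dstport=443 action="accept"',
    'date=2024-05-01 time=10:00:02 devname="fw-edge" devid="FGT-PLACEHOLDER" '
    'logid="0316013056" type="utm" subtype="webfilter" level="warning" '
    'srcip=10.1.1.20 hostname="example.test" action="blocked" '
    'msg="URL belongs to a denied category in policy"',
    'date=2024-05-01 time=10:00:03 devname="fw-edge" devid="FGT-PLACEHOLDER" '
    'logid="0100032001" type="event" subtype="system" level="information" '
    'msg="Admin login successful"',
]

# key=value where value is either a double-quoted string (allowing escaped
# quotes) or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_line(line):
    """Parse one FortiGate syslog record into a dict, stripping quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def log_category(record):
    """Return 'type/subtype' for a parsed record, e.g. 'traffic/forward'."""
    return f"{record.get('type', '?')}/{record.get('subtype', '?')}"


def check_expected_categories(lines, expected=("traffic/forward", "utm/webfilter")):
    """Count categories seen and list expected ones that never appeared.

    An empty 'missing' list means the traffic and web-filter logging enabled
    in the syslogd filter above is reaching the collector.
    """
    seen = Counter(log_category(parse_fortigate_line(line)) for line in lines)
    missing = [category for category in expected if category not in seen]
    return seen, missing


if __name__ == "__main__":
    counts, absent = check_expected_categories(SAMPLE_LOGS)
    print("categories seen:", dict(counts))
    print("expected but missing:", absent)
```

If a category is reported missing after traffic has been generated, re-check the syslogd filter settings and that the sensor is listening on UDP port 514.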