FortiAnalyzer Connector


FortiAnalyzer Firewall Configuration Requirements and Setup

By following these steps, you can successfully configure the FortiAnalyzer Connector and the FortiGate Firewall to forward events to your specified machine.

FortiAnalyzer Ingestion Connector Configuration

  1. Navigate to the Connector:
    • Navigate to the Connector page in the XDR portal and select Ingestion.
    • Select Event Connector.
    • Click Configure.
  2. Configure the Event Connector:
    • Enter the Collector ID and Password.
    • Select Validate and Save.

FortiAnalyzer Connector Requirements

  1. Static IP Address:
    • Ensure the machine has a static IP address allocation.
  2. Install Docker Engine:
    • Install Docker from Get Docker.
    • Start the Docker service using the following command:
      systemctl start docker
      
  3. Collect System IP Address:
    • Note the IP address of the system.
  4. Open Firewall Ports:
    • For Linux and macOS:
      # Opening the port in the Linux system firewall (firewalld)
      firewall-cmd --permanent --add-port=514/udp
      firewall-cmd --reload
      
    • For Windows:
      • Open the PowerShell command prompt and execute:
      # Opening port in Windows system firewall
      New-NetFirewallRule -DisplayName "Allow UDP Port 514" -Direction Inbound -Protocol UDP -LocalPort 514 -Action Allow
      New-NetFirewallRule -DisplayName "Allow UDP Port 514" -Direction Outbound -Protocol UDP -LocalPort 514 -Action Allow
      
  5. Download Docker Image:
    • Download the Docker image tar file from the given URL:
      https://hawkkhunt.seqrite.com/edr/v1/edr/ga/qa/edr/v10/event_collector/download?collectorId=<As created above>&password=<As created above>
      
  6. Load Docker Image:
    • Load the Docker image using:
      docker load --input <path to hhcollector-1.0.0.tar file>
      
  7. Start the Agent:
    • Start the agent using the command:
      docker run -p 514:514/udp --env COLLECTOR_ID=<created collector id> hhcollector
      

FortiAnalyzer Configuration Requirements

  1. Event Collector Setup:
    • Ensure the event collector is up and running.
  2. Configure FortiGate Firewall:
    • Go to the FortiGate firewall interface.
    • Navigate to Logs & Report > Log Settings.
    • Under Global Settings, enable:
      • Address
      • Event Logging
      • Local Traffic Logging
      • Syslog Logging
    • Enter the IP address of the FortiAnalyzer.
    • Click Apply.
      FortiAnalyzer Step 1
  3. Add Device to FortiAnalyzer:
    • Go to the FortiAnalyzer interface.
    • Navigate to Device Manager.
    • Click Add Device.
    • Enter the Name and Serial Number (FortiGate Firewall Serial Number).
    • Click Next, then Finish.
      FortiAnalyzer Step2
  4. Configure Log Forwarding:
    • Go to System Services.
    • Navigate to Advanced and choose Log Forwarding Settings.
    • Under Syslog Server, select Add.
    • Set the event collector machine IP and UDP port 514 as the target for syslog log forwarding.
      FortiAnalyzer Step 3
      FortiAnalyzer Step 4
      FortiAnalyzer Step 5
  5. Save and Apply Settings:
    • Ensure all configurations are saved and applied.
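
Before or after completing the steps above, it helps to confirm that FortiAnalyzer's syslog forwarding actually reaches the collector host on UDP port 514 and that the forwarded logs carry the serial number registered in Device Manager. The listener below is an added example for that check; it is not part of this page, the hhcollector image, or any Fortinet product. It binds UDP 514 (root or CAP_NET_BIND_SERVICE is required, and the hhcollector container must be stopped while it runs, since both bind the same port), parses the FortiOS key=value log format behind the syslog `<PRI>` prefix, and compares the `devid` field with the expected serial. The sample datagram, the device name and the serial value are constructed placeholders.

```python
"""Minimal UDP syslog listener to verify that FortiAnalyzer log forwarding
reaches the collector host on udp/514. Added example; not part of the product
documentation or of the hhcollector image."""
import re
import socket
import sys

# FortiOS logs are key=value pairs; values may be double-quoted and contain spaces.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# RFC 3164/5424 priority prefix, e.g. <189>
_PRI_RE = re.compile(rb'^<(\d{1,3})>')


def parse_syslog_line(raw: bytes) -> dict:
    """Parse one syslog datagram into a dict of fields.

    The <PRI> prefix is split into facility and severity; the remainder is
    scanned for FortiOS key=value pairs. Any text before the first pair (a
    timestamp or hostname header added by the forwarder) is kept as 'header'.
    """
    record = {}
    m = _PRI_RE.match(raw)
    if m:
        pri = int(m.group(1))
        record["facility"] = pri // 8
        record["severity"] = pri % 8
        body = raw[m.end():]
    else:
        body = raw
    text = body.decode("utf-8", errors="replace")
    first = _KV_RE.search(text)
    if first is None:
        record["header"] = text.strip()
        return record
    record["header"] = text[: first.start()].strip()
    for key, value in _KV_RE.findall(text):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        record[key] = value
    return record


def devid_matches(record: dict, expected_serial: str) -> bool:
    """True if the log's devid equals the FortiGate serial registered in Device Manager."""
    return record.get("devid") == expected_serial


def listen(port: int = 514, count: int = 5, timeout: float = 60.0) -> list:
    """Receive up to `count` datagrams on udp/`port` and return the parsed records.

    Binding 514 needs root (or CAP_NET_BIND_SERVICE). Stop the hhcollector
    container first; it binds the same port.
    """
    records = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        sock.settimeout(timeout)
        while len(records) < count:
            try:
                data, (src, _) = sock.recvfrom(65535)
            except socket.timeout:
                print(f"no syslog received on udp/{port} within {timeout}s", file=sys.stderr)
                break
            rec = parse_syslog_line(data)
            rec["source_ip"] = src
            records.append(rec)
            print(f"{src}: devid={rec.get('devid')} type={rec.get('type')} "
                  f"logid={rec.get('logid')}")
    return records


# Constructed sample datagram in FortiOS format; the serial is a placeholder,
# not a real device. PRI 189 = facility 23 (local7), severity 5 (notice).
SAMPLE = (b'<189>date=2024-05-01 time=10:15:32 devname="FGT-EXAMPLE" '
          b'devid="FGT_SERIAL_PLACEHOLDER" logid="0000000013" type="traffic" '
          b'subtype="forward" level="notice" srcip=10.0.0.5 dstip=203.0.113.10 '
          b'action="deny" msg="constructed sample, not a real log"')


if __name__ == "__main__":
    # Usage: sudo python3 check_syslog.py <FortiGate serial from Device Manager>
    expected = sys.argv[1] if len(sys.argv) > 1 else "FGT_SERIAL_PLACEHOLDER"
    for r in listen():
        print("serial matches Device Manager entry:", devid_matches(r, expected))
```

If nothing arrives within the timeout, check in this order: the firewall rule from the requirements section (UDP 514 inbound), the target IP and port entered under Log Forwarding Settings, and whether the FortiGate is actually sending logs to FortiAnalyzer. A record whose `devid` does not match the serial entered in Device Manager usually means a different device, or a typo in the serial, was registered.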