Fortigate Connector and Syslog Connector

Integrate FortiGate with Seqrite XDR using Syslog

This topic describes how to collect FortiGate logs in HawkHunt XDR by using the Event Collector agent and syslog.

The Event Collector agent runs as a Docker container and pushes events in real time to the XDR platform.

Prerequisites

Before you begin, make sure that:

  • You have access to the HawkHunt XDR portal and permission to configure connectors.

  • You have a virtual machine (Linux or Windows) that:

    • Is reachable from the FortiGate firewall.

    • Meets the minimum resource configuration:

      • 1 vCPU (or more)
      • 2 GB RAM (or more for production workloads)
  • Docker Engine is installed and running on the broker machine (Linux/Windows).

  • UDP port 514 is open on:

    • The broker machine OS firewall.
    • Any intermediate network firewalls between FortiGate and the broker machine.
  • You have a FortiGate instance with a valid license or trial license.


Step 1: Configure the Event Collector connector in XDR

  1. Sign in to the HawkHunt XDR portal.

  2. Navigate to the connector configuration page.

  3. Create a new connector for the Event Collector:

    • Specify a Collector ID.
    • Specify a Password.
  4. Record the Collector ID and password. You need them when you download and run the Docker image.

Example

  • Collector ID: testvm1
  • Password: Admin@123

Step 2: Prepare the broker machine and Docker

You can run the Event Collector agent on a Linux or Windows virtual machine.

2.1 Ensure Docker is installed and running

  1. Install Docker Engine from the official Docker documentation:
    https://docs.docker.com/get-docker/

  2. Verify that the Docker service is running (start it first if it is not):

    # Start the Docker service if needed, then confirm it is active
    systemctl start docker
    systemctl status docker

  3. Note the IP address of the broker machine. You will configure FortiGate to send syslog traffic to this IP.


Step 3: Open UDP port 514 on the broker machine

The Event Collector listens on UDP port 514 for syslog traffic.

3.1 Linux firewall (firewalld)

Run the following commands as root or with sudo:

# Open UDP port 514 permanently
firewall-cmd --permanent --add-port=514/udp
# Reload firewall configuration
firewall-cmd --reload

3.2 Windows firewall (PowerShell)

Run PowerShell as Administrator and execute:

# Allow inbound traffic on UDP port 514
New-NetFirewallRule -DisplayName "Allow UDP Port 514 Inbound" -Direction Inbound -Protocol UDP -LocalPort 514 -Action Allow
# Allow outbound traffic on UDP port 514
New-NetFirewallRule -DisplayName "Allow UDP Port 514 Outbound" -Direction Outbound -Protocol UDP -LocalPort 514 -Action Allow

Step 4: Download the Event Collector Docker image

Use the Collector ID and password you created in the XDR portal.

The general download URL format is:

<Endpoint>/qa/edr/v10/event_collector/download?collectorId=<collectorId>&password=<password>

Environment-specific examples:

Replace collectorId and password with your actual values.

Save the downloaded .tar file (for example, hhcollector-1.0.0.tar) on the broker machine.
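The download URL above carries the collector ID and password as query parameters, so both values must be percent-encoded (a password such as Admin@123 or one containing & or # would otherwise be misread by the server). The following Python script is an added example, not code from the Seqrite/HawkHunt documentation or from the Event Collector: it builds the URL with correct encoding and streams the .tar to disk. The path and parameter names come from the URL format on this page; the HH_* environment variable names, the endpoint host and the function names are assumptions.

```python
"""Build the Event Collector download URL (Step 4) and fetch the image.

Added example, not part of the Seqrite/HawkHunt documentation. The
DOWNLOAD_PATH and the query parameter names come from the page; the
endpoint host, environment variable names and function names are assumed.
"""
import os
import urllib.parse
import urllib.request

DOWNLOAD_PATH = "/qa/edr/v10/event_collector/download"


def build_download_url(endpoint: str, collector_id: str, password: str) -> str:
    """Return the download URL with both query values percent-encoded.

    urlencode() escapes characters such as '@', '&' and '#', so the password
    cannot be truncated or split into a second parameter by the server.
    """
    query = urllib.parse.urlencode(
        {"collectorId": collector_id, "password": password}
    )
    return endpoint.rstrip("/") + DOWNLOAD_PATH + "?" + query


def download_image(url: str, dest_path: str, timeout: float = 60.0) -> int:
    """Stream the .tar image to dest_path; returns the number of bytes written."""
    written = 0
    with urllib.request.urlopen(url, timeout=timeout) as resp, open(dest_path, "wb") as out:
        while True:
            chunk = resp.read(1 << 20)  # 1 MiB at a time, no full buffering in memory
            if not chunk:
                break
            out.write(chunk)
            written += len(chunk)
    return written


if __name__ == "__main__":
    # Credentials come from the environment (assumed variable names) rather
    # than the command line, so the password does not land in shell history.
    endpoint = os.environ["HH_ENDPOINT"]            # e.g. https://<Endpoint>
    collector_id = os.environ["HH_COLLECTOR_ID"]    # e.g. testvm1
    password = os.environ["HH_COLLECTOR_PASSWORD"]
    url = build_download_url(endpoint, collector_id, password)
    size = download_image(url, "hhcollector-1.0.0.tar")
    print(f"saved hhcollector-1.0.0.tar ({size} bytes)")
```

Run it on the broker machine with the three environment variables exported; the resulting hhcollector-1.0.0.tar is the file Step 5 loads with docker load.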


Step 5: Load and run the Event Collector Docker image

5.1 Load the Docker image

From the directory where the .tar file is stored, run:

docker load --input <path-to-hhcollector-1.0.0.tar>

Example

docker load --input ./hhcollector-1.0.0.tar

5.2 Start the Event Collector container

Run the container and expose UDP port 514:

docker run -p 514:514/udp --env COLLECTOR_ID=<collectorId> hhcollector

Example

docker run -p 514:514/udp --env COLLECTOR_ID=testqa1 hhcollector

The Event Collector is now ready to receive syslog events on UDP port 514.


Step 6: Obtain a FortiGate license (trial)

If you do not already have a FortiGate license, you can create a trial account.

  1. Go to the Fortinet Support Portal:
    https://support.fortinet.com/cred/#/sign-up

  2. Register with a username that:

    • Has at least 9 characters.
    • Contains alphanumeric characters and a special character.
  3. Complete the sign-up and activate your trial license.

Example account

  • Email: skpert-test1@yopmail.fr
  • Password: Perf@123

Step 7: Deploy and run the FortiGate virtual appliance

To deploy FortiGate on a virtual machine, follow the official Fortinet video:

You can skip the firewall and NTP configuration in the video if you plan to configure NTP later using the commands in this topic.


Step 8: Configure FortiGate to forward logs to the Event Collector

After the Event Collector is running, configure FortiGate to send syslog logs to the broker machine.

  1. Sign in to the FortiGate web interface.

  2. Go to Log & Report > Log Settings (or similar, depending on version).

  3. Under Global log settings, turn on Log Forwarding.

  4. Add a new Syslog Server:

    • Server address: IP address of the broker machine where the Event Collector is running.
    • Port: 514
    • Protocol: UDP
  5. Select the devices or log types you want to forward.

  6. Save the changes.

FortiGate now sends logs to the Event Collector, which then forwards them in real time to HawkHunt XDR.
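Before relying on the FortiGate side, it helps to know what a FortiGate syslog datagram looks like on the wire and to confirm that a UDP 514 listener actually receives one (this covers the "ready to receive" check at the end of Step 5 and the forwarding set up in Step 8). The Python script below is an added example, not code from the documentation or from the Event Collector: it builds a constructed FortiGate-style key=value event with a syslog PRI header, proves the round trip against a stand-in listener on the loopback interface, parses the body back into fields, and then sends the same datagram to the broker. The sample field values, the device identifiers and the function names are constructed assumptions; 10.10.10.50 is the broker address used in this page's end-to-end example.

```python
"""Constructed FortiGate-style syslog event: build, parse, verify, send.

Added example; not part of the Seqrite/HawkHunt documentation or the Event
Collector. The sample field values and device identifiers are constructed,
and BROKER_HOST is the broker address from the page's example.
"""
import re
import socket

# FortiGate bodies are space-separated key=value pairs; values containing
# spaces are double-quoted. Group layout: key, whole value, quoted, bare.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
_PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed sample event (values are strings, as they arrive on the wire).
SAMPLE_EVENT = {
    "date": "2024-01-15", "time": "10:30:00",
    "devname": "fgt-lab", "devid": "FGVM-EXAMPLE",          # constructed ids
    "logid": "0000000013", "type": "traffic", "subtype": "forward",
    "level": "notice", "vd": "root",
    "srcip": "10.10.10.23", "srcport": "51522",
    "dstip": "10.10.10.50", "dstport": "514", "proto": "17",
    "action": "deny", "policyid": "0",
    "msg": "test event from broker preflight",
}


def build_syslog(fields: dict, facility: int = 23, severity: int = 5) -> bytes:
    """Encode fields as a FortiGate-style datagram with a <PRI> header.

    PRI = facility * 8 + severity (RFC 5424). local7 (23) with severity 5
    (notice) gives <189>, the value commonly seen from FortiGate.
    """
    parts = []
    for key, value in fields.items():
        value = str(value)
        parts.append(f'{key}="{value}"' if (" " in value or value == "") else f"{key}={value}")
    return f"<{facility * 8 + severity}>{' '.join(parts)}".encode()


def parse_syslog(data: bytes) -> tuple:
    """Return (facility, severity, fields) for one datagram."""
    text = data.decode(errors="replace")
    m = _PRI_RE.match(text)
    if not m:
        raise ValueError("datagram has no <PRI> header")
    pri = int(m.group(1))
    fields = {}
    for key, whole, quoted, bare in _KV_RE.findall(text[m.end():]):
        fields[key] = quoted if whole.startswith('"') else bare
    return pri // 8, pri % 8, fields


def is_denied_traffic(fields: dict) -> bool:
    """Minimal detection predicate: forwarded traffic that FortiGate blocked."""
    return fields.get("type") == "traffic" and fields.get("action") == "deny"


def send_event(host: str, port: int, datagram: bytes) -> int:
    """Send one UDP datagram; returns the number of bytes handed to the kernel."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(datagram, (host, port))


def loopback_roundtrip(datagram: bytes, timeout: float = 2.0) -> tuple:
    """Receive the datagram on a stand-in listener bound to 127.0.0.1.

    Proves the build/send/parse path on one machine; the real check is that
    the hhcollector container receives the event on UDP 514.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(("127.0.0.1", 0))          # ephemeral port, no clash with 514
        srv.settimeout(timeout)
        port = srv.getsockname()[1]
        send_event("127.0.0.1", port, datagram)
        data, _ = srv.recvfrom(65535)
    return parse_syslog(data)


if __name__ == "__main__":
    BROKER_HOST = "10.10.10.50"  # broker address from the page's example
    datagram = build_syslog(SAMPLE_EVENT)
    facility, severity, fields = loopback_roundtrip(datagram)
    print(f"loopback ok: facility={facility} severity={severity} denied={is_denied_traffic(fields)}")
    print(f"sent {send_event(BROKER_HOST, 514, datagram)} bytes to {BROKER_HOST}:514")
```

Run it from any host that can reach the broker while the hhcollector container is up; the event should then appear in the container's output (docker logs) and, shortly after, in the XDR activity view. Because syslog over UDP gives the sender no acknowledgement, a silent run proves nothing by itself, which is why the script checks the local round trip first and why the final confirmation belongs in XDR. The parse_syslog helper shows the field structure the collector hands to XDR, and is_denied_traffic is the kind of one-line predicate a first detection rule on these logs starts from.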


Optional: FortiGate time synchronization commands

Use the following commands on the FortiGate CLI to configure basic NTP behavior:

config system ntp
    set ntpsync disable
    set type custom
end

Optional: General FortiGate CLI reference commands

These commands can help you verify system status and interface configuration.

System status

get system status

Interface configuration

config system interface
    edit port1
        set mode static
        set role wan
        set alias "WAN"
        set allowaccess https http ssh telnet ping
    next
    edit port2
        set mode static
        set role lan
        set alias "internal"
        set allowaccess https http ssh telnet ping
    next
end

Show interfaces

show system interface
get system interface physical

Example: Complete integration flow

This section walks through a simple end-to-end example.

  1. Create connector in XDR

    • In HawkHunt, create an Event Collector connector with:

      • Collector ID: testqa1
      • Password: Admin@123
  2. Prepare broker machine

  3. Open port 514

    • On Linux VM:

      firewall-cmd --permanent --add-port=514/udp
      firewall-cmd --reload

  4. Download Docker image (QA)

    https://13krs5kik6.execute-api.ap-south-1.amazonaws.com/qa/edr/v10/event_collector/download?collectorId=testqa1&password=Admin@123

    • Save the file as hhcollector-1.0.0.tar in /opt/hh/.
  5. Load and run container

    cd /opt/hh/
    docker load --input ./hhcollector-1.0.0.tar
    docker run -p 514:514/udp --env COLLECTOR_ID=testqa1 hhcollector

  6. Configure FortiGate log forwarding

    • In FortiGate UI:

      • Go to Log & Report > Log Settings.

      • Enable Log Forwarding.

      • Add syslog server:

        • Server: 10.10.10.50
        • Port: 514
        • Protocol: UDP
      • Save.

  7. Verify in XDR

    • In HawkHunt XDR, open the relevant activity/logs view.
    • Confirm that events from the FortiGate device begin to appear.