
Fortinet FortiGate

NOTE: Be sure to make a backup of your current FortiGate configuration before performing any changes. From the GUI: System > Configuration > Backup. From the CLI: execute backup config flash <revision-comment>.

Configure Logging Using the CLI

```text
config log syslogd setting
    set status enable
    set server "<INGESTER_IP>"
    set port <SolCyber will provide you with the specific port to use>
    set mode udp
    set facility local7
    set format cef
    set enc-algorithm disable
end

config log syslogd filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set voip enable
    set filter-type include
end

config log eventfilter
    set event enable
    set system enable
    set vpn enable
    set user enable
    set router enable
    set wireless-activity enable
    set endpoint enable
    set ha enable
    set compliance-check enable
    set security-rating enable
end
```

To log allowed traffic on an existing firewall policy from the CLI:

```text
config firewall policy
    edit <policy-id>
        set logtraffic all
    next
end
```

Repeat for each policy ID you want logged. Use show firewall policy to list policy IDs.

NOTE: FortiGate supports up to four syslog server profiles: syslogd, syslogd2, syslogd3, and syslogd4. The syntax is identical; substitute the profile name in the config log syslogd<N> setting and config log syslogd<N> filter blocks if SolCyber has asked you to send to multiple destinations.

Verify the Configuration on the FortiGate

From the FortiGate CLI, confirm the settings were applied:

```text
show log syslogd setting
show log syslogd filter
diagnose log test
```

diagnose log test emits a batch of synthetic events across all categories — useful for end-to-end verification without waiting for live traffic.
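The FortiGate side only shows that the settings were saved; the complementary check is on the ingester, confirming that CEF events for every enabled category actually arrive. The following is an added example, not code from this page, Fortinet or SolCyber: a small Python checker that parses the CEF lines the FortiGate sends and reports which enabled categories produced nothing after diagnose log test. The sample lines (device id, version, log ids, addresses) are constructed placeholders, and the set of expected cat= values is assumed from the filter blocks above.

```python
import re

# Constructed sample of CEF lines as the ingester would see them after `diagnose log test`
# (device id, log ids, version and addresses are made-up placeholders, not real values).
SAMPLE_LINES = [
    "CEF:0|Fortinet|Fortigate|vX.Y.Z|SAMPLE-1|traffic:forward accept|3|deviceExternalId=FG-PLACEHOLDER cat=traffic:forward src=10.0.0.5 dst=203.0.113.9",
    "CEF:0|Fortinet|Fortigate|vX.Y.Z|SAMPLE-2|event:system admin login|3|deviceExternalId=FG-PLACEHOLDER cat=event:system suser=admin",
    "CEF:0|Fortinet|Fortigate|vX.Y.Z|SAMPLE-3|event:vpn tunnel up|3|deviceExternalId=FG-PLACEHOLDER cat=event:vpn",
    "CEF:0|Fortinet|Fortigate|vX.Y.Z|SAMPLE-4|utm:ips rule a\\|b|5|deviceExternalId=FG-PLACEHOLDER cat=utm:ips msg=key\\=value hit",
]
# Categories the filter blocks above enable, in the cat=type:subtype form FortiGate CEF uses (assumed).
EXPECTED_CATEGORIES = {"traffic:forward", "traffic:local", "event:system", "event:vpn", "event:user", "event:router"}

_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")      # start of an extension key=value pair
_UNESCAPE = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}  # CEF extension escapes

def _split_header(line):
    # Walk the line splitting on unescaped '|' until the 7 header fields are collected;
    # '\|' and '\\' inside a field are escapes, not separators.
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) < 7 or fields[0] != "CEF:0":
        raise ValueError("not a CEF:0 line")
    return fields, line[i:]

def _parse_extension(ext):
    # Values may contain spaces, so each value runs until the next 'key=' token.
    hits, out = list(_KEY.finditer(ext)), {}
    for n, m in enumerate(hits):
        end = hits[n + 1].start() if n + 1 < len(hits) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = re.sub(r"\\(.)", lambda e: _UNESCAPE.get(e.group(1), e.group(0)), raw)
    return out

def parse_cef(line):
    hdr, ext = _split_header(line)
    return {"vendor": hdr[1], "product": hdr[2], "version": hdr[3], "signature_id": hdr[4],
            "name": hdr[5], "severity": int(hdr[6]), "ext": _parse_extension(ext)}

def missing_categories(lines, expected=EXPECTED_CATEGORIES):
    # Enabled categories that produced no event at all: a gap here after
    # `diagnose log test` points at a filter setting that did not take effect.
    seen = {parse_cef(line)["ext"].get("cat") for line in lines}
    return sorted(expected - seen)
```

Feed it the lines captured on the ingester port; an empty result means every enabled category was seen.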