Connecting Fortinet Firewalls to ContraForce

This is an overview of the steps required to connect Fortinet firewalls to ContraForce.

Log forwarding can be configured in Fortinet/FortiAnalyzer through two different methods. Syslog forwarding can be setup via the Fortinet interface or the command line. 

There are two different methods that can be used to connect a Fortinet firewall to ContraForce. The method to be used depends on the FortiOS version being used by the firewall. Older FortiOS versions (5 and below) require the command line to be used to set up log forwarding to ContraForce. Newer FortiOS versions (6 and above) allow for log forwarding to be setup within the user interface of FortiAnalyzer. Both methods are outlined below.

Using FortiAnalyzer User Interface

Edit Log Forwarding

1. From the home page, navigate to System Settings. 
2. In the left pane, navigate to Log Forwarding.
3. Within the Log Forwarding page, select + Create New. 
4. Under Edit Log Forwarding, fill out the details to setup log forwarding to ContraForce.
   1. Name: ContraForce
   2. Status: Enabled
   3. Remote Server Type: Common Event Format (CEF) 
   4. Server FQDN/IP: <VM Collector IP Address>
   5. Server Port: 514
   6. Reliable Connection: Enabled

1. After the log forwarding details are completed, log forwarding filters and encryption can also be adjusted.
   1. Log Filters: Enabled
   2. Log messages that match: All
   3. Set Encryption Algorithm: High
2. Once completed click "Ok."
3. After completing the setup, let your ContraForce Customer Success representative know and they will confirm that the connection has been made to ContraForce. 

Using the Command Line

1. Navigate to the Fortinet Command Line
   1. config log syslogd setting
      1. set status enable
   2. set format cef
   3. set port 514
   4. set mode reliable 
   5. set server <VM Collector IP Address>
   6. set enc-algorithm high
   7. end