Fortinet FortiGate Next Generation Firewall

Infinity XDR (Extended Detection & Response)/XPR (Extended Prevention & Response) analyzes the syslogs from FortiGate Next Generation Firewall for malicious activity and enforces the preventive or corrective action through the firewall.
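Because the integration below configures the firewall to send its logs in CEF (set format cef), it helps to know what the XDR/XPR side actually has to parse. The following is an added example, not code from the page or from Check Point or Fortinet: a small CEF parser that splits the seven pipe-delimited header fields (honouring the \| and \\ escapes), breaks the extension block into key=value pairs (honouring \= inside values), and then flags the events a firewall already acted on or rated at high severity. The sample lines are constructed to look like FortiGate CEF output; the signature ids, device id and addresses in them are placeholders.

```python
import re

# Constructed sample lines in the CEF layout FortiGate emits when
# "set format cef" is configured (signature ids, device id and addresses
# are placeholders, not values taken from a real device).
SAMPLE_LINES = [
    '<189>Jan 10 10:00:00 fgt-edge CEF:0|Fortinet|Fortigate|v7.0.12|13056|'
    'utm:webfilter ftgd_blk blocked|4|deviceExternalId=FGT-PLACEHOLDER '
    'cat=utm:webfilter act=blocked src=10.1.2.3 dst=203.0.113.10 '
    'request=http://example.test/a\\=b msg=URL belongs to a denied category',
    '<189>Jan 10 10:00:05 fgt-edge CEF:0|Fortinet|Fortigate|v7.0.12|16384|'
    'utm:ips signature|8|cat=utm:ips act=dropped src=198.51.100.7 '
    'dst=10.1.2.9 msg=Exploit attempt detected',
    'Jan 10 10:00:06 fgt-edge not a CEF line at all',
]

# A value in the extension block ends where the next " key=" begins. Keys
# never contain whitespace, '=' or a backslash, so an escaped "\=" inside
# a value does not terminate it.
_EXT_RE = re.compile(r'(?P<key>[^\s=\\]+)=(?P<val>.*?)(?=\s[^\s=\\]+=|\Z)', re.S)


def _unescape(value):
    """Resolve CEF extension escapes: \= \\ \n \r."""
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 'r': '\r'}.get(m.group(1), m.group(1)), value)


def _split_header(body):
    """Split the seven pipe-delimited CEF header fields, honouring "\|" and
    "\\" escapes. Returns (fields, remaining_extension_text)."""
    fields, buf, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        c = body[i]
        if c == '\\' and i + 1 < len(body):   # escaped "|" or "\" inside a field
            buf.append(body[i + 1])
            i += 2
            continue
        if c == '|':
            fields.append(''.join(buf))
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    if len(fields) < 7:
        raise ValueError('CEF header needs 7 pipe-delimited fields')
    return fields, body[i:]


def parse_cef(line):
    """Parse one syslog line carrying a CEF record into a dict, or return
    None if the line has no CEF payload (syslog prefix before "CEF:" is skipped)."""
    start = line.find('CEF:')
    if start < 0:
        return None
    fields, ext = _split_header(line[start:])
    extension = {m.group('key'): _unescape(m.group('val').strip())
                 for m in _EXT_RE.finditer(ext)}
    sev = fields[6].strip()
    return {
        'cef_version': fields[0][len('CEF:'):],
        'vendor': fields[1], 'product': fields[2], 'device_version': fields[3],
        'signature_id': fields[4], 'name': fields[5],
        'severity': int(sev) if sev.isdigit() else sev,   # CEF allows 0-10 or a word
        'extension': extension,
    }


def triage(lines, min_severity=7):
    """Parse a batch of lines, dropping non-CEF noise, and return
    (all_events, flagged_events): flagged means the firewall already
    blocked/dropped the traffic or rated the event at/above min_severity."""
    events = [e for e in (parse_cef(l) for l in lines) if e]
    flagged = [e for e in events
               if e['extension'].get('act') in ('blocked', 'dropped', 'deny')
               or (isinstance(e['severity'], int) and e['severity'] >= min_severity)]
    return events, flagged


if __name__ == '__main__':
    events, flagged = triage(SAMPLE_LINES)
    for e in flagged:
        print(e['severity'], e['name'], e['extension'].get('src'), '->', e['extension'].get('dst'))
```

Running the block prints the two flagged events; the non-CEF line is ignored rather than raising. Splitting the header by hand instead of with str.split('|') matters because FortiGate event names can legitimately contain an escaped pipe, and a naive split would shift every later field.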

  1. Log in to the Infinity XDR/XPR Administrator Portal:

    1. Go to Settings > Integrations.

    2. In the Fortigate widget, click Integrate.

    3. Click Download all to download the zip file that includes these certificates:

      • checkpoint-syslogs-cert.pem

      • checkpoint-syslogs-key.pem

      • checkpoint-syslogs-ca.pem

    4. Click Close.

      The Fortigate widget status changes to Active.

  2. Log in to the FortiGate Next Generation Firewall Administrator Portal:

    1. Go to System > Certificates.

    2. From the Import list, select Local Certificate:

      1. In the Type field, select Certificate.

      2. In the Certificate file field, click and upload the checkpoint-syslogs-cert.pem file.

      3. In the Key file field, click and upload the checkpoint-syslogs-key.pem file.

      4. In the Certificate Name field, type CheckpointSyslogs.

      5. Click OK.

    3. From the Import list, select CA Certificate:

      1. In the Type field, select File.

      2. In the Upload field, click and upload the checkpoint-syslogs-ca.pem file.

      3. Click OK.

    4. Click the icon in the top right corner to open the CLI terminal and run:

      config log syslogd setting
      set status enable
      set format cef
      set server <Production server IP address of the region. For EU, it is 20.76.50.141. For US, it is 20.22.126.247>
      set mode reliable
      set enc-algorithm high
      set certificate CheckpointSyslogs
      set port 6514
      end

      Note - If you have used syslogd with another integration, use syslogd2, syslogd3, or syslogd4.

      Note - Make sure the certificate name matches the name entered in the Certificate Name field. See step 2.b.iv in Integrating the Fortinet FortiGate Next Generation Firewall.

    5. Go to Log & Report > Log Settings in the left pane and make sure the Send logs to syslog toggle button is turned on.

  3. To check if the integration is successful, in the Infinity XDR/XPR Administrator Portal, click Overview.

    If Fortigate is listed as connected in the Connectivity widget, then the integration is successful. It takes up to one hour to complete the integration.
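The settings configured in step 2.d are exactly the ones that tend to drift later (someone switches mode back to udp or the port to 514 while troubleshooting, and logs then leave the firewall in clear text). The following is an added example, not code from the page or from Check Point or Fortinet: it parses the text that the FortiGate CLI command "show log syslogd setting" prints and checks it against the values the procedure above requires. The layout of that output (one "set key value" per line, strings in double quotes, defaults omitted) is an assumption about the CLI, and both sample dumps are constructed.

```python
import re

# Values the integration steps above require in "config log syslogd setting".
# The two server addresses are the regional production IPs listed on the page.
EXPECTED = {
    'status': 'enable',
    'format': 'cef',
    'mode': 'reliable',
    'enc-algorithm': 'high',
    'port': '6514',
}
REGION_SERVERS = {'EU': '20.76.50.141', 'US': '20.22.126.247'}

# Constructed sample of what "show log syslogd setting" prints on FortiGate
# (assumed layout: one "set key value" per line, strings in double quotes,
# values still at their default are not printed at all).
GOOD_OUTPUT = """config log syslogd setting
    set status enable
    set server "20.76.50.141"
    set mode reliable
    set port 6514
    set format cef
    set enc-algorithm high
    set certificate "CheckpointSyslogs"
end
"""

# Constructed: the same device after a troubleshooting session dropped TLS.
# "mode" and "enc-algorithm" are back at their defaults (so absent) and the
# port is 514, i.e. syslog now leaves the firewall unencrypted.
DRIFTED_OUTPUT = """config log syslogd setting
    set status enable
    set server "20.76.50.141"
    set port 514
    set format cef
    set certificate "CheckpointSyslogs"
end
"""

_SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*?)\s*$')
_HEADER_RE = re.compile(r'^\s*config\s+log\s+(syslogd\d?)\s+setting\s*$')


def parse_show_output(text):
    """Return (block_name, {key: value}) from a FortiGate "show" block.
    block_name is e.g. 'syslogd' or 'syslogd2'; quotes around values are removed."""
    block, settings = None, {}
    for line in text.splitlines():
        h = _HEADER_RE.match(line)
        if h:
            block = h.group(1)
            continue
        m = _SET_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip('"')
    return block, settings


def audit_syslogd(text, certificate='CheckpointSyslogs', expected_block='syslogd'):
    """Compare a "show log syslogd setting" dump against the integration's
    required values. Returns a list of findings; an empty list means the
    block matches. Pass expected_block='syslogd2' etc. when another
    syslogd slot was used, and the renewed certificate name after a renewal."""
    block, got = parse_show_output(text)
    findings = []
    if block != expected_block:
        findings.append(f'expected "config log {expected_block} setting", got {block!r}')
    for key, want in EXPECTED.items():
        have = got.get(key)
        if have is None:
            findings.append(f'{key}: not set (FortiGate default in effect), want {want}')
        elif have != want:
            findings.append(f'{key}: is {have}, want {want}')
    server = got.get('server')
    if server not in REGION_SERVERS.values():
        findings.append(f'server: {server!r} is not a listed regional production address')
    if got.get('certificate') != certificate:
        findings.append(f'certificate: {got.get("certificate")!r} does not match the uploaded name {certificate!r}')
    return findings


if __name__ == '__main__':
    for label, dump in (('good', GOOD_OUTPUT), ('drifted', DRIFTED_OUTPUT)):
        print(label, audit_syslogd(dump) or ['OK'])
```

Treating an absent key as a finding is the important detail: because the CLI only prints non-default values, a missing "set mode reliable" line means the default transport is in effect, not that the setting is unknown.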

Renewing the Certificate

The certificate expiration notification appears 60 days prior to its expiry. It is recommended that you renew the certificate before it expires.

To renew the certificates:

  1. Log in to the Infinity XDR/XPR Administrator Portal:

    1. Go to Settings > Integrations.

    2. In the Fortigate widget, click Integrate.

    3. Click and Download all to download the zip file that includes these certificates:

      • checkpoint-syslogs-cert.pem

      • checkpoint-syslogs-key.pem

      • checkpoint-syslogs-ca.pem

      The Fortigate widget status changes to Active.

  2. Log in to the FortiGate Next Generation Firewall web portal:

    1. Go to System > Certificates.

    2. From the Import list, select Local Certificate:

      1. In the Type field, select Certificate.

      2. In the Certificate file field, click and upload the checkpoint-syslogs-cert.pem file.

      3. In the Key file field, click and upload the checkpoint-syslogs-key.pem file.

      4. In the Certificate Name field, type CheckpointSyslogsV2.

      5. Click OK.

    3. From the Import list, select CA Certificate:

      1. In the Type field, select File.

      2. In the Upload field, upload checkpoint-syslogs-ca.pem file.

      3. Click OK.

    4. Click the icon in the top right corner to open the CLI terminal and run:

      config log syslogd setting

      set certificate CheckpointSyslogsV2

      end

      Note - Make sure the certificate name matches the name entered in the Certificate Name field. See step 2.b.iv in Renewing the Certificate.

Disabling the Integration

You can disable the integration to stop Infinity XDR/XPR from reading the FortiGate Next Generation Firewall's syslogs.

  1. Log in to the FortiGate Next Generation Firewall web portal and do one of these:

    • Click the icon in the top right corner to open the CLI terminal and run:

      config log syslogd setting

      set status disable

      end

    • Go to Log & Report > Log Settings and turn off the Send logs to syslog toggle button.

  2. To re-enable the integration:

    1. Log in to the FortiGate Next Generation Firewall web portal.

    2. Click the icon in the top right corner to open the CLI terminal and run:

      config log syslogd setting

      set status enable

      set certificate CheckpointSyslogs

      end

    Note - Make sure you use the latest certificate name.

Regenerating the Certificate

If you revoke a certificate, you must regenerate and upload the certificate to the FortiGate Next Generation Firewall web portal within two days.

  1. Log in to the Infinity XDR/XPR Administrator Portal:

    1. Go to Settings > Integrations.

    2. In the Fortigate widget, click .

    3. Click Regenerate Certificate.

      The Regenerate Fortigate Integration window appears.

    4. Perform steps 1.c through the end of Integrating the Fortinet FortiGate Next Generation Firewall syslogs with Infinity XDR/XPR.

Deleting the Integration

  1. Log in to the Infinity XDR/XPR Administrator Portal:

  2. Go to Settings > Integrations.

  3. In the Fortigate widget, click .

  4. Click Delete.

    The Delete Integration window appears.

  5. Click Yes.

Configuring IoCs

You can use the Public Blend URL in the Infinity IoC to enforce IoCs on the FortiGate Next Generation Firewall.

To configure IoCs:

  1. Log in to the Infinity XDR/XPR Administrator Portal:

    1. Go to Settings > Integrations.

    2. In the Fortigate widget, click and select Configure IoC.

      The Configure IoC window appears. It lists three indicator links generated automatically using the All Indicators link from the Public Blend URL in the Infinity IoC.

    3. Click to copy the indicator link.

    4. Click Close.

  2. Log in to the FortiGate Next Generation Firewall Admin Portal:

    1. Go to Security Fabric > External Connectors.

    2. Click Create New.

    3. Scroll down and in the Threat Feeds section, select FortiGuard Category.

      The Connector Settings window appears.

    4. Do these:

      1. Name - Name of the threat feed.

      2. URI of external resources - URL indicators link copied in step 1.i.

      3. Turn off the HTTP basic authentication toggle button.

      4. Turn on the Status toggle button.

      5. Click OK.

    5. Repeat steps 2.b through 2.d with these details:

      FortiGate Threat Feed    Configure IoC link (from step 1.i)
      IP Address               IP indicators link
      Malware Hash             File indicators link

      The Threat Feeds widget appears on the External Connectors page.
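Once the three connectors exist, the firewall enforces whatever the indicator links serve, so it is worth checking a feed body before pointing a connector at it. The following is an added example, not code from the page or from Check Point or Fortinet: it validates the content of an IP Address feed and a Malware Hash feed. The assumed layouts (one IP address or CIDR per line; one MD5, SHA-1 or SHA-256 hex digest per line with an optional description; '#' comment lines) are assumptions about FortiGate's external threat feed format and are not stated on the page; the sample feed bodies are constructed and deliberately include entries that should be rejected.

```python
import ipaddress
import re

# Assumed feed layouts (an assumption about FortiGate threat feeds, not from
# the page): "IP Address" feed = one IPv4/IPv6 address or CIDR per line;
# "Malware Hash" feed = one MD5/SHA-1/SHA-256 hex digest per line, optional
# description after whitespace; lines starting with '#' are comments.
_HASH_RE = re.compile(r'^[0-9a-fA-F]+$')
_HASH_LENGTHS = {32: 'md5', 40: 'sha1', 64: 'sha256'}

# Constructed sample feed bodies, each with a few entries that must be rejected.
IP_FEED = """# constructed IP indicators
203.0.113.7
198.51.100.0/24
2001:db8::/32
999.1.1.1
203.0.113.9/33
"""
HASH_FEED = """# constructed file indicators
d41d8cd98f00b204e9800998ecf8427e  empty file, md5
da39a3ee5e6b4b0d3255bfef95601890afd80709 empty file, sha1
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 empty file, sha256
not-a-hash
abc123
"""


def _entries(text):
    """Yield (line_number, stripped_line) for every non-blank, non-comment line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith('#'):
            yield n, line


def validate_ip_feed(text):
    """Return (accepted, rejected) for an IP Address feed body.
    accepted: ipaddress network objects (bare hosts become /32 or /128);
    rejected: (line_no, text, reason) tuples."""
    accepted, rejected = [], []
    for n, line in _entries(text):
        try:
            accepted.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            rejected.append((n, line, str(exc)))
    return accepted, rejected


def validate_hash_feed(text):
    """Return (accepted, rejected) for a Malware Hash feed body.
    accepted: (algorithm, lowercase digest, description) tuples;
    rejected: (line_no, text, reason) tuples."""
    accepted, rejected = [], []
    for n, line in _entries(text):
        digest, _, desc = line.partition(' ')
        algo = _HASH_LENGTHS.get(len(digest))
        if algo and _HASH_RE.match(digest):
            accepted.append((algo, digest.lower(), desc.strip()))
        else:
            rejected.append((n, line, 'not a 32/40/64-character hex digest'))
    return accepted, rejected


if __name__ == '__main__':
    for name, fn, body in (('IP', validate_ip_feed, IP_FEED), ('hash', validate_hash_feed, HASH_FEED)):
        ok, bad = fn(body)
        print(f'{name} feed: {len(ok)} accepted, {len(bad)} rejected')
        for line_no, text, reason in bad:
            print(f'  line {line_no}: {text!r}: {reason}')
```

Reporting the line number of each rejected entry is what makes the check actionable: a feed that the firewall cannot fully load is a silent gap in enforcement, and the offending line is usually a typo in a CIDR mask or a truncated digest.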