



Fortinet FortiGate App for Splunk

The Fortinet FortiGate App for Splunk provides datacenter threat visualizations to identify anomalous behavior and helps de-duplicate threat feed data, enabling fast creation and consolidation of analytics. The Fortinet FortiGate App for Splunk maps log fields from FortiGate appliances into a common format for the Splunk intelligence framework.
The Fortinet FortiGate App for Splunk covers current and historical logs, administrative events, basic firewall, unified threat management, anti-virus, IPS and application control, with Fortinet VDOM enabled. The integrated dashboard enables layered defense with network security and better application threat detection and management, driven by the rich data logs from Fortinet physical and virtual appliances.

The Fortinet FortiGate App for Splunk supports logs from FortiOS 5.0/5.2/5.4. FortiOS 5.6 is supported beginning from Fortinet FortiGate Add-on for Splunk 1.5 version.

Fortinet FortiGate App for Splunk

Next Generation and Datacenter Firewalls

Overview

The Fortinet FortiGate App for Splunk provides real-time and historical dashboards and analytical reports on traffic, threats, wireless APs, systems, authentications and VPNs for all products across the FortiGate physical and virtual appliances. The integrated solution pinpoints threats and attacks quickly, reducing response times and shortening the period spent in an unknown troubleshooting state.

Built on the massive set of logs and big data aggregation available through Splunk, the Fortinet FortiGate App for Splunk is certified with pre-defined threat monitoring and performance indicators that make network security practices in the datacenter much easier to follow. As the de facto trending dashboard for many enterprises and service providers, it also lets IT administrators modify the regular expression queries to fit advanced security reporting and compliance mandates.

This document describes how to set up Fortinet FortiGate App for Splunk as well as configuration on the appliances to enable log shipping to Splunk.

Dependencies

The Fortinet FortiGate App depends on the Add-on in order to work properly, so please make sure Fortinet FortiGate Add-on for Splunk has been installed before you proceed.

Also, please check that the FortiGate is running FortiOS (FOS) version 5.0 or later.

Configuration Steps

1. Install Fortinet FortiGate Add-on for Splunk on search head, indexer, forwarder or single instance Splunk server:

Note: There is a 3rd party add-on for Fortinet named "Fortinet Fortigate with FortiOS 5 Add-On", with folder name TA-fortinet, which conflicts with Fortinet FortiGate Add-on for Splunk, so you need to disable the 3rd party add-on before you proceed.

There are three ways to install the add-on:

  1. Install from Splunk web UI: Manage Apps > Browse more apps > Search keyword "Fortinet" and find the add-on with the Fortinet logo > Click "Install free" button > Click Restart Splunk service.
  2. Install from file on Splunk web UI: Manage Apps > Install from file > Upload the .tgz file downloaded from https://splunkbase.splunk.com/apps > Check the upgrade box > Click Restart Splunk service.
  3. Install from file on Splunk server CLI interface: Extract the .tgz file > Place the TA-fortinet folder under $SPLUNK_HOME/etc/apps > Restart Splunk service.

2. Install Fortinet FortiGate App for Splunk on search head, indexer, forwarder or single instance Splunk server:

There are three ways to install the app:

  1. Install from Splunk web UI: Manage Apps > Browse more apps > Search keyword "Fortinet" > Click "Install free" button > Click Restart Splunk service.
  2. Install from file on Splunk web UI: Manage Apps > Install from file > Upload the .tgz file downloaded from https://splunkbase.splunk.com/app > Click Restart Splunk service.
  3. Install from file on Splunk server CLI interface: Extract the .tgz file > Place the SplunkAppForFortinet folder under $SPLUNK_HOME/etc/apps > Restart Splunk service.

3. Add data input on Splunk server:

Note: From version 1.2, the Splunk TA (Add-on) for FortiGate no longer matches a wildcard source or sourcetype to extract FortiGate log data; instead, a default sourcetype fgt_log is specified in default/props.conf. Please follow the instructions below to configure your input and props.conf for the App and TA (Add-on).

Through Splunk Web UI:
Option 1: Adding a UDP input
Settings->Data Input->UDP
Port: 514 (example; can be modified according to your own plan)
Sourcetype: fgt_log (example; can be modified according to your own plan, but it must match the sourcetype stanza in props.conf)

Option 2: Adding a file input
Settings->Data Input->Files & Directories
Browse: Select the file directory
Select sourcetype: if fgt_log is not created yet, click Save As -> Name:fgt_log
Leave others unchanged and save.

Note: the UDP port (514 in this example) must be opened on the firewall for logs to pass through.

By default, Fortinet FortiGate Add-On for Splunk automatically extracts FortiGate log data from inputs with sourcetype 'fgt_log'.
If you want it to extract a self-defined sourcetype instead, copy
$SPLUNK_HOME/etc/apps/Splunk_TA_fortinet_fortigate/default/props.conf to
$SPLUNK_HOME/etc/apps/Splunk_TA_fortinet_fortigate/local/props.conf and change the sourcetype stanza,
replacing [fgt_log] with [fortigate], for instance.

Note: Please use Notepad++ to edit the configuration files if you are working on a Windows operating system. Windows' default Notepad cannot display or save the configuration files in the proper format.

If a customized index is used for the input, it also needs to be added to the admin role's default list of indexes authorized for search.
In $SPLUNK_HOME/etc/system/local/authorize.conf

[role_admin]
srchIndexesDefault = fgt;main
srchMaxTime = 8640000

In this example, fgt is the index used for the FortiGate log input.

Restart Splunk service for the change to take effect.

4. Configure FortiGate to send logs to Splunk server:

Use 'config log syslogd2 setting' or 'config log syslogd3 setting' instead if syslogd is already occupied. The port must be the same as in the data input on the Splunk server (514 in this example), and x.x.x.x is the Splunk server's IP address.

config log syslogd setting
    set status enable
    set server "x.x.x.x"
    set port 514
end

5. Verify that logs are received on Splunk server:


At this point, you will see data parsed and presented on the Fortinet Network Security dashboard.

Fortinet FortiGate App for Splunk delivers data visibility across Fortinet's next-generation firewalls and the analysis needed for advanced security reporting, without an error-prone manual process.


Troubleshooting

  • Check that the FortiGate is running FortiOS (FOS) 5.0 or later.
  • Go back to Configuration Steps to double check that every step has been followed.
  • Make sure the syslog port (514 in this case) is opened on every firewall along the log's data path.
  • Double-check Splunk server and FortiGate devices are synchronized in time.
  • Make sure traffic logging is enabled in the policies on the FortiGate, for example:
config firewall policy
    edit 1
        set logtraffic all
    next
end
  • If you see graphs on the first page (Fortinet Network Security) but none on the rest of the dashboards, try extending the time range. If graphs appear after increasing the time range, the probable cause is that the data model is not completely accelerated yet. You can verify this under Settings > Data Model > Fortinet FoS Log > Expand. If the percentage is low, the Splunk server is limited on resources, and it may take some time for the data model acceleration to catch up.
  • Sometimes the logs received by syslogd are transformed in transit and no longer match the regexes in the app, so no data is shown on the dashboards. Here are the regexes from transforms.conf of the FortiGate add-on Splunk_TA_fortinet_fortigate:
devid=\"?F[G|W|6K].+type=\"?traffic
devid=\"?F[G|W|6K].+type=\"?utm
devid=\"?F[G|W|6K].+type=\"?event

Make sure the logs match those regexes. If not, you can also make slight changes to the regexes to fit the logs.
Please note that in FOS 5.6 the type field value is enclosed in "", so in order for the FortiGate logs to be recognized, please upgrade Fortinet FortiGate Add-on for Splunk to version 1.5.
The App only supports logs from FOS 5.0 and higher versions. Older versions have a different log format, so you will probably encounter problems.
If you still cannot get the dashboards to show anything, try searching for "host=x.x.x.x", where x.x.x.x is the IP or the hostname of the machine reporting the logs. If there are results with sourcetype=fgt_traffic, fgt_event or fgt_utm, you just need a little patience; if not, please take a screenshot and send it to the email below.
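To check offline whether a given log line would be routed by the three transforms.conf regexes above, here is an added example (not part of the app or the add-on) that applies each regex to constructed FortiGate-style lines, including the FOS 5.6 quoted-value form, and reports the sourcetype it would land in; the sourcetype names fgt_traffic, fgt_utm and fgt_event are taken from the troubleshooting text, and the sample lines are constructed, not real device output.

```python
import re

# The three regexes quoted from the add-on's transforms.conf, paired with the
# sourcetype each one routes to (names from the page's troubleshooting notes).
SOURCETYPE_REGEXES = [
    (r'devid=\"?F[G|W|6K].+type=\"?traffic', "fgt_traffic"),
    (r'devid=\"?F[G|W|6K].+type=\"?utm', "fgt_utm"),
    (r'devid=\"?F[G|W|6K].+type=\"?event', "fgt_event"),
]


def classify(line):
    """Return the sourcetype the transforms would assign to this line, or None.

    Splunk transform REGEX values are unanchored, so re.search is the
    equivalent here; first match wins, as with ordered transforms.
    """
    for pattern, sourcetype in SOURCETYPE_REGEXES:
        if re.search(pattern, line):
            return sourcetype
    return None


def parse_kv(line):
    """Split a FortiGate key=value line into a dict; quoted values are unquoted."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {key: value.strip('"') for key, value in pairs}


# Constructed sample lines (not real device output).
SAMPLES = [
    # FOS 5.4 style: unquoted values.
    'date=2016-10-17 time=12:00:00 devname=FG100D devid=FG100D3G00000000 '
    'logid=0000000013 type=traffic subtype=forward level=notice vd=root '
    'srcip=10.0.0.5 dstip=93.184.216.34 action=accept policyid=1',
    # FOS 5.6 style: quoted values, the case the page says needs add-on 1.5.
    'date=2017-05-01 time=12:00:01 devname="FG100D" devid="FG100D3G00000000" '
    'logid="0419016384" type="utm" subtype="ips" severity="high" '
    'srcip="10.0.0.5" dstip="93.184.216.34" action="dropped"',
    # Event log from a device whose devid starts with FW.
    'date=2016-10-17 time=12:00:02 devname=FW60E devid=FW60ETK00000000 '
    'logid=0100032001 type=event subtype=system level=information '
    'logdesc="Admin login successful" user="admin" status=success',
    # Relayed through another syslog server that dropped the devid field:
    # none of the regexes match, so the line never reaches a dashboard.
    'Oct 17 12:00:03 relay fortigate: type=traffic subtype=forward srcip=10.0.0.5',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample), parse_kv(sample).get("type"))
```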

For more information on App support, email splunk_app@fortinet.com.

Release Notes

Version 1.4
Oct. 17, 2016

v1.4: Oct 2016
- Optimize datamodel to make acceleration faster and size smaller
- Add default earliest time of 1 month for acceleration
- Remove deprecated tags to pass certification precheck

Version 1.3
May 24, 2016

Changes for certification, no bug fixes or feature change.

Version 1.2
April 6, 2016

v1.2: Feb 2016
- Changes for Splunk certification
Note: From version 1.2, the Splunk TA (Add-on) for FortiGate no longer matches a wildcard source or sourcetype to extract FortiGate log data; instead, a default sourcetype fgt_log is specified in default/props.conf. Please follow the instructions in the documentation to configure your input and props.conf for the App and TA (Add-on).

Version 1.1
Aug. 20, 2015

v1.1: Aug 2015
- Change App Name to "Fortinet Fortigate App for Splunk"
- Move data input processing to "Fortinet Fortigate Add-On for Splunk"
- Change datamodel and dashboard search strings to fit the Add-On sourcetypes and fieldnames

Version 1.0
July 24, 2015
