Downloads for Fortinet FortiGate Add-On for Splunk

- fortinet-fortigate-add-on-for-splunk_14.tgz (MD5 checksum: e5023e260f4a8a0925c2ab26883bfaed)
- fortinet-fortigate-add-on-for-splunk_13.tgz (MD5 checksum: ffdf160a1d8ee30ac83f764b048cdfba)
Fortinet FortiGate Add-On for Splunk

Splunk Certified
Fortinet FortiGate Add-On for Splunk is the technical add-on (TA) developed by Fortinet, Inc. It enables Splunk Enterprise to ingest or map security and traffic data collected from FortiGate physical and virtual appliances across domains. The key features include:

• Streamlining authentication and access events from FortiGate, such as administrator logins, user logins and VPN termination authentication, into the Splunk Enterprise Security Access Center

• Mapping FortiGate virus reports into the Splunk Enterprise Security Endpoint Malware Center

• Ingesting traffic logs, IPS logs, system configuration logs, web filtering data, etc.

Fortinet FortiGate Add-On for Splunk provides Common Information Model (CIM) knowledge, advanced saved searches, indexers and macros for use with other Splunk Enterprise apps such as the Splunk App for Enterprise Security.

Dependencies

If the add-on is used with apps that are based on CIM, the Splunk Common Information Model Add-on must also be installed.

Make sure the FortiGate FortiOS (FOS) version is 5.0 or later.

Configuration Steps

Install Fortinet FortiGate Add-on for Splunk on the search head, indexer, forwarder or single-instance Splunk server:

Note: There is a third-party add-on for Fortinet named "Fortinet Fortigate with FortiOS 5 Add-On" (folder name TA-fortinet) which conflicts with Fortinet FortiGate Add-on for Splunk, so you need to disable that third-party add-on before you proceed.

There are three ways to install the add-on:

  1. Install from the Splunk Web UI: Manage Apps -> Browse more apps -> search for the keyword "Fortinet" and find the add-on with the Fortinet logo -> click the "Install free" button -> restart the Splunk service.
  2. Install from file in the Splunk Web UI: Manage Apps -> Install from file -> upload the .tgz file downloaded from https://splunkbase.splunk.com/apps -> check the upgrade box -> restart the Splunk service.
  3. Install from file on the Splunk server CLI: extract the .tgz file -> place the Splunk_TA_fortinet_fortigate folder under $SPLUNK_HOME/etc/apps -> restart the Splunk service.

Add a data input on the Splunk server:

Note: From version 1.2, the Splunk TA (add-on) for FortiGate no longer matches a wildcard source or sourcetype to extract FortiGate log data; a default sourcetype, fgt_log, is specified in default/props.conf instead. Follow the instructions below to configure your input and props.conf for the App and the TA (add-on).

Through the Splunk Web UI: Settings -> Data Inputs -> UDP.
Port: 514 (an example; adjust it according to your own plan).
Leave the other parameters as they are.

Note: the UDP port (514 in this example) must be opened in the firewall for logs to pass through.

Fortinet FortiGate Add-On for Splunk will by default automatically extract FortiGate log data from inputs with sourcetype 'fgt_log'.
If you want it to extract a self-defined sourcetype instead, copy
$SPLUNK_HOME/etc/apps/Splunk_TA_fortinet_fortigate/default/props.conf to
$SPLUNK_HOME/etc/apps/Splunk_TA_fortinet_fortigate/local/props.conf and change the stanza header, replacing [fgt_log] with [fortigate], for instance.

Restart the Splunk service for the change to take effect.
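The same input and sourcetype steps expressed as file-based configuration, added here as an example rather than files shipped with the add-on. It goes beyond the page's "leave the other parameters as they are" by restricting which senders the listener accepts and by suppressing the timestamp Splunk would otherwise prepend; the index name, the sender address and the fortigate sourcetype name are assumptions.

```ini
# --- $SPLUNK_HOME/etc/apps/Splunk_TA_fortinet_fortigate/local/inputs.conf ---
# UDP syslog listener equivalent to the "Settings -> Data Inputs -> UDP" step.
# Port 514 is the page's example; change it to suit your own plan.
[udp://514]
# The add-on extracts fields only from this sourcetype unless props.conf is changed.
sourcetype = fgt_log
# Record the sending FortiGate's IP address as the host field.
connection_host = ip
# FortiGate events already carry their own timestamp, so do not prepend another one.
no_appending_timestamp = true
# Accept datagrams only from the FortiGate itself; syslog over UDP is unauthenticated,
# so this is the one control the listener has over who can inject events.
# (192.0.2.10 is a constructed placeholder; list your own appliances here.)
acceptFrom = 192.0.2.10
# Dedicated index (assumed name; it must already exist on the indexer).
index = fortigate
disabled = 0

# --- $SPLUNK_HOME/etc/apps/Splunk_TA_fortinet_fortigate/local/props.conf ---
# Only needed when the input uses a self-defined sourcetype. Copy the whole
# [fgt_log] stanza from default/props.conf, paste it here and rename the header;
# renaming the header without the stanza body leaves the sourcetype without extractions.
[fortigate]
# <stanza body copied verbatim from the [fgt_log] stanza in default/props.conf>
```

After restarting Splunk, a search such as `sourcetype=fortigate | head 5` should show CIM fields populated for the new sourcetype; if it only shows raw events, the stanza body was not carried across.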

Verify the Add-on in Enterprise Security App

The following Enterprise Security dashboards are supported by the Fortinet FortiGate Add-on for Splunk:

  1. Security Domain->Access->Access Center
  2. Security Domain->Endpoint->Malware Center
  3. Security Domain->Network->Traffic Center
  4. Security Domain->Network->Intrusion Center
  5. Security Domain->Network->Web Center
  6. Security Domain->Network->Network Changes
  7. Security Domain->Network->Port & Protocol Tracker
  8. Security Domain->Identity->Session Center

For more information on the App support, email splunk_app@fortinet.com.

Release Notes

Version 1.4
Oct. 11, 2016

- Modify regex to accommodate logs from other forwarding sources, which don't have date and time fields

Version 1.3
May 24, 2016

Changes for certification, no bug fixes or features.

695 installs, 6,207 downloads


© 2005-2017 Splunk Inc. All rights reserved.