Fortinet FortiGate Add-On for Splunk is the technical add-on (TA) developed by Fortinet, Inc. The add-on enables Splunk Enterprise to ingest or map security and traffic data collected from FortiGate physical and virtual appliances across domains. The key features include:
• Streamlining authentication and access events from FortiGate, such as administrator login, user login and VPN termination authentication, into Splunk Enterprise Security Access Center
• Mapping FortiGate virus report into Splunk Enterprise Security Endpoint Malware Center
• Ingesting traffic logs, IPS logs, system configuration logs and Web filtering data etc.
Fortinet FortiGate Add-On for Splunk provides common information model (CIM) knowledge, advanced “saved search”, indexers and macros to use with other Splunk Enterprise apps such as Splunk App for Enterprise Security.
If used with apps that are based on CIM, the Splunk Common Information Model Add-on will also need to be installed.
Please make sure the FortiGate FortiOS (FOS) version is 5.0 or later.
Note: There is a 3rd party add-on for Fortinet named "Fortinet Fortigate with FortiOS 5 Add-On" (folder name TA-fortinet) which conflicts with Fortinet FortiGate Add-on for Splunk, so you need to disable the 3rd party add-on before you proceed.
There are three ways to install the add-on:
Note: From version 1.2, the Splunk TA (Add-on) for FortiGate no longer matches a wildcard source or sourcetype to extract FortiGate log data; a default sourcetype, fgt_log, is specified in default/props.conf instead. Please follow the instructions below to configure your input and props.conf for the App and TA (Add-on).
Through Splunk Web UI:
Port: 514 (example; change it according to your own plan)
Leave the other parameters as they are.
Note: the UDP port (514 in this example) must be opened on the firewall for logs to pass through.
Fortinet FortiGate Add-On for Splunk will by default automatically extract FortiGate log data from inputs with sourcetype 'fgt_log'.
If you want it to extract a self-defined sourcetype instead, copy
$SPLUNK_HOME/etc/apps/Splunk_TA_fortinet_fortigate/default/props.conf to
$SPLUNK_HOME/etc/apps/Splunk_TA_fortinet_fortigate/local/props.conf and change the sourcetype stanza:
replace [fgt_log] with [fortigate], for instance.
Restart the Splunk service for the change to take effect.
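The copy-and-rename step above as a small POSIX shell script, added here as an example and not part of the add-on itself. It assumes the stanza layout the page describes ([fgt_log] in default/props.conf); the settings in the sample default/props.conf and the temporary directory standing in for $SPLUNK_HOME are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the add-on's own code: re-point the TA's field
# extractions from the default sourcetype 'fgt_log' to a custom sourcetype
# by copying default/props.conf to local/props.conf and renaming the stanza.
# Only the stanza header changes; every setting beneath it is copied as-is.
set -eu

# rename_stanza <default_props> <local_props> <old_sourcetype> <new_sourcetype>
# Refuses to clobber an existing local/props.conf, since local settings
# override default ones and may already hold site-specific changes.
rename_stanza() {
  default_conf="$1"; local_conf="$2"; old="$3"; new="$4"
  if [ -e "$local_conf" ]; then
    echo "refusing to overwrite existing $local_conf" >&2
    return 1
  fi
  # The stanza being renamed must actually exist in the default file.
  if ! grep -q "^\[$old]\$" "$default_conf"; then
    echo "no [$old] stanza found in $default_conf" >&2
    return 1
  fi
  mkdir -p "$(dirname "$local_conf")"
  sed "s/^\[$old]\$/[$new]/" "$default_conf" > "$local_conf"
}

# stanza_names <props.conf>: print the stanza headers, to verify the result.
stanza_names() {
  sed -n 's/^\[\(.*\)]$/\1/p' "$1"
}

# demo: runs the procedure against a constructed stand-in for the add-on's
# default/props.conf (the settings shown are illustrative, not the TA's real
# ones) under a temporary directory instead of $SPLUNK_HOME, and prints the
# stanza name found in the resulting local/props.conf.
demo() {
  tmp=$(mktemp -d)
  ta="$tmp/etc/apps/Splunk_TA_fortinet_fortigate"
  mkdir -p "$ta/default"
  printf '[fgt_log]\nSHOULD_LINEMERGE = false\nKV_MODE = auto\n' > "$ta/default/props.conf"
  rename_stanza "$ta/default/props.conf" "$ta/local/props.conf" fgt_log fortigate
  stanza_names "$ta/local/props.conf"   # prints: fortigate
  rm -rf "$tmp"
}
```

Run `demo` to see the renamed stanza; after applying it to a real $SPLUNK_HOME, the Splunk service still has to be restarted as the page notes.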
Available dashboards in Enterprise Security App supported by Fortinet Fortigate Add-on for Splunk.
Please note that in FOS 5.6 the type field includes "", so for the FortiGate logs to be recognized, please upgrade this add-on to version 1.5.
For more information on the App support, email firstname.lastname@example.org.
v1.5: Jul 2017
- Modify regex to accommodate FOS5.6 log format
v1.4: Oct 2016
- Modify regex to accommodate logs from other forwarding sources, which don't have date and time fields
Changes for certification, no bug fixes or features.