Integrate Fortinet FortiGate via FortiAnalyzer with Red Canary
    • 11 Feb 2025
    • 8 Minutes to read

    EARLY ACCESS FEATURE

    The FortiAnalyzer integration is currently available by invitation as an Early Access (EA) feature. For more information about our EA program, please see Red Canary Release Stages.

    Monitoring a Fortinet FortiGate Next-Generation Firewall (NGFW) with Red Canary enhances threat detection and response capabilities by combining advanced firewall protection with expert threat hunting. If you’re using Fortinet’s FortiAnalyzer product, you can configure Red Canary to retrieve aggregated data from all your FortiGate NGFWs in a single integration.

    Note

    This integration is designed to let multiple FortiGate NGFWs pass data to Red Canary through a single FortiAnalyzer instance. If you need to integrate individual FortiGate NGFWs directly with Red Canary, please follow these instructions.

    Prerequisites

    Before you start the Fortinet FortiGate via FortiAnalyzer integration, please make sure the following requirements are met:

    • Your FortiAnalyzer login account uses the Super_User administrator profile (or a custom administrator profile with Read-Write permissions for System Settings). For more information, see the FortiAnalyzer Administration Guide.

    • You have OpenSSL (version 3.1 or higher) installed on the machine where you’ll be generating your TLS certificates.

    1  Red Canary | Getting Started

    The first step is to add the new integration in Red Canary.

    1. From your Red Canary homepage, go to the Integrations page then click Add Integration.
      Add a new Red Canary integration

    2. On the Add integration dialog, search for the Fortinet FortiGate via FortiAnalyzer integration then click Configure.

    3. On the Add Integration page, enter a name for the integration.

    2  Red Canary | Choose How Red Canary Receives the Data

    Setting the ingest method determines how Red Canary will receive data from the FortiAnalyzer.

    1. In the Choose how Red Canary will receive this data section, select an ingest method from the Ingest Format / Method dropdown.

      Note

      For the Fortinet FortiGate via FortiAnalyzer integration, the only available ingest method is Syslog.

    2. Click Next.

    3  Red Canary | Configure Red Canary to Retrieve the Data

    The integration will automatically provision a Red Canary endpoint to collect the logs from the FortiAnalyzer.

    1. In the Configure Red Canary to retrieve data from this integration section, click Provision.

    2. After a few seconds, Red Canary will provision a collector to receive the data sent from the FortiAnalyzer. Copy the following two values so you can enter them into the FortiAnalyzer GUI in the next step:

      • Red Canary Collector FQDN

      • Red Canary Collector Port Number

    4  FortiAnalyzer | Configure Log Forwarding

    In order for the FortiAnalyzer to pass alerts to Red Canary, you need to set up a log forwarding service.

    1. In the FortiAnalyzer GUI, go to System Settings > Advanced > Log Forwarding.

    2. Under the Settings tab, click Create New in the toolbar.

    3. On the Create New Log Forwarding dialog, give the new forwarder a name and fill out the rest of the values as follows:

      • Remote Server Type: Syslog

      • Server FQDN/IP: the Red Canary Collector FQDN provisioned in Step 3

      • Server Port: the Red Canary Collector Port Number provisioned in Step 3

      • Reliable Connection: Enabled

    4. Click OK.

    5. Click >_ in the menubar to open the FortiAnalyzer CLI Console.

    6. Enter the following commands in the console to show a list of log forwarders:

      config system log-forward
      show

    7. Enter the edit command with a number corresponding to the log forwarder you created. For example:

      edit 1
    8. Enter the following commands to configure the selected log forwarder:

      set fwd-secure enable
      set fwd-syslog-format rfc-5424
      end
    9. Exit the console.

    5  Command Line | Create TLS Certificates

    Transport Layer Security (TLS) certificates protect the integrity of data in transit. You need to generate the necessary keys and TLS certificates to configure the FortiAnalyzer to send your logs securely to Red Canary.

    Note

    You can generate these certificates on any machine. While the choice of command-line shell is yours (for example, PowerShell for Windows or Terminal for macOS), the example commands shown below are for Linux.

    Important

    The local certificate you create by following these instructions will need to be refreshed every year, while the root CA and intermediate CA are good for 10 years.

    Download the Fortinet Certificates

    1. Create a new working directory and change to that directory. For example:

      mkdir rcfortinet
      cd rcfortinet
    2. In the FortiAnalyzer GUI, go to System Settings > Certificates and download the Fortinet_CA and Fortinet_SUBCA certificates.

    3. Copy the downloaded Fortinet_CA and Fortinet_SUBCA certificates to your working directory. For example:

      mv ~/Downloads/Fortinet_CA.cer ./
      mv ~/Downloads/Fortinet_SUBCA.cer ./ 

    Generate the Root CA

    Important

    You must have OpenSSL version 3.1 or later installed to complete these steps. Note that recent macOS versions use the LibreSSL library for openssl commands, which won’t work correctly with these instructions.

    1. Create the root CA private key:

      openssl genrsa -out rootCA.key 4096
    2. Create the root CA public certificate:

      openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.pem

      You’ll be prompted to enter a series of values to describe the certificate. Not all the fields are required, but you need to fill out at least Country Name, State or Province Name, and Organization Name. You should also provide a Common Name identifier for the certificate, which can be any value. For example:

      Common Name:RedCanaryCA

    You’ll upload the resulting rootCA.pem file to the FortiAnalyzer later.

    Generate the Intermediate CA

    1. Create the intermediate CA private key:

      openssl genrsa -out intermediateCA.key 4096
    2. Use a text editor to create an intermediateCA.cnf configuration file:

      [req]
      default_bits       = 2048
      prompt             = no
      default_md         = sha256
      distinguished_name = dn
      x509_extensions    = v3_ca
      [dn]
      CN = Red Canary Intermediate CA    # Name the intermediate CA as desired
      [v3_ca]
      subjectKeyIdentifier=hash
      authorityKeyIdentifier=keyid:always,issuer
      basicConstraints = critical, CA:true
      keyUsage = critical, digitalSignature, cRLSign, keyCertSign
    3. Generate the intermediate CA CSR (Certificate Signing Request):

      openssl req -new -key intermediateCA.key -out intermediateCA.csr -config intermediateCA.cnf
    4. Sign the intermediate CA CSR with the root CA:

      openssl x509 -req -in intermediateCA.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out intermediateCA.pem -days 3650 -sha256 -extfile intermediateCA.cnf -extensions v3_ca

      You’ll upload the resulting intermediateCA.pem file to the FortiAnalyzer later.

    Generate a Local Certificate for the Red Canary Collector

    1. Create the local certificate private key:

      openssl genrsa -out server.key 2048
    2. Create a server.cnf configuration file for the Local Certificate, using the Red Canary Collector FQDN for the CN and DNS values:

      [req]
      default_bits       = 2048
      prompt             = no
      default_md         = sha256
      distinguished_name = dn
      req_extensions     = req_ext
      [dn]
      CN = prod1-use2-b7c04b26.prod1.collectors.redcanary.io   # Red Canary Collector FQDN
      [req_ext]
      subjectAltName =  @alt_names
      keyUsage = critical, digitalSignature, keyAgreement
      extendedKeyUsage = serverAuth, clientAuth
      [alt_names]
      DNS = prod1-use2-b7c04b26.prod1.collectors.redcanary.io  # Red Canary Collector FQDN
    3. Generate the CSR for the local certificate:

      openssl req -new -key server.key -out server.csr -config server.cnf
    4. Sign the local certificate CSR with the intermediate CA:

      openssl x509 -req -in server.csr -CA intermediateCA.pem -CAkey intermediateCA.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile server.cnf -extensions req_ext
    5. Convert the local certificate to PEM format:

      openssl x509 -in server.crt -out server.pem -outform PEM

    You’ll upload the resulting server.key and server.pem files to Red Canary later.

    Create the CA Bundle

    1. Concatenate the certificate chain into a single file:

      cat intermediateCA.pem Fortinet_SUBCA.cer Fortinet_CA.cer > ca-bundle.pem

    You’ll upload the resulting ca-bundle.pem file to Red Canary later.

    Note

    The certificates in the command must be ordered correctly (Intermediate > Fortinet SUBCA > Fortinet CA).
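The following script checks the output of Step 5 before anything is uploaded: that server.pem chains to rootCA.pem through intermediateCA.pem, that its SAN carries the collector FQDN, that server.key matches it, that the bundle starts with the intermediate CA, and that the one-year local certificate is not about to expire. It is an added example, not the article's own commands; it assumes the article's file names in the current directory and takes the Red Canary Collector FQDN as its argument, and its `make_demo_chain` function builds a constructed stand-in chain (including stand-ins for the two Fortinet certificates) so the checks can be tried offline.

```shell
#!/bin/sh
# Added example (not from the Red Canary article): sanity-check the Step 5 chain
# before uploading. Run in the Step 5 working directory; expects the article's
# file names (rootCA.pem, intermediateCA.pem, server.pem, server.key, ca-bundle.pem).
set -eu

verify_chain() {   # server.pem must validate up to rootCA.pem through intermediateCA.pem
  openssl verify -CAfile rootCA.pem -untrusted intermediateCA.pem server.pem >/dev/null 2>&1
}
san_matches() {    # $1 = FQDN; the SAN must carry the collector name, not just the CN
  openssl x509 -in server.pem -noout -ext subjectAltName | grep -q "DNS:$1"
}
key_matches() {    # server.key must be the private half of server.pem
  [ "$(openssl x509 -in server.pem -noout -pubkey)" = "$(openssl pkey -in server.key -pubout)" ]
}
bundle_starts_with_intermediate() {   # openssl x509 reads only the first cert in a file
  [ "$(openssl x509 -in ca-bundle.pem -noout -subject)" = \
    "$(openssl x509 -in intermediateCA.pem -noout -subject)" ]
}
not_expiring_within() {   # $1 = days; the local cert is only signed for 365 days
  openssl x509 -in server.pem -noout -checkend $(( $1 * 86400 )) >/dev/null
}

# Constructed throwaway chain (an assumption, not the real Fortinet files) so the
# checks above can be exercised offline; the real chain comes from the article's steps.
make_demo_chain() {   # $1 = empty directory, $2 = collector FQDN
  cd "$1"
  printf '[v3_ca]\nbasicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf '[req_ext]\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$2" > srv.ext
  openssl req -x509 -newkey rsa:2048 -nodes -keyout rootCA.key -days 3650 \
    -subj "/C=US/ST=CO/O=Demo/CN=DemoRootCA" -out rootCA.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout intermediateCA.key \
    -subj "/CN=Demo Intermediate CA" -out intermediateCA.csr 2>/dev/null
  openssl x509 -req -in intermediateCA.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial \
    -days 3650 -sha256 -extfile ca.ext -extensions v3_ca -out intermediateCA.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout server.key -subj "/CN=$2" -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA intermediateCA.pem -CAkey intermediateCA.key -CAcreateserial \
    -days 365 -sha256 -extfile srv.ext -extensions req_ext -out server.pem 2>/dev/null
  for n in Fortinet_CA Fortinet_SUBCA; do   # stand-ins for the downloaded Fortinet certificates
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$n.key" -days 365 -subj "/CN=$n stand-in" -out "$n.cer" 2>/dev/null
  done
  cat intermediateCA.pem Fortinet_SUBCA.cer Fortinet_CA.cer > ca-bundle.pem   # the article's order
}

if [ $# -eq 1 ]; then   # script usage: sh check-chain.sh <Red Canary Collector FQDN>
  for c in verify_chain "san_matches $1" key_matches bundle_starts_with_intermediate "not_expiring_within 30"; do
    $c && echo "PASS $c" || echo "FAIL $c"
  done
fi
```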

    6  FortiAnalyzer | Upload Certificates to FortiAnalyzer

    After you’ve created the root CA and intermediate CA certificates, you can upload them to the FortiAnalyzer.

    1. In the FortiAnalyzer GUI, go to System Settings > Certificates.

    2. Click the + Create New/Import button and select the CA Certificate option.

    3. Upload both the rootCA certificate (rootCA.pem) and the intermediateCA certificate (intermediateCA.pem) you created earlier. Give each certificate a name to identify it in the FortiAnalyzer GUI.

    4. Make sure both the certificates now appear under the Local CA Certificate section.

    5. Restart the log forwarding service by opening the FortiAnalyzer CLI console and entering the following command:

      diag test application logfwd 99

    7  Red Canary | Upload Certificates to Red Canary

    After you’ve created the local certificates and the CA bundle, you need to upload them to Red Canary in order to start receiving FortiAnalyzer alerts.

    1. In the Configure Red Canary to retrieve data from this integration section, go to Section 2b (Send data to Red Canary) and check the I’ve configured this integration to send data to Red Canary box. (This confirms that you’ve completed the Configure FortiAnalyzer Log Forwarding steps above.)

    2. Go to Section 2c (Configure Transport encryption) and upload the certificate files as follows:

      • Under Upload a certificate, private key, and optional password, choose the server.pem file

      • Under Upload the corresponding private key file, choose the server.key file

      • Under Upload the CA certificate, choose the ca-bundle.pem file

    3. Click Next to upload the files.

    8  Red Canary | Customize Data Handling

    [OPTIONAL] In the Customize how data from this integration is handled section, enable Process Correlation if appropriate.

    What is Process Correlation?

    If a third-party alert platform lets you create your own rules to trigger alerts, Red Canary can correlate with the rule metadata when it displays the alerts in the timeline. To conserve API bandwidth and compute cycles, process correlation for user-defined alerts is disabled by default.

    9  Red Canary | Activate the Integration

    After you’ve finished the configuration and uploaded the TLS certificates, click Save to activate the integration.

    The FortiAnalyzer integration is now live!

    You should see FortiAnalyzer alerts start appearing in Red Canary within 24 hours.

    10  Red Canary | Modifying the Integration

    Once the FortiAnalyzer integration is active, the only routine maintenance task is to replace the TLS certificates when they expire. However, you’ll need to modify the configuration if you want to deactivate or remove the integration.

    To modify the configuration:

    1. From your Red Canary homepage, go to the Integrations page then click on the name of the integration you want to modify.

    Uploading a New TLS Certificate

    1. Go to the Configure Red Canary to retrieve data from this integration section and review the details of the existing certificate.

    2. To upload a new certificate, follow the instructions in Step 7 above.

    Deactivating the Integration

    To suspend alerts for this integration, click the button. The status displayed on the Integrations page changes to “Inactive” and no alerts will be passed to Red Canary. If necessary, you can reactivate it later by clicking .

    Note

    Deactivating or reactivating the integration takes effect immediately. You don’t need to click Save to confirm the action.

    Decommissioning the Integration

    To remove the integration from Red Canary, click the button then click OK to confirm.

    Important

    If you decommission the integration, no new alerts will be sent to Red Canary and all processed alerts will be deleted. This action cannot be undone.

