Integrate Fortinet FortiGate with Red Canary


Integrating Fortinet FortiGate with Red Canary enhances threat detection and response capabilities by combining advanced firewall protection with expert threat hunting. To integrate Fortinet FortiGate with Red Canary, follow the procedure below from beginning to end.

Prerequisites

Before you connect Fortinet FortiGate to Red Canary, make sure the following configuration requirements are met:

  • Make sure that you have OpenSSL (version 3.1 or higher) installed.

  • Confirm that your configured DNS can resolve our collector.

    For example, Fortinet FortiGuard labels our collector as "Category: Meaningless Content", which a customer's configuration may be set to ignore.

Step 1: Red Canary–Create your Red Canary-generated URL

Create the Red Canary-provided URL to which Fortinet FortiGate will send alerts for ingestion.

  1. From your Red Canary homepage, click Integrations, and then click See all integrations.

  2. Search for and then select Fortinet FortiGate (NGFW).

  3. Click Configure.

  4. Enter a name for your external alert source.  

  5. Select a display category.

  6. From the Ingest Format/Method dropdown, select Fortinet FortiGate via Syslog.

  7. Click Save Configuration.

  8. Click Edit Configuration.

  9. Click Activate.

  10. After a few minutes, Red Canary generates a URL (Collector ID) that you will enter into your Fortinet FortiGate configuration.

    Example: prod1-use2-1234567.prod1.collectors.redcanary.io


Step 2: Command Line–Generate passphrase keys and TLS certificates

Generate the necessary keys and Transport Layer Security (TLS) certificates that are used to configure the FortiGate platform to send Syslog events to Red Canary.

Note: On Windows, use PowerShell; on Linux or macOS, use the terminal. The commands below are written for Linux and require OpenSSL version 3.1 or later.

  1. Open your native terminal.

  2. Copy and run the command below to generate the private key for the root CA:

    1. openssl genrsa -out rootCA.key 4096

  3. Copy and run the command below to generate the root CA certificate (the public half that will sign the server certificate):

    1. openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.pem

    2. Enter the values requested.

      Note: You can leave all of these values at their defaults. The only entry you must provide is the CN.

    3. Enter an identifier when prompted for a Common Name (CN).

      Example: RedCanaryCA

  4. Copy and run the command below to generate the server private key:

    1. openssl genrsa -out server.key 2048

  5. Create the server config file. Create it in the same directory as your certificate files (i.e., whatever directory you are in while running the openssl commands).

    Note: This config file describes the certificate request the certificate authority will then sign.

    1. Enter: vi server.cnf.

    2. Inside server.cnf, enter the following lines. Replace #{COLLECTOR_FQDN} (in both places) with the collector FQDN from Step 1, written as a plain hostname without the #{ } brackets and without a trailing dot:

        [req]
        default_bits = 2048
        prompt = no
        default_md = sha256
        req_extensions = req_ext
        distinguished_name = dn
        [dn]
        CN = #{COLLECTOR_FQDN}
        [req_ext]
        subjectAltName = @alt_names
        keyUsage = critical, digitalSignature, keyAgreement
        extendedKeyUsage = serverAuth, clientAuth
        [alt_names]
        DNS.1 = #{COLLECTOR_FQDN}

  6. Generate the certificate signing request (CSR) by running the command below:

    1. openssl req -new -key server.key -out server.csr -config server.cnf

  7. Copy and run the command below to sign the CSR and create the server certificate (server.crt) using the CA private key and CA certificate from Steps 2.2.a and 2.3.a:

    1. openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile server.cnf -extensions req_ext

Note: You may want to increase the validity period by changing the -days flag in the command above. It is currently set to 365 days.
If you list the directory with ls, you should now have the following files:

  • rootCA.key

  • rootCA.pem

  • rootCA.srl

  • server.crt

  • server.key
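The Step 2 commands as one non-interactive script, added here as an example and not part of the original article: it writes server.cnf with the FQDN already substituted, runs the openssl commands in order, and then verifies that server.crt chains to rootCA.pem and carries the collector FQDN as a SAN. The default COLLECTOR_FQDN value and the RedCanaryCA common name are constructed placeholders, and OpenSSL 3.1+ on PATH is assumed.

```shell
# Added example, not from the Red Canary article: runs Step 2 end to end
# non-interactively, then verifies server.crt before it is imported in Step 3.
# Assumes OpenSSL 3.1+ on PATH. The default COLLECTOR_FQDN and the CA name
# RedCanaryCA are constructed placeholders; use the Collector ID from Step 1.
set -eu
COLLECTOR_FQDN="${COLLECTOR_FQDN:-prod1-use2-1234567.prod1.collectors.redcanary.io}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"
cd "$WORKDIR"   # like the article, every file lands in the current directory
# Step 2.5: write server.cnf with the FQDN filled in (no #{ } placeholder left).
write_server_cnf() {
  cat > server.cnf <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[dn]
CN = $COLLECTOR_FQDN
[req_ext]
subjectAltName = @alt_names
keyUsage = critical, digitalSignature, keyAgreement
extendedKeyUsage = serverAuth, clientAuth
[alt_names]
DNS.1 = $COLLECTOR_FQDN
EOF
}
# Steps 2.2 to 2.7; -subj answers the root CA prompts so nothing is interactive.
generate_chain() {
  write_server_cnf
  openssl genrsa -out rootCA.key 4096 2>/dev/null
  openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 \
    -subj "/CN=RedCanaryCA" -out rootCA.pem 2>/dev/null
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -key server.key -out server.csr -config server.cnf
  openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial \
    -out server.crt -days 365 -sha256 -extfile server.cnf -extensions req_ext 2>/dev/null
}
# Prints OK only if server.crt chains to rootCA.pem and carries the FQDN as a SAN;
# BAD_SAN means the SAN does not match the collector (typo, trailing dot, wrong -extfile).
verify_chain() {
  openssl verify -CAfile rootCA.pem server.crt >/dev/null 2>&1 || { echo BAD_CHAIN; return 0; }
  openssl x509 -in server.crt -noout -ext subjectAltName | grep -q "DNS:$COLLECTOR_FQDN" \
    || { echo BAD_SAN; return 0; }
  echo OK
}

generate_chain
echo "Files written to $WORKDIR; verification: $(verify_chain)"
```

Set COLLECTOR_FQDN in the environment before running it; the generated files are written to a fresh temporary directory whose path is printed, ready for Steps 3 and 5.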

Step 3: Fortinet FortiGate–Import certificates to Fortinet FortiGate

  1. From your Fortinet FortiGate dashboard, click System.

  2. Click Certificates.

  3. Click Create/Import, and then click CA Certificate.

  4. Click File.

  5. Upload the rootCA.pem from Step 2.3.a.

  6. Click OK. The new CA Certificate will be located under the Remote CA Certificate section. 

  7. Click Create/Import, and then click Certificate.

  8. Click Import Certificate, and then click Certificate.

  9. Upload the server.key file from Step 2.4.a.

  10. Upload the server.crt file from Step 2.7.a.

  11. Enter a Certificate Name (Example: RedCanaryCert).

    Note: This name needs to match the name you give when you configure your Secure Syslog settings, specifically, the set certificate command. See step 4.3 below.

  12. Click Create, and then click OK.

    The new certificate will be located under the Local Certificate list.

Step 4: Fortinet FortiGate–Configure Fortinet FortiGate for secure syslog

  1. From your Fortinet FortiGate dashboard, click the CLI Console icon ( >_).

  2. Enter config log syslogd setting in the Command Line Interface (CLI).

  3. Type out the following lines:

    Note: Type the lines rather than copying and pasting them; pasting causes an encoding issue.

    set status enable

    set server "InsertYourCollectorID.collectors.redcanary.io"

    set mode reliable

    set facility alert 

    set format cef 

    set priority default

    set ssl-min-proto-version TLSv1-2

    set certificate RedCanaryCert

    Note: The name you enter here needs to match the "Certificate Name" you entered on Step 3.11.

    set enc-algorithm high 

    set port [port shown on the Alert Source configuration modal]

    end

    Note: If you see "Command fail. Return code 61", subsequent commands will also fail; close the CLI console, reopen it, and run the commands again.

  4. Press the Enter key.

Note: You may see a warning that the port has changed after you enter set enc-algorithm high. For that reason, set the port value after entering enc-algorithm high, in the order shown above.

Step 5: Red Canary–Upload custom certificates to Red Canary

Connect your custom certificates to Red Canary in order to start receiving Fortinet FortiGate alerts.

  1. From your Red Canary homepage, click Integrations.

  2. Scroll down, and then select your third-party security source.

  3. Click Edit Configuration.

  4. Select Use custom TLS server certificate for ingest over TLS?

  5. Upload the certificates from Step 2:

    1. Upload the server.crt file to the first upload section “Upload a certificate file (PEM or DER)”.

    2. Upload the server.key file to the second upload section “Upload the corresponding private key”.

    3. Upload the rootCA.pem file to the last upload location “Upload the CA certificate corresponding to your certificate (PEM or DER)”.

  6. Click Save Configuration.

    Note: Confirm that your configured DNS can resolve our collector. For example, Fortinet FortiGuard labels our collector as "Category: Meaningless Content", which a customer's configuration may be set to ignore.

Step 6: Fortinet FortiGate–Run a Test to Ensure Red Canary is Receiving Your Syslog Data

  1. From your Fortinet FortiGate command line, enter the following command: diag log test 

  2. This generates a number of different test logs, which is enough to send some data to Red Canary.