Integrate Fortinet Fortigate with Red Canary
    • 24 Jul 2024

    Integrating Fortinet FortiGate with Red Canary enhances threat detection and response capabilities by combining advanced firewall protection with expert threat hunting. To integrate Fortinet FortiGate with Red Canary, follow the procedure below from beginning to end.

    Prerequisites

    Before you connect Fortinet FortiGate to Red Canary, make sure the following requirements are met:

    • Make sure that you have OpenSSL (version 3.1 or higher) installed.

    • Confirm that your configured DNS can resolve our collector.

      For example, Fortinet FortiGuard labels our collector as Category: Meaningless Content, a category that your FortiGuard filtering configuration may be set to ignore, which would prevent the collector name from resolving.

    Step 1: Red Canary–Create your Red Canary generated URL

    Create a Red Canary-provided URL to which Fortinet FortiGate alerts are sent for ingestion.

    1. From your Red Canary homepage, click Integrations, and then click See all integrations.

    2. Type and then select Fortinet Fortigate (NGFW).

    3. Click Configure.

    4. Enter a name for your external alert source.  

    5. Select a display category.

    6. From the Ingest Format/Method dropdown, select Fortinet Fortigate via Syslog.

    7. Click Save Configuration.

    8. Click Edit Configuration.

    9. Click Activate.

    10. After a few minutes, Red Canary will generate a URL (Collector ID) that you will enter into your Fortinet FortiGate configuration.

      Example: prod1-use2-1234567.prod1.collectors.redcanary.io


    Step 2: Command Line–Generate passphrase keys and TLS certificates

    Generate the necessary keys and Transport Layer Security (TLS) certificates that are used to configure the Fortigate platform to send syslogs to Red Canary.

    Note: Use PowerShell on Windows, or a terminal on Linux or macOS. The commands below are written for Linux. For the commands below you should be running OpenSSL version 3.1 or later.

    1. Open your native terminal.

    2. Copy and run the command below to generate the private key for the root CA:

      1. openssl genrsa -out rootCA.key 4096

    3. Copy and run the command below to generate the self-signed root CA certificate, which contains the public key used to verify certificates signed by this CA:

      1. openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.pem

      2. Enter the values requested.

        Note: You can leave all of these values at default if you want. The only entry that you NEED to enter is the CN.

      3. Enter an identifier when prompted for a Common Name (CN).

        Example: RedCanaryCA

    4. Copy and run the command below to generate the server private key:

      1. openssl genrsa -out server.key 2048

    5. Create the server config file. This file is created in the same location as your certificate files (i.e., whatever directory you are in while running the openssl commands).

      Note: This config file describes the certificate request the certificate authority will then sign.

      1. Enter: vi server.cnf.

      2. Inside server.cnf, enter the following lines, replacing COLLECTOR_FQDN in both places with the collector FQDN from Step 1.10 (no brackets, no trailing dot):

          [req]
          default_bits = 2048
          prompt = no
          default_md = sha256
          req_extensions = req_ext
          distinguished_name = dn
          [dn]
          CN = COLLECTOR_FQDN
          [req_ext]
          subjectAltName = @alt_names
          keyUsage = critical, digitalSignature, keyAgreement
          extendedKeyUsage = serverAuth, clientAuth
          [alt_names]
          DNS.1 = COLLECTOR_FQDN

        Note: Do not leave a #{...} placeholder in the file. A # begins a comment in OpenSSL configuration files, so everything after it on the line is ignored and the CN would be left empty.

    6. Generate the Certificate Signing Request (CSR) by running the command below:

      1. openssl req -new -key server.key -out server.csr -config server.cnf

    7. Copy and run the command below to create the Red Canary certificate, signing the CSR with the CA private key and CA certificate from Steps 2.2.a and 2.3.a:

      1. openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile server.cnf -extensions req_ext

    Note: You may want to extend the certificate's validity by increasing the value of the -days flag in the above command. Currently it is set to 365 days.
    If you run ls in the directory, you should now see the following files (along with the server.cnf and server.csr you created along the way):

    • rootCA.key

    • rootCA.pem

    • rootCA.srl

    • server.crt

    • server.key

    Step 3: Fortinet Fortigate–Import certificates to Fortinet Fortigate

    1. From your Fortinet Fortigate dashboard, click System.

    2. Click Certificates.

    3. Click Create/Import, and then click CA Certificate.

    4. Click File.

    5. Upload the rootCA.pem from Step 2.3.a.

    6. Click OK. The new CA Certificate will be located under the Remote CA Certificate section. 

    7. Click Create/Import, and then click Certificate.

    8. Click Import Certificate, and then click Certificate.

    9. Upload the server.key file from Step 2.4.a.

    10. Upload the server.crt file from Step 2.7.a.

    11. Enter a Certificate Name (Example: RedCanaryCert).

      Note: This name needs to match the name you give when you configure your Secure Syslog settings, specifically, the set certificate command. See step 4.3 below.

    12. Click Create, and then click OK.

      The new certificate will be located under the Local Certificate list.

    Step 4: Fortinet Fortigate–Configure Fortinet Fortigate for secure syslog

    1. From your Fortinet Fortigate dashboard, click the CLI Console icon ( >_).

    2. Enter config log syslogd setting in the Command Line Interface (CLI).

    3. Type out the following lines:

      Note: Do not copy and paste the lines as this will cause an encoding issue:

      set status enable

      set server "InsertYourCollectorID.collectors.redcanary.io"

      set mode reliable

      set facility alert 

      set format cef 

      set priority default

      set ssl-min-proto-version TLSv1-2

      set certificate RedCanaryCert

      Note: The name you enter here needs to match the "Certificate Name" you entered on Step 3.11.

      set enc-algorithm high 

      set port [port shown on the Alert Source configuration modal]

      end

      Note: If you run into "Command fail. Return code 61," further commands will fail, and you will need to close and rerun the CLI console again.

    4. Press the Enter key.

    Note: You may get a warning that the port has changed after entering the enc-algorithm high command. Make sure to set the port value after you enter enc-algorithm high, in the order shown above.

    Step 5: Red Canary–Upload Custom Certificates to Red Canary

    Connect your custom certificates to Red Canary in order to start receiving Fortinet Fortigate alerts.

    1. From your Red Canary homepage, click Integrations.

    2. Scroll down, and then select your third-party security source.

    3. Click Edit Configuration.

    4. Select Use custom TLS server certificate for ingest over TLS?

    5. Upload the certificates from Step 2:

      1. Upload the server.crt file to the first upload section “Upload a certificate file (PEM or DER)”.

      2. Upload the server.key file to the second upload section “Upload the corresponding private key”.

      3. Upload the rootCA.pem file to the last upload location “Upload the CA certificate corresponding to your certificate (PEM or DER)”.

    6. Click Save Configuration.

      Note: Please confirm that your configured DNS can resolve our collector.

    For example, Fortinet FortiGuard labels our collector as “Category: Meaningless Content”, a category that your FortiGuard filtering configuration may be set to ignore, which would prevent the collector name from resolving.

    Step 6: Run a Test to Ensure Red Canary is Receiving Your Syslog Data

    1. From your Fortinet Fortigate command line, enter the following command: diag log test 

    2. This generates a number of different test log entries, which is enough to get some data sent to Red Canary.
