15 Minutes to Configure a Splunk Dashboard for Fortigate Firewalls

3K views · Aug 3, 2022
Let's see how powerful Splunk is. Within 15 minutes we can configure a useful Splunk dashboard to analyze Fortigate firewall logs. Related post @ https://blog.51sec.org/2018/10/splunk-tips-and-tricks.html Subscribe me: https://www.youtube.com/c/Netsec?sub_confirmation=1

============================= Scripts ===================

There are some steps we have to do before we can start to work on the Fortigate App dashboard.

1. Configure the Fortigate to send logs to our Splunk instance.
1.1 Make sure all firewall rules are configured to log all sessions, not only security events; otherwise the traffic panels have nothing to show.
1.2 Configure the Log & Report log settings: enable "Send logs to Syslog" and type the Splunk server IP address into the IP Address / FQDN textbox. Enable event logging and local traffic logging based on your requirements, then Apply.

2. Install the Splunk Fortinet App and Add-on.
2.1 Download the Splunk Fortinet App and Add-on. From within Splunk we are only able to find the Fortinet Fortigate Add-on for Splunk; the App that used to be available from the Splunk App Center is no longer listed there. Searching the Splunkbase website finds it, but you have to log in to download it and then install it manually.
2.2 Install the Splunk Fortinet App and Add-on. Unfortunately, after installation the App shows nothing, although all of your data is in Splunk.

3. Configure Splunk to take the Fortigate 60D syslog data.
3.1 Create an index and data source.
3.2 Create a syslog data input. It is UDP 514.
3.3 Make sure any firewall in the path allows UDP 514 from your Fortigate device to your Splunk server. In my case, it had already been allowed.

4. Configure the Fortinet App to analyze all logs in its default dashboards. Now all logs are flowing into Splunk, but by default the Fortinet App is not able to search them and generate a useful report. We will work on two tabs, the Fortinet Network Security tab and the Traffic tab. The other tabs are configured the same way once you know how to get those two working.
4.1 Adjustments for the Fortinet Network Security tab:
4.1.1 Replace "fgt_traffic" with type="traffic" AND index="fortinet".
4.1.2 For the session count in 10 minutes, replace session_id with sessionid (the field the Fortigate logs actually carry).
4.1.3 Replace "fgt_utm" with type="utm", and replace severity with apprisk.
4.2 Traffic dashboard. The Traffic dashboard is different from the Fortinet Network Security dashboard: it uses a data model and a macro (ftnt_dropdown) to run the search and populate the panels. Let's go through them one by one.
4.2.1 Data model. Before we can edit the Fortinet FOS Log data model, we have to disable its acceleration. Change the root constraint from fgt_logs to index="fortinet"; the constraint for traffic logs is already correct.
4.2.2 Macros. Remove summariesonly=true; with acceleration disabled there are no summaries, so a search restricted to summaries returns nothing.

======================================================= Recording IT life Blog: https://51sec.org
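As an added example that is not part of the original post, the Fortinet App, or the blog it links to, the Python below parses Fortigate key=value syslog lines the way Splunk's UDP 514 input receives them and then emulates the two panel searches the steps above rewrite (sessions per 10 minutes keyed on sessionid, and UTM events by apprisk). The sample log lines are constructed for this example, not real captures; the SPL quoted in the comments is my reconstruction from the field names given above, not the App's actual panel queries; and the inputs.conf stanza in the comment is standard Splunk syntax assumed to match step 3.2.

```python
"""Parse FortiGate syslog lines and emulate the rewritten dashboard searches.
Added example; sample lines are constructed, SPL comments are reconstructions."""
import re
import socket
from collections import Counter, defaultdict
from datetime import datetime

# A FortiGate log line is a run of key=value pairs. Values are either bare
# tokens or double-quoted strings that may contain spaces.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_kv(line: str) -> dict:
    """Return the fields of one FortiGate log line as a dict. A leading syslog
    priority such as '<189>' is skipped because it is not of the form key=value."""
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def decode_datagram(data: bytes) -> dict:
    """Decode one raw UDP datagram, i.e. what a Splunk input configured as
    (assumed inputs.conf)  [udp://514]  /  index = fortinet  would ingest."""
    return parse_fortigate_kv(data.decode("utf-8", errors="replace"))


def listen_udp(port: int = 514, max_events: int = 1) -> list:
    """Bind the syslog port and parse datagrams from the firewall. This is a
    check for step 3.3 (UDP 514 allowed from the FortiGate): stop Splunk first,
    because only one process can own the port, and note that binding 514 needs
    root; a high port is fine for a test. Not run on import."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        events = []
        while len(events) < max_events:
            data, _addr = sock.recvfrom(65535)
            events.append(decode_datagram(data))
        return events


def traffic_sessions_per_10min(events: list) -> dict:
    """Emulate the 'sessions in 10 minutes' panel after the fix in 4.1.1/4.1.2,
    roughly:  index="fortinet" type="traffic"
              | bin _time span=10m | stats dc(sessionid) by _time
    The field is 'sessionid', not 'session_id', so the original search matched
    nothing. Start and close records of one session share a sessionid, hence
    the distinct count. Returns {bucket_start_iso: distinct_sessions}."""
    buckets = defaultdict(set)
    for ev in events:
        if ev.get("type") != "traffic" or "sessionid" not in ev:
            continue
        ts = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
        start = ts.replace(minute=ts.minute - ts.minute % 10, second=0)
        buckets[start.isoformat()].add(ev["sessionid"])
    return {k: len(v) for k, v in sorted(buckets.items())}


def utm_by_apprisk(events: list) -> dict:
    """Emulate the UTM panel after the fix in 4.1.3, roughly:
    index="fortinet" type="utm" | stats count by apprisk"""
    return dict(Counter(ev["apprisk"] for ev in events
                        if ev.get("type") == "utm" and "apprisk" in ev))


# Constructed sample lines: three traffic sessions (one logged at start and
# close) and three app-ctrl UTM events, spanning two 10-minute buckets.
SAMPLE_LOGS = [
    '<189>date=2022-08-03 time=10:01:05 devname="FGT60D" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.1.10 srcport=51234 dstip=203.0.113.7 dstport=443 dstintf="wan1" sessionid=1000001 proto=6 action="accept" policyid=1 service="HTTPS"',
    '<189>date=2022-08-03 time=10:03:00 devname="FGT60D" logid="1059028704" type="utm" subtype="app-ctrl" level="information" vd="root" srcip=192.168.1.10 dstip=203.0.113.7 sessionid=1000001 app="YouTube" apprisk="elevated" action="pass" msg="App-Ctrl: YouTube"',
    '<189>date=2022-08-03 time=10:04:30 devname="FGT60D" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.1.10 srcport=51234 dstip=203.0.113.7 dstport=443 sessionid=1000001 proto=6 action="close" policyid=1 sentbyte=9120 rcvdbyte=301233',
    '<189>date=2022-08-03 time=10:05:00 devname="FGT60D" logid="1059028704" type="utm" subtype="app-ctrl" level="warning" vd="root" srcip=192.168.1.22 dstip=198.51.100.9 sessionid=1000002 app="BitTorrent" apprisk="high" action="block"',
    '<189>date=2022-08-03 time=10:07:12 devname="FGT60D" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.1.22 srcport=40011 dstip=198.51.100.9 dstport=6881 sessionid=1000002 proto=6 action="deny" policyid=2 msg="Deny: policy violation"',
    '<189>date=2022-08-03 time=10:08:40 devname="FGT60D" logid="1059028704" type="utm" subtype="app-ctrl" level="warning" vd="root" srcip=192.168.1.22 dstip=198.51.100.9 sessionid=1000002 app="BitTorrent" apprisk="high" action="block"',
    '<189>date=2022-08-03 time=10:12:00 devname="FGT60D" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.1.30 srcport=50022 dstip=203.0.113.50 dstport=80 sessionid=1000003 proto=6 action="accept" policyid=1 service="HTTP"',
]


def summarize(lines: list) -> dict:
    """Parse the lines and return both emulated panels."""
    events = [parse_fortigate_kv(line) for line in lines]
    return {"sessions_per_10min": traffic_sessions_per_10min(events),
            "utm_by_apprisk": utm_by_apprisk(events)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOGS))
```

Before editing any panel, the same check inside Splunk is a plain `index="fortinet" | stats count by type, sourcetype`: if that returns traffic and utm rows, the data is there and only the dashboard's field and source names need the substitutions above.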