Fortinet FortiGate VDOM
If the log setting "FortiCloud" is enabled on a Fortinet device, it will send logs only to FortiCloud and not to any other syslog servers that have been configured.
To add a FortiGate VDOM device, complete the following steps.
Step 1: Configure the Device
FireMon strives to provide up-to-date product information; however, we are not always aware when vendors change their device UI. If any Configure the Device procedure differs from your device version (UI location of fields, not the information needed), please consult your device's user guide.
- On the Fortinet FortiGate device, add a global super administrator account. If you plan to monitor multiple VDOMs on the device, please create this account only once; the data collector will use the same account to retrieve information from each VDOM on the unit. You can complete this step in either the Fortinet web UI or in the CLI.
- Web UI setup:
- Log into the Fortinet user interface with super administrator credentials.
- In the Navigation, go to System > Admin > Administrators > Create New.
- Create a regular local user with the profile super_admin. This profile allows the configuration to be read by the data collector.
- CLI setup:
- Connect to the Fortinet device using Secure Shell (SSH).
- Create a regular local user with the super_admin profile using the following commands, replacing username and password with the user name and password for the new account.
```
config global
config system admin user
edit username
set password password
set accprofile super_admin
end
```
Note: If you change the user name and password on your device in the future, you will need to manually update these credentials in Administration. Data retrieval will fail if the data collector cannot log into the monitored device.
- Forward syslog data from the Fortinet device to the data collector. Basic syslog settings can be entered through the Fortinet web UI. However, because it provides additional servers and more options, we recommend using the CLI.
- Connect to the Fortinet device using Secure Shell (SSH).
- Modify the logging and traffic settings with the following commands, replacing DATA_COLLECTOR_IP_ADDRESS with the IP address of the data collector that will be receiving syslog data.
```
config global
config log syslogd setting
set status enable
set csv disable
set server DATA_COLLECTOR_IP_ADDRESS
end
```
If you currently have "other" traffic enabled, we recommend that you disable it to prevent excessive data from being generated and to reduce performance impacts.
```
config global
config log syslogd filter
set other-traffic disable
end
```
- Restart the data collector by running the following command.
```
fmos restart
```
- Create a representation of the central syslog server that this device logs to. If you have multiple central syslog servers, each server should be created in Administration only once.
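Before handing the device to the data collector, it is worth confirming that a saved FortiOS configuration actually contains the settings the steps above ask for: a super_admin account, syslogd enabled with a server address and CSV off, other-traffic disabled, and (per the note at the top of this page) FortiCloud logging not enabled, since that would bypass the syslog server. The following is an added example, not FireMon's or Fortinet's code. The config dump in it is constructed for the example, and the section names it looks up (`system admin`, `log syslogd setting`, `log syslogd filter`, and in particular `log fortiguard setting` for FortiCloud logging) are assumptions about the FortiOS config file layout; the parser handles only the `config`/`edit`/`set`/`next`/`end` subset of the syntax.

```python
"""Added example (not FireMon's or Fortinet's code): check a FortiOS config dump
for the settings the FortiGate VDOM onboarding procedure expects."""
from typing import Dict, List, Optional, Tuple

# Constructed sample FortiOS config dump (not from a real device). It leaves
# other-traffic on and FortiCloud logging on so the checker has something to flag.
SAMPLE_CONFIG = """\
config global
    config system admin
        edit "firemon-dc"
            set accprofile "super_admin"
            set password ENC <redacted>
        next
        edit "auditor"
            set accprofile "prof_admin"
        next
    end
    config log syslogd setting
        set status enable
        set csv disable
        set server "192.0.2.10"
    end
    config log syslogd filter
        set other-traffic enable
    end
    config log fortiguard setting
        set status enable
    end
end
"""

Tree = Dict[str, object]


def parse_fortios_config(text: str) -> Tree:
    """Parse FortiOS CLI syntax into nested dicts: 'config' and 'edit' open a
    child dict, 'set K V...' stores a string value, 'next'/'end' close a level."""
    root: Tree = {}
    stack: List[Tree] = [root]
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        kw, args = parts[0], parts[1:]
        if kw in ("config", "edit"):
            child: Tree = {}
            stack[-1][" ".join(args).strip('"')] = child
            stack.append(child)
        elif kw == "set" and args:
            stack[-1][args[0]] = " ".join(args[1:]).strip('"')
        elif kw in ("end", "next") and len(stack) > 1:
            stack.pop()
    return root


def find_section(tree: Tree, name: str) -> Optional[Tree]:
    """Depth-first search for a section by name, so the check works whether or
    not the dump is wrapped in 'config global' (VDOM-enabled units)."""
    for key, value in tree.items():
        if not isinstance(value, dict):
            continue
        if key == name:
            return value
        found = find_section(value, name)
        if found is not None:
            return found
    return None


def check_collector_readiness(config_text: str) -> List[Tuple[str, str]]:
    """Return (level, finding) pairs for the settings this procedure relies on."""
    tree = parse_fortios_config(config_text)
    findings: List[Tuple[str, str]] = []

    # 1. A local account with the super_admin profile must exist.
    admins = find_section(tree, "system admin") or {}
    super_admins = sorted(
        name for name, entry in admins.items()
        if isinstance(entry, dict) and entry.get("accprofile") == "super_admin"
    )
    if super_admins:
        findings.append(("OK", "super_admin accounts: " + ", ".join(super_admins)))
    else:
        findings.append(("FAIL", "no account with the super_admin profile"))

    # 2. Syslog forwarding must be enabled, pointed at a server, with CSV off.
    syslog = find_section(tree, "log syslogd setting") or {}
    if syslog.get("status") != "enable" or not syslog.get("server"):
        findings.append(("FAIL", "syslogd is not enabled with a server address"))
    else:
        findings.append(("OK", f"syslog forwarding to {syslog['server']}"))
    if syslog.get("csv") != "disable":
        findings.append(("WARN", "csv output should be disabled for the collector"))

    # 3. Recommended: other-traffic logging off to limit volume.
    filt = find_section(tree, "log syslogd filter") or {}
    if filt.get("other-traffic") != "disable":
        findings.append(("WARN", "other-traffic logging is on; disable it to limit volume"))

    # 4. FortiCloud logging overrides syslog servers (section name is an assumption).
    cloud = find_section(tree, "log fortiguard setting") or {}
    if cloud.get("status") == "enable":
        findings.append(("WARN", "FortiCloud logging is enabled; syslog servers will be bypassed"))
    return findings


if __name__ == "__main__":
    for level, msg in check_collector_readiness(SAMPLE_CONFIG):
        print(f"[{level}] {msg}")
```

Run it against a `show full-configuration` dump saved to a file instead of the embedded sample; a FAIL finding means the data collector will not be able to log in or will receive no syslog, and a WARN on FortiCloud means the syslog server you configured will be silently unused.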
Step 2: Add the Device in the Administration Module
- On the toolbar, click Device > Devices.
- Click Create, and then click Fortinet > FortiGate Firewall VDOM.
- General Properties section.
To prevent errors in device group-level device maps and incorrect reporting data, all devices added in Administration must have unique IP addresses. If devices with duplicate IP addresses must be added within a domain, it is strongly recommended that those devices be separated into discrete device groups, where no duplicate IP addresses are included in the same device group. Devices with duplicate IP addresses will cause errors in the All Devices device map, and may cause incorrect data in reports, even if they are in discrete device groups.
- In the Name box, type the name of the device as you want to see it in SIP.
- In the Description box, type an optional description of the device being added.
- In the Management IP Address box, type the IP address of the device.
- In the Data Collector Group box, select the IP address of the data collector group that will collect data from this device.
- In the Central Syslog Server box, select the syslog server from the list (optional).
Syslog fields are optional if the device uses the same IP for syslog and management.
A central syslog server is required only if syslog messages come from a different IP. A central syslog server must be created before it can be assigned to a device. To track usage via syslog, the device must support Level 3+.
- In the Syslog Match Names box, type the syslog match name (optional). You can enter multiple comma-separated names.
- By default, the Automatically Retrieve Configuration check box is selected.
- In the External ID box, type a unique identifier to be used when the device identifier is different than what is displayed in SIP.
- Collection Configuration is set on the management station, or by duplicating and then editing the default configuration (Device > Collection Configuration). Default is the configuration provided by the installed device pack.
- Device Settings section.
- If this device is being managed, Managed By displays the management station name and ADOM Name is provided.
- In the VDOM Name box, type the name of the VDOM device.
Credentials
- In the User Name box, type the user name for the super_admin account.
- In the Password box, type the password used for the super_admin account.
- In the Re-enter Password box, retype the password entered above.
Retrieval
- Select a Method for retrieval. Automation requires the From Server retrieval method. When the method is set to From Server, the retrieval parameters are taken from the Managed By device's settings.
- Policy Automation section.
- Select the Suppress FQDN Capabilities check box to use an IP address instead of FQDN when creating network objects.
- REST Port is set to 443 by default.
- Standalone FortiGate firewalls not managed by a FortiManager will need an Authorization token.
- Monitoring section.
- Log Monitoring
By default, the Enable Log Monitoring check box is selected. To disable this automatic function, clear the check box.
By default, the Log Update Interval is set to 10 minutes.
- Change Monitoring
By default, the Enable Change Monitoring check box is selected.
- Enter an optional Alternate Syslog Source IP.
Select the Perform Change Verification check box to allow the Data Collector to verify there are actual changes prior to posting a revision to Security Manager. This will enable more efficient use of disk space by not posting revisions that did not change from the last normalized revision.
- Retrieval section.
Scheduled Retrieval
Select the Enable Scheduled Retrieval check box to perform a retrieval at a set time daily regardless of change.
- The default Check for Change Interval time is 1440 minutes (every 24 hours). You can change the check interval time to best fit your requirements. The minimum required interval is 60 minutes (1 hour).
- Set an optional time in the Check for Change Start Time box. To schedule the first retrieval for a specific time, select the Starting at check box and select a time. The first retrieval will run at the time you enter. All subsequent retrievals will occur at the interval you entered above, based on the time that the first retrieval occurred. If you do not select a Change Start Time, the first scheduled retrieval will occur immediately after you save the settings. Subsequent retrievals will occur at the interval you entered.
Check for Change Retrieval
Select the Enable Check for Change check box to enable checking for configuration changes after the specified interval, and to perform a retrieval if changes are detected.
- Advanced section.
- File Retrieval Options:
- Select the Use Batch Config Retrieval check box only if you are manually sending configurations for this device using your data collector's batchconfig directory. While this option is enabled, online retrievals will be disabled.
- Select the Disable Route File Retrieval check box only if you want to disable this automatic function. Disabling route file retrievals tells the Data Collector to not retrieve the route files from that specific device. This option can be selected when route files cause a timeout on retrieval or make normalization take longer than normal.
- SSH Key Options: Select the Automatically Update SSH Keys check box if you want the data collector to automatically update the SSH key for a device when a conflict occurs.
- Virtual Domain Options: Select the Disable Virtual Domain Check check box to disable the virtual domain check in order to monitor virtual domains as standalone firewalls.
- Advanced Retrieval Settings:
- Select a Device Charset Encoding from the list.
- The Configuration Retrieval Timeout (seconds) is set to 600 seconds and is the time to wait for a response during a retrieval.
- Select the Enable Deprecated Ciphers and Algorithms check box to extend the OpenSSH options with deprecated ciphers and algorithms (weak SSH keys) for devices whose OS cannot be updated to a supported OpenSSH version.
- Enforcement section. For Policy Planner users only.
Select one of the available enforcement options:
- Allow All: All automation is allowed (enforcement, change, manual).
- Manual Only: When selected, all changes must be manually pushed for this device.
- Prevent All: No automation is allowed.
- Window Only: Automation can only take place in the assigned enforcement window.
If this device is assigned to an enforcement or change window, it will be listed. If there is no assignment, changes must be manually pushed for this device.
- Supplemental Routes section.
Supplemental routes cannot be added until after a retrieval normalizes successfully. You can perform a manual retrieval before continuing.
Click Add.
Complete fields in the Add Supplemental Routes dialog box:
- Select an Interface.
If you select an Interface, you will not need to select a virtual router and next virtual router. If no interface is selected, you will need to select a Virtual Router and Next Virtual Router.
- Type the Destination IP address.
- Type the Gateway IP address.
- Select a Virtual Router.
- Select a Next Virtual Router.
- Switch the Drop toggle to enable (disabled = Accept).
- Click Add.
- Click Save.
Step 3: Verify Communication
Because automatically retrieving a configuration is enabled by default, there is nothing for you to do. Security Manager will automatically attempt to retrieve a device configuration.
To do a manual retrieval, select the device row, click the Menu icon and then click Retrieve Configuration.
It may take up to 15 minutes to see the status result of the retrieval.