Fortigate

LogZilla App Store application: Fortigate

Overview

Fortigate is a line of firewall devices produced by Fortinet. FortiGate Next Generation Firewalls enable security-driven networking and consolidate security capabilities such as intrusion prevention system (IPS), web filtering, secure sockets layer (SSL) inspection, and automated threat protection.

App Function

  • Parse Fortigate key/value pair log format
  • Extract high-value tags for analysis and alerting
  • Provide dashboards for traffic, UTM, and event monitoring
  • Provide triggers for security alerts

Vendor Documentation

Device Configuration

Configure the Fortigate device to send syslog messages to LogZilla:

  1. Log into the Fortigate web interface
  2. Navigate to Log & Report in the left sidebar
  3. Click Log Settings
  4. In the Remote Logging and Archiving section:
    • Toggle Send logs to syslog to Enabled
    • Enter the LogZilla server IP address or FQDN in the IP Address/FQDN field
    • Leave the default syslog port (514) unless LogZilla is configured differently
  5. In the Log Settings section:
    • Set Local Traffic Log to All (recommended) or Customize based on requirements
    • Set Event Logging to All or Customize as needed
  6. Click Apply to save the configuration

Verification

Generate network traffic through the Fortigate, then verify events appear in LogZilla with the program name Fortigate.

Fortigate Configuration

Incoming Log Format

Fortigate log messages consist of key/value pairs:

    date=YYYY-MM-DD time=HH:MM:SS type="value" subtype="value" key="value" ...

  • date/time - Timestamp fields (removed during processing)
  • type - Log type (traffic, utm, event)
  • subtype - Log subtype (forward, virus, webfilter, user, etc.)
  • key=value - Additional fields vary by event type

Parsed Metadata Fields

The app extracts high-value fields from Fortigate logs using standardized tag names for cross-vendor compatibility.

Global Tags

Tag | Example | Description
Vendor | Fortinet | Vendor name
Product | FortiGate | Product name
Event Class | security | Cross-vendor classification
Event Type | intrusion | Specific event type (login_failure, malware, intrusion, access_denied)
MitreId | T1190 | MITRE ATT&CK technique ID
MITRE Tactic | Initial Access | MITRE ATT&CK tactic

Standardized Tags

Tag | Example | Description
SrcIP | 10.1.100.11 | Source IP address
DstIP | 172.16.200.55 | Destination IP address
DstPort | https | Destination port (translated to service name)
User | bob | Username
Action | blocked | Action taken
SrcInt | port12 | Source interface
DstInt | port11 | Destination interface

Fortigate-Specific Tags

Tag | Example | Description
Fortigate Type | traffic | Log type (traffic, utm, event)
Fortigate Subtype | forward | Log subtype
Fortigate Status | success | Event status
Fortigate Service | HTTP | Service name
Fortigate VDOM | vdom1 | Virtual domain
Fortigate Attack | SQL.Injection | Attack name (IPS events)
Fortigate Virus | EICAR_TEST_FILE | Detected virus name
Fortigate Category | Malicious Websites | Web filter category
Fortigate Profile | g-default | Security profile name

Log Examples

Block SSL Traffic

    date=2019-03-28 time=10:57:42 logid="1700062053" type="utm" subtype="ssl"
    eventtype="ssl-anomalies" level="warning" vd="vdom1" policyid=1
    sessionid=11424 service="SMTPS" profile="block-unsupported-ssl"
    srcip=10.1.100.66 srcport=41296 dstip=172.16.200.99 dstport=8080
    srcintf="port2" dstintf="unknown-0" proto=6 action="blocked"
    msg="Connection is blocked due to unsupported SSL traffic"
    reason="malformed input"

Successful Authentication

    date=2019-05-13 time=15:55:56 logid="0102043008" type="event" subtype="user"
    level="notice" vd="root" srcip=10.1.100.11 dstip=172.16.200.55 policyid=1
    interface="port10" user="bob" group="local-group1"
    authproto="TELNET(10.1.100.11)" action="authentication" status="success"
    reason="N/A" msg="User bob succeeded in authentication"

Web Access Denied

    date=2019-05-13 time=16:29:45 logid="0316013056" type="utm"
    subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="vdom1"
    policyid=1 sessionid=381780 srcip=10.1.100.11 srcport=44258 srcintf="port12"
    dstip=185.244.31.158 dstport=80 dstintf="port11" proto=6 service="HTTP"
    hostname="morrishittu.ddns.net" profile="test-webfilter" action="blocked"
    reqtype="direct" url="/" direction="outgoing"
    msg="URL belongs to a denied category in policy" catdesc="Malicious Websites"

MITRE ATT&CK Mapping

Event Type | Technique | Tactic
IPS Detection | T1190 | Initial Access
Virus Detection | T1204 | Execution
Web Filter Block | T1071 | Command and Control
DLP Violation | T1048 | Exfiltration
App Control Block | T1071 | Command and Control
SSL Inspection | T1573 | Command and Control
SSH Inspection | T1021 | Lateral Movement
Auth Failure | T1110 | Credential Access
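The three sections above (the key/value log format, the tag tables, and the MITRE mapping) fit together as one pipeline: split a line into fields, copy the fields the app cares about into standardized tag names, then attach a technique and tactic by subtype. The following Python is an added example of that pipeline written for this page; it is not the LogZilla app's own code. It runs on the three log examples shown above. Everything not taken from the page is an assumption and labelled as such: the port-to-service table is a constructed stub, and the rule that keys the MITRE table on FortiGate's `subtype` value (`ips`, `virus`, `webfilter`, `dlp`, `app-ctrl`, `ssl`, `ssh`, and `user` with `status="failed"`) is a guess at how the app decides which table row applies.

```python
"""Parse FortiGate key/value syslog lines into LogZilla-style tags.

Added example, not the LogZilla Fortigate app's own code. The regex
handles the format shown on this page: bare values (policyid=1) and
double-quoted values that may contain spaces (msg="..."). Tag names
follow the page's tables; the subtype -> Event Type / MITRE lookup is
an assumption about how the app keys its mapping.
"""
import re

# key=value or key="value with spaces"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed stub for the "translated to service name" DstPort tag.
# Ports not listed here are kept numeric.
PORT_NAMES = {"21": "ftp", "22": "ssh", "25": "smtp", "53": "dns",
              "80": "http", "443": "https", "3389": "rdp"}

# Field -> tag copies, from the Standardized and Fortigate-Specific tables.
DIRECT = {
    "srcip": "SrcIP", "dstip": "DstIP", "user": "User", "action": "Action",
    "srcintf": "SrcInt", "dstintf": "DstInt",
    "type": "Fortigate Type", "subtype": "Fortigate Subtype",
    "status": "Fortigate Status", "service": "Fortigate Service",
    "vd": "Fortigate VDOM", "attack": "Fortigate Attack",
    "virus": "Fortigate Virus", "catdesc": "Fortigate Category",
    "profile": "Fortigate Profile",
}

# Assumed: FortiGate subtype -> (Event Type, technique, tactic), rows taken
# from the MITRE ATT&CK Mapping table. Inspection/filter subtypes count
# only when the firewall actually blocked (see classify()).
MITRE = {
    "ips":       ("intrusion",     "T1190", "Initial Access"),
    "virus":     ("malware",       "T1204", "Execution"),
    "webfilter": ("access_denied", "T1071", "Command and Control"),
    "dlp":       ("access_denied", "T1048", "Exfiltration"),
    "app-ctrl":  ("access_denied", "T1071", "Command and Control"),
    "ssl":       ("access_denied", "T1573", "Command and Control"),
    "ssh":       ("access_denied", "T1021", "Lateral Movement"),
}
BLOCK_ACTIONS = {"blocked", "deny", "dropped"}   # from the Security Block trigger


def parse_kv(line: str) -> dict:
    """Split one FortiGate log line into a dict; date/time are dropped."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    fields.pop("date", None)
    fields.pop("time", None)
    return fields


def classify(fields: dict) -> dict:
    """Map parsed fields to the tag names used in the tables above."""
    tags = {"Vendor": "Fortinet", "Product": "FortiGate"}
    for src, dst in DIRECT.items():
        if src in fields:
            tags[dst] = fields[src]
    if "dstport" in fields:
        tags["DstPort"] = PORT_NAMES.get(fields["dstport"], fields["dstport"])

    sub = fields.get("subtype")
    action = fields.get("action", "")
    status = fields.get("status", "")
    hit = None
    if sub == "user" and status == "failed":        # assumed failure marker
        hit = ("login_failure", "T1110", "Credential Access")
    elif sub in ("ips", "virus"):                   # detections map as-is
        hit = MITRE[sub]
    elif sub in MITRE and action in BLOCK_ACTIONS:  # filters map on block
        hit = MITRE[sub]
    if hit:
        tags["Event Class"] = "security"
        tags["Event Type"], tags["MitreId"], tags["MITRE Tactic"] = hit
    return tags


def tag_line(line: str) -> dict:
    return classify(parse_kv(line))


# The page's three log examples, re-joined onto single lines.
EXAMPLES = {
    "ssl": 'date=2019-03-28 time=10:57:42 logid="1700062053" type="utm" subtype="ssl" '
           'eventtype="ssl-anomalies" level="warning" vd="vdom1" policyid=1 '
           'sessionid=11424 service="SMTPS" profile="block-unsupported-ssl" '
           'srcip=10.1.100.66 srcport=41296 dstip=172.16.200.99 dstport=8080 '
           'srcintf="port2" dstintf="unknown-0" proto=6 action="blocked" '
           'msg="Connection is blocked due to unsupported SSL traffic" reason="malformed input"',
    "auth": 'date=2019-05-13 time=15:55:56 logid="0102043008" type="event" subtype="user" '
            'level="notice" vd="root" srcip=10.1.100.11 dstip=172.16.200.55 policyid=1 '
            'interface="port10" user="bob" group="local-group1" '
            'authproto="TELNET(10.1.100.11)" action="authentication" status="success" '
            'reason="N/A" msg="User bob succeeded in authentication"',
    "web": 'date=2019-05-13 time=16:29:45 logid="0316013056" type="utm" subtype="webfilter" '
           'eventtype="ftgd_blk" level="warning" vd="vdom1" policyid=1 sessionid=381780 '
           'srcip=10.1.100.11 srcport=44258 srcintf="port12" dstip=185.244.31.158 dstport=80 '
           'dstintf="port11" proto=6 service="HTTP" hostname="morrishittu.ddns.net" '
           'profile="test-webfilter" action="blocked" reqtype="direct" url="/" '
           'direction="outgoing" msg="URL belongs to a denied category in policy" '
           'catdesc="Malicious Websites"',
}

if __name__ == "__main__":
    for name, line in EXAMPLES.items():
        print(name, tag_line(line))
```

Running it shows the SSL block tagged T1573 / Command and Control, the web filter block tagged access_denied with Category "Malicious Websites", and the successful authentication carrying User and Fortigate Status but no MITRE tags, which is the behaviour the trigger list implies (only failed authentication is an ATT&CK event). Quoted values are matched before bare ones so a message containing spaces or parentheses, such as `authproto="TELNET(10.1.100.11)"`, stays intact.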

Dashboards

Dashboard | Description
FortiGate Traffic | Traffic flow analysis and top talkers
FortiGate UTM | Security events, blocks, and MITRE tactics
FortiGate Event | System events, HA status, and authentication

Triggers

Trigger | Description
Fortigate: MITRE ATT&CK Threat Detected | Events with MITRE technique mapping
Fortigate: Security Block | UTM block events (blocked, deny, dropped)
Fortigate: Virus Detected | Antivirus detection events
Fortigate: Intrusion Detected | IPS detection events
Fortigate: Web Filter Block | Web filter block events
Fortigate: Authentication Failure | Failed authentication attempts
Fortigate: VPN Event | VPN connection events
Fortigate: HA State Change | High availability state changes
Fortigate: Critical System Event | Critical system events
Fortigate: DLP Violation | Data leak prevention violations
Fortigate: Application Control Block | Application control blocks