We're launching a new cybersecurity venture! Learn more about Snowbit >

Create an Account Request Demo

FortiGate FortiGate

Last Updated: Mar. 30, 2022

Fortinet traffic logs record the traffic flowing through your FortiGate unit, between FortiGate interfaces, zones, and VLAN sub-interfaces. Coralogix provides seamless integration with Fortigate traffic logs, with which you can easily collect all information about sessions processed by your FortiGate unit to Coralogix, analyze them, get automatic insights on top of them, create meaningful alerts, etc…

Using Filebeat

Prerequisites

This document includes cluster-dependent URLs. Each URL has a variable part (in Italic). Please match this part with a row entry within the following table. Copy the table row entry located under the column that matches the top level domain of your Coralogix account (.com, .in etc.). Replace the variable part of the URL with this entry.

 Elasticsearch-APISSL CertificatesCluster URL
.comhttps://coralogix-esapi.coralogix.com:9443https://coralogix-public.s3-eu-west-1.amazonaws.com/certificate/Coralogix-EU.crtcoralogix.com
.ushttps://esapi.coralogix.us:9443https://www.amazontrust.com/repository/AmazonRootCA1.pemcoralogix.us
.inhttps://es-api.app.coralogix.in:9443https://coralogix-public.s3-eu-west-1.amazonaws.com/certificate/Coralogix-IN.pemapp.coralogix.in
.eu2.https://es-api.eu2.coralogix.com:9443https://www.amazontrust.com/repository/AmazonRootCA1.pemapp.eu2.coralogix.com
sg.comhttps://es-api.coralogixsg.com:9443https://www.amazontrust.com/repository/AmazonRootCA1.pemapp.coralogixsg.com

General

Private Key – A unique ID that represents your company. The private key can be found under ‘settings’->’ send your logs’. It is located in the upper left corner.

Company Id – A unique number that represents your company. You can get your company id from the settings tab in the Coralogix dashboard.

Application Name – The name of your main application, for example, a company named “SuperData” would probably insert the “SuperData” string parameter or if they want to debug their test environment they might insert the “SuperData– Test”.

SubSystem Name – Your application probably has multiple subsystems, for example, Backend servers, Middleware, Frontend servers, etc. in order to help you examine the data you need, inserting the subsystem parameter is vital.

Configuration

If your Coralogix account top-level domain is different than ‘.com’ add these environment variables:

CORALOGIX_LOG_URL=https://api.Cluster URL/api/v1/logs

CORALOGIX_TIME_DELTA_URL=https://api.Cluster URL/sdk/v1/time

Open your Filebeat configuration file and configure it to use Logstash (Make sure you disable Elasticsearchoutput). For more information about configuring Filebeat to use Logstash please refer to https://www.elastic.co/guide/en/beats/filebeat/current/config-filebeat-logstash.html

Point your Filebeat to output to Coralogix Logstash server:

logstashserver.Cluster URL:5044

or if you want to use an encrypted connection (recommended):

logstashserver.Cluster URL:5015

Here is the Filebeat configuration file filebeat.yml:

#============================== Filebeat Inputs ===============================

filebeat.inputs:
- type: udp
  max_message_size: 10KiB
  host: "localhost:514"

fields_under_root: true
fields:
PRIVATE_KEY: "YOUR_PRIVATE_KEY"
COMPANY_ID: YOUR_COMPANY_ID
APP_NAME: "APP_NAME"
SUB_SYSTEM: "SUB_NAME"

#----------------------------- Logstash output --------------------------------

output.logstash:
enabled: true
hosts: ["logstashserver.Cluster URL:5015"]
ssl.certificate_authorities: ["<path to folder with certificates>/ca.crt"]

After starting your Filebeat server you should expect to receive your Fortinet traffic logs into Coralogix. For more information on installing and configuring Filebeat visit here.

Using Logstash

Prerequisites

General

Private Key – A unique ID that represents your company, this Id will be sent to your mail once you register to Coralogix.

Application Name – The name of your main application, for example, a company named “SuperData” would probably insert the “SuperData” string parameter or if they want to debug their test environment they might insert the “SuperData– Test”.

SubSystem Name – Your application probably has multiple subsystems, for example, Backend servers, Middleware, Frontend servers, etc. in order to help you examine the data you need, inserting the subsystem parameter is vital.

Configuration

If your Coralogix account top-level domain is different than ‘.com’ add these environment variables:

CORALOGIX_LOG_URL=https://api.Cluster URL/api/v1/logs

CORALOGIX_TIME_DELTA_URL=https://api.Cluster URL/sdk/v1/time

Open your Logstash configuration file and add Coralogix output. You should configure the input plugin to be UDP input.

Here is the Logstash pipeline configuration logstash.conf:

input {
  udp { 
    port => 514
  }
}
output {
  coralogix {
    config_params => {
      "PRIVATE_KEY" => "${CORALOGIX_PRIVATE_KEY}"
      "APP_NAME"    => "${CORALOGIX_APP_NAME}"
      "SUB_SYSTEM"  => "${CORALOGIX_SUB_SYSTEM}"
    }
    is_json => true
  }
}

After starting your Logstash server you should expect to receive your Fortinet traffic logs into Coralogix. For more information on installing and configuring Logstash visit here.

On this page