Monitoring Fortinet Firewalls (Fortigate)

Overview

This section describes monitoring standalone Fortinet firewalls for policy revision changes. The TOS features for these devices are limited compared to a FortiManager device - see Fortinet Features. To monitor FortiManager, see Monitoring Fortinet FortiManager.

For TOS to show full accountability details (who made each policy change and when it was made) and rule and object usage, you must also configure the device to send syslogs to TOS. Without syslogs, TOS still retrieves revisions but cannot attribute changes to an administrator or populate usage data.

By default, Fortinet devices define an "all" object that will represent "any." Making changes to this object may cause Provisioning to fail on the device.

To see which TOS features are supported for your device, review the SecureTrack Features by Vendor.

Fortigate clusters

  • In active-passive clusters, there may be temporary data loss during failover until TOS pulls a new revision. TOS only stores one log identifier, and this will be updated after a new revision is retrieved from the new active device.

  • In active-active clusters, there may be data loss when pulling revisions because TOS only stores one log identifier. In active-active clusters, both devices send syslogs.

Prerequisites

  • Select a user that has Read permissions (Read Only or Read/Write) for all information on the Fortinet device. A read-only account is sufficient for revision retrieval and is the safer choice. If your device has VDOMs, make sure that your read-only user is configured correctly according to the official Fortinet documentation, so that it can read the configuration of every VDOM you intend to monitor.

  • If you are going to monitor clusters through individual firewalls, you must disable usage analysis and topology for the standby member. This will ensure proper routing and avoid duplicates in the Interactive Map.

  • TOS and the monitored devices must be synchronized with the correct date and time, either manually or automatically. We recommend that you also configure the devices to resolve DNS queries.
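The device-side configuration that these prerequisites (the read-only user, the syslog feed that gives TOS accountability and usage data, and time/DNS synchronization) and the SSH version 2 requirement in the connection step call for, as an added FortiOS CLI example. It is not part of Tufin's or Fortinet's documentation. It assumes placeholder values: the TOS server is 192.0.2.10, the NTP server is 192.0.2.123, the DNS server is 192.0.2.53, the profile and account are named "tos-readonly" and "tos-monitor", and the management interface is "mgmt". Replace them for your environment.

```fortios
# Added example (not Tufin's or Fortinet's own text). Placeholders assumed:
# TOS server 192.0.2.10, NTP 192.0.2.123, DNS 192.0.2.53, interface "mgmt".
# On a VDOM-enabled unit, enter "config global" before running these blocks.

# 1. Read-only admin profile: every feature group is "read", nothing is
#    read-write. "scope global" is assumed to be what lets one account read
#    all VDOMs; confirm against the Fortinet VDOM documentation.
config system accprofile
    edit "tos-readonly"
        set scope global
        set comments "Read-only profile for Tufin TOS revision retrieval"
        set secfabgrp read
        set ftviewgrp read
        set authgrp read
        set sysgrp read
        set netgrp read
        set loggrp read
        set fwgrp read
        set vpngrp read
        set utmgrp read
        set wifigrp read
    next
end

# 2. The account TOS logs in with. trusthost1 pins it to the TOS address,
#    so the credential cannot be used from any other host.
config system admin
    edit "tos-monitor"
        set accprofile "tos-readonly"
        set trusthost1 192.0.2.10 255.255.255.255
        set password "<strong-unique-password>"
    next
end

# 3. SSH on the management interface only, SSHv1 and Telnet disabled
#    (Telnet would carry the TOS credential in cleartext).
config system interface
    edit "mgmt"
        set allowaccess ping https ssh
    next
end
config system global
    set admin-ssh-v1 disable
    set admin-telnet disable
end

# 4. Syslog to TOS. Event/system logs carry the admin and configuration
#    change records (who, what, when); forward/local traffic logs carry
#    the policy hits behind rule and object usage.
config log syslogd setting
    set status enable
    set server "192.0.2.10"
    set mode udp
    set port 514
    set facility local7
    set format default
end
config log syslogd filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
end
config log eventfilter
    set event enable
    set system enable
end

# 5. Time and DNS, so log timestamps line up with TOS and names resolve.
config system ntp
    set ntpsync enable
    set type custom
    set syncinterval 60
    config ntpserver
        edit 1
            set server "192.0.2.123"
        next
    end
end
config system dns
    set primary 192.0.2.53
end
```

FortiGate only emits traffic logs for firewall policies whose logging is enabled (set logtraffic all or utm in config firewall policy), so rule usage stays empty for policies that do not log. In an active-active cluster apply step 4 on both members, since both send syslogs.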

Add a device

  1. Select Fortinet > Fortigate.

  2. Configure the device settings:
    • Name for Display
    • Domain: Available only if you have configured your system for managing multiple domains and All Domains is currently selected. Select the domain to which to add the device. The Domain can only be entered when adding a device; to change the Domain, you must migrate the device.

    • Get revisions from: One of the following:
      • IP Address: Revisions are retrieved automatically.

        Enter the IP of the management device. If the device is in a cluster, enter the VIP.

      • Offline File: (If available) Revisions are manually uploaded to TOS for Offline Analysis

    • ST server: In a distributed deployment, select which TOS cluster monitors this device.

    • To enable adding and monitoring Virtual Domains, select This device has Virtual Domains configured.

    Click Next.

  3. Configure the TOS connection to the Fortinet device, according to the parameters required by the device.

    • Enter the authentication details needed to connect to the Fortinet device.
      • Username and password: Enter the device username and password
      • Enable password: Enter the password to give TOS elevated privileges on the device
    • Connection configuration: Select whether to use SSH (preferred) or Telnet. Telnet sends the device credentials in cleartext, so use it only where SSH cannot be enabled. To use the default port (22 for SSH, 23 for Telnet; recommended in most cases), leave the Port number blank.
      The device must be configured to use SSH version 2.
  4. Click Next.
  5. In Monitoring Settings, do one of the following:

    • To use the real-time monitoring and timing settings from the Timing page, select Default.

    • To override them for this device, select Custom and configure the monitoring mode and its settings:

      • Real-Time Monitoring: Requires the syslog configuration described in Prerequisites. Configure:
        • 'Install policy' interval: When two or more Install Policy events for the same policy occur within this interval, TOS combines them into a single Install Policy revision (default: 60 seconds).
        • Automatic fetch frequency: How often (in minutes) TOS automatically fetches the configuration.

      • Periodic Polling: Configure the Polling frequency, which is how often TOS fetches the configuration from the device.

        If you select 1 day, you can also select the exact time (hour and minute) for the daily poll.

  6. Click Next.
  7. Save the configuration.

    The Fortinet device now appears in the Monitored Devices list.

Configure a monitored device

After you add a device, further configuration options are available.

Options vary depending on your environment.
How do I get here?

SecureTrack > Monitoring > Manage Devices