FortiGate Integration
This guide covers how to configure Fortinet FortiGate firewalls to forward security logs to the KYRA MDR Collector via syslog.
Supported versions: FortiOS 6.4, 7.0, 7.2, 7.4+
Prerequisites
- A KYRA MDR Collector installed and running (Installation Guide)
- FortiGate administrative access (CLI or GUI)
- Network connectivity from the FortiGate to the collector on port 514
Step 1: Enable Syslog on FortiGate (GUI)
- Log in to the FortiGate web console
- Navigate to Log & Report > Log Settings
- Under Remote Logging and Archiving, enable Send Logs to Syslog
- Configure the following:
| Setting | Value |
|---|---|
| IP Address/FQDN | Your KYRA Collector IP (e.g., 10.0.1.50) |
| Port | 514 |
| Server Type | Syslog |
| Minimum Log Level | Information |
| Facility | local7 (recommended) |
- Click Apply
Step 2: Enable Syslog on FortiGate (CLI)
Connect to the FortiGate CLI and run:
```
config log syslogd setting
    set status enable
    set server "10.0.1.50"
    set port 514
    set facility local7
    set source-ip ""
    set format default
    set mode udp
end
```

For reliable delivery using TCP:

```
config log syslogd setting
    set status enable
    set server "10.0.1.50"
    set port 514
    set mode reliable
end
```

Note: `reliable` mode uses TCP, so logs are retransmitted rather than silently dropped during network congestion. Recommended for production deployments.
Step 3: Configure Log Categories
Enable the log types that matter for security monitoring:
```
config log syslogd filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set anomaly enable
    set voip disable
    set filter ""
    set filter-type include
end
```

Recommended Log Types
| Log Type | CLI Setting | Why It Matters |
|---|---|---|
| Traffic | forward-traffic enable | Network flow visibility, lateral movement detection |
| UTM/Security | Enabled by default | IPS, AV, web filter, application control events |
| Event | Enabled by default | Admin logins, config changes, HA failovers |
| Anomaly | anomaly enable | DoS detection, protocol anomalies |
| DNS | dns enable (FortiOS 7.0+) | DNS tunneling, C2 detection |
Enable DNS Logging (FortiOS 7.0+)
```
config log syslogd filter
    set dns enable
end
```

Step 4: Configure a Second Syslog Server (Optional)
FortiGate supports up to four syslog servers. To add KYRA as a secondary destination:
```
config log syslogd2 setting
    set status enable
    set server "10.0.1.50"
    set port 514
    set mode reliable
end
```

Step 5: Verify Logs Are Flowing
On the FortiGate
Check that syslog is active:
```
diagnose log test
```

This sends a test log entry. Then verify the syslog configuration:

```
get log syslogd setting
```

Confirm that `server` and `status` are correct.
On the KYRA Collector
Check that events are arriving:
```
# View incoming syslog traffic
sudo tcpdump -i any port 514 -c 10

# Check collector logs
sudo journalctl -u kyra-collector --since "5 minutes ago" | grep -i forti
```

In the KYRA Console
- Go to Log Search
- Search for `source_type:fortigate` or filter by your FortiGate's IP address
- You should see firewall traffic, UTM events, and system events
- Go to Dashboard to confirm event ingestion metrics are increasing
FortiGate Log Format Reference
KYRA MDR automatically parses FortiGate log formats. Key fields extracted:
| FortiGate Field | KYRA MDR Field | Description |
|---|---|---|
| srcip | source.ip | Source IP address |
| dstip | destination.ip | Destination IP address |
| action | event.action | allow, deny, drop, etc. |
| attack | threat.name | IPS signature name |
| severity | event.severity | critical, high, medium, low |
| logid | event.id | FortiGate log identifier |
| devname | observer.name | FortiGate hostname |
| policyid | rule.id | Firewall policy ID |
Detection Rules
KYRA MDR includes built-in detection rules for FortiGate events:
| Detection | MITRE ATT&CK | Description |
|---|---|---|
| Brute Force Admin Login | T1110 | Multiple failed admin login attempts |
| Configuration Change | T1562.001 | Firewall policy or setting modifications |
| IPS Critical Alert | Various | High-severity IPS signature matches |
| VPN Anomaly | T1133 | Unusual VPN login patterns (geo, time) |
| DNS Tunneling | T1071.004 | Suspicious DNS query patterns |
| Policy Deny Spike | T1046 | Sudden increase in denied traffic (port scan) |
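The field mapping in the Log Format Reference and two of the detections in the table above (Brute Force Admin Login, Policy Deny Spike) are shown together below as an added worked example. This is not KYRA's or Fortinet's code: the key=value regex, the sliding-window thresholds, and the sample log lines (modelled on FortiGate's default syslog format, with made-up hostnames, RFC 5737 addresses, log IDs and signature name) are all assumptions constructed for illustration; only the field names in `FIELD_MAP` come from the reference table.

```python
"""Normalise FortiGate key=value syslog lines into the KYRA MDR field names
from the reference table and run two of the listed detections over a batch.

Added example, not KYRA's or Fortinet's code. The regex, thresholds and
sample log lines are assumptions/constructions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# FortiGate writes key=value pairs, quoting strings but not numbers or IPs.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# FortiGate field -> KYRA MDR field, as given in the Log Format Reference table
FIELD_MAP = {
    "srcip": "source.ip", "dstip": "destination.ip", "action": "event.action",
    "attack": "threat.name", "severity": "event.severity", "logid": "event.id",
    "devname": "observer.name", "policyid": "rule.id",
}


def parse_fortigate(line):
    """Return the raw key=value pairs of one log line (the <PRI> prefix is skipped)."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def normalise(raw):
    """Rename mapped fields, keep the rest as-is, and build a datetime from date/time."""
    event = {FIELD_MAP.get(k, k): v for k, v in raw.items()}
    if "date" in raw and "time" in raw:
        event["@timestamp"] = datetime.strptime(raw["date"] + " " + raw["time"], "%Y-%m-%d %H:%M:%S")
    return event


def _ordered(events):
    return sorted((e for e in events if "@timestamp" in e), key=lambda e: e["@timestamp"])


def brute_force_admin_login(events, threshold=5, window=timedelta(minutes=5)):
    """T1110: one source IP fails to log in as the same admin user `threshold` times
    within `window`. Fires once, when the count first reaches the threshold."""
    alerts, recent = [], defaultdict(list)
    for ev in _ordered(events):
        if ev.get("type") != "event" or ev.get("event.action") != "login" or ev.get("status") != "failed":
            continue
        key, ts = (ev.get("source.ip"), ev.get("user")), ev["@timestamp"]
        recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
        if len(recent[key]) == threshold:
            alerts.append({"rule": "Brute Force Admin Login", "mitre": "T1110",
                           "source.ip": key[0], "user": key[1], "count": threshold})
    return alerts


def policy_deny_spike(events, threshold=20, min_ports=10, window=timedelta(minutes=1)):
    """T1046: one source IP is denied `threshold` times within `window` against at least
    `min_ports` distinct destination ports (port-scan shaped). Fires once per source."""
    alerts, recent, fired = [], defaultdict(list), set()
    for ev in _ordered(events):
        if ev.get("type") != "traffic" or ev.get("event.action") != "deny":
            continue
        src, ts = ev.get("source.ip"), ev["@timestamp"]
        recent[src] = [(t, p) for t, p in recent[src] if ts - t <= window] + [(ts, ev.get("dstport"))]
        ports = {p for _, p in recent[src]}
        if src not in fired and len(recent[src]) >= threshold and len(ports) >= min_ports:
            fired.add(src)
            alerts.append({"rule": "Policy Deny Spike", "mitre": "T1046", "source.ip": src,
                           "denies": len(recent[src]), "distinct_ports": len(ports)})
    return alerts


# Constructed sample lines modelled on FortiGate's default syslog format; the
# hostname, addresses, log IDs and signature name are made up for this example.
SAMPLE_LOGS = [
    '<189>date=2024-05-01 time=10:00:00 devname="FG-EDGE-01" logid="0000000013" type="traffic" subtype="forward" srcip=10.0.1.23 srcport=51000 dstip=192.0.2.10 dstport=443 proto=6 action="accept" policyid=12 service="HTTPS"',
    '<187>date=2024-05-01 time=10:00:03 devname="FG-EDGE-01" logid="0419016384" type="utm" subtype="ips" severity="critical" srcip=198.51.100.9 dstip=10.0.1.40 attack="Example.Placeholder.Signature" action="dropped"',
]
# five failed admin logins from one address in 40 seconds
SAMPLE_LOGS += [
    f'<185>date=2024-05-01 time=10:01:{10 * i:02d} devname="FG-EDGE-01" logid="0100032002" type="event" subtype="system" severity="high" srcip=203.0.113.7 user="admin" action="login" status="failed" reason="passwd_invalid"'
    for i in range(5)
]
# twenty denied connections from one host to twenty different ports in 20 seconds
SAMPLE_LOGS += [
    f'<189>date=2024-05-01 time=10:05:{i:02d} devname="FG-EDGE-01" logid="0000000013" type="traffic" subtype="forward" severity="low" srcip=10.0.1.23 dstip=10.0.2.10 dstport={1000 + i} proto=6 action="deny" policyid=0'
    for i in range(20)
]


def run(lines=SAMPLE_LOGS):
    """Parse and normalise every line, then return (events, alerts)."""
    events = [normalise(parse_fortigate(line)) for line in lines]
    return events, brute_force_admin_login(events) + policy_deny_spike(events)


if __name__ == "__main__":
    evts, found = run()
    print(f"{len(evts)} events parsed")
    for alert in found:
        print(alert)
```

Both detections use a sliding time window keyed on the FortiGate `date`/`time` fields rather than a flat count over the batch, which is what makes the deny-spike rule distinguish a scan from ordinary, slowly accumulating policy denies; the thresholds are deliberately conservative placeholders and should be tuned to the traffic a given FortiGate actually sees.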
Troubleshooting
No Logs Received
- Firewall rules: Ensure no ACL between the FortiGate and collector blocks port 514
- Syslog status: Run `get log syslogd setting` and confirm `status` is `enable`
- Correct IP: Verify the syslog server IP matches your collector's IP
- Log level: If the minimum log level is set to `warning` or higher, informational events are dropped. Set it to `information`
Partial Logs
- Missing traffic logs: Check that `forward-traffic` is `enable` in the syslog filter
- Missing DNS logs: DNS logging requires FortiOS 7.0+ and explicit enablement
- Missing UTM logs: Ensure security profiles (IPS, AV, Web Filter) are applied to firewall policies
High Log Volume
FortiGate can generate significant log volume. To reduce noise:
```
config log syslogd filter
    set severity warning
    set forward-traffic disable
    set anomaly enable
end
```

Warning: Disabling traffic logs reduces detection coverage. Only do this if volume is a concern. Consider upgrading your KYRA MDR plan for higher EPS limits.