2019-01-23 10:28 AM
Dear All,
We have 5 Fortigate firewalls and one FortiAnalyzer; currently the firewalls send their logs to the FortiAnalyzer.
Now we want to integrate the five firewalls into our RSA SIEM. The question is:
Is it recommended that we integrate the five firewalls into our SIEM, or is it better to integrate only the FortiAnalyzer (which receives the logs from the five firewalls) into our SIEM? Please confirm, and if there is a document confirming it, that would be great.
Looking forward to hearing from you
Best regards,
Haitham
2019-02-09 09:16 PM
Hello Haitham
There is no official document recommending either way, it all comes down to your personal preference.
Here are some thoughts you may consider when deciding.
If the FortiAnalyzer is able to handle receiving logs from the 5 Fortigate firewalls and also relaying those logs to RSA NetWitness, and NetWitness is successfully parsing (as device type fortinetmgr) all those logs to your satisfaction, then there is no need to change.
If however the logs are not completely parsed by NetWitness, then do a test sending the Fortigate firewall logs to be parsed by the fortinet parser, and see if it is better.
If the amount of traffic on the network is too much, or the load on the FortiAnalyzer is too much for it to cope, then consider having the Fortigate firewalls send their logs direct to NetWitness. You then also have the option of spreading the Fortigate firewalls traffic to different NetWitness Log Decoders or VLCs, to spread the load in NetWitness.
Remember not to duplicate the same firewall logs in NetWitness by sending syslog from the FortiAnalyzer + the same from the 5 Fortigate firewalls.
Reference: https://community.rsa.com/community/products/netwitness/parser-network/event-sources#F
Event source             Supported versions                  Device parser   Collection   Category   Latest RSA Live release
Fortinet FortiAnalyzer   5.x                                 fortinetmgr     Syslog       Firewall   12Oct2018
Fortinet FortiGate       2.8, 3.0, 4.0 MR1, 4.0 MR2, 5.x     fortinet        Syslog       Firewall   30Jan2019
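The answer above makes two practical points: do not let the same firewall events reach NetWitness both directly and via FortiAnalyzer, and know each firewall's volume before deciding whether to spread them across Log Decoders or VLCs. As an added example that is not part of this thread (and is not Fortinet or RSA code), the script below parses FortiGate key=value syslog bodies, fingerprints each event, and reports per device how many events arrived from more than one sender, which is exactly the double-feed symptom, plus delivered lines versus unique events. The records are what a collector would hold (sender IP, raw line). The FortiGate key=value body format is real; the sample lines are constructed, and the header shown for the FortiAnalyzer relay ("Feb  9 ... faz-1 ") is an assumption.

```python
"""Added example (not from the thread, not Fortinet or RSA code): detect
FortiGate events that reach the SIEM by two paths and size per-device volume.

Input is what a syslog collector records: (sender IP, raw line). The FortiGate
key=value body format is real; the sample lines below are constructed and the
header a FortiAnalyzer relay prepends ("Feb  9 ... faz-1 ") is an assumption.
"""
import re
from collections import defaultdict

# Fields that together identify one firewall event regardless of how it arrived.
FINGERPRINT_FIELDS = ("devid", "logid", "eventtime", "sessionid",
                      "srcip", "srcport", "dstip", "dstport")

# key=value pairs; quoted values may contain spaces, unquoted ones cannot.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate(line):
    """Return the key=value body of a FortiGate syslog line as a dict.
    Anything that is not a key=value pair (syslog PRI, relay timestamp and
    hostname) is skipped, so direct and relayed lines parse the same way."""
    return {key: quoted if quoted else bare
            for key, quoted, bare in KV_RE.findall(line)}


def fingerprint(event):
    """Tuple that is identical for the same event delivered twice."""
    return tuple(event.get(field, "") for field in FINGERPRINT_FIELDS)


def analyse(records):
    """records: iterable of (sender_ip, raw_line).
    Returns {devid: {"delivered": lines received, "unique": distinct events,
                     "senders": sorted sender IPs,
                     "duplicated": events seen from more than one sender}}."""
    senders_by_event = defaultdict(set)
    per_device = defaultdict(lambda: {"delivered": 0, "unique": 0,
                                      "senders": set(), "duplicated": 0})
    for sender, line in records:
        event = parse_fortigate(line)
        devid = event.get("devid")
        if not devid:            # not a FortiGate line, ignore it
            continue
        senders_by_event[fingerprint(event)].add(sender)
        per_device[devid]["delivered"] += 1
        per_device[devid]["senders"].add(sender)
    for fp, senders in senders_by_event.items():
        stats = per_device[fp[0]]          # fp[0] is the devid
        stats["unique"] += 1
        if len(senders) > 1:               # same event from two paths
            stats["duplicated"] += 1
    return {devid: {**stats, "senders": sorted(stats["senders"])}
            for devid, stats in per_device.items()}


# Constructed sample events (FortiGate-style bodies, made-up devids and hosts).
HQ_TRAFFIC = ('date=2019-02-09 time=21:16:00 devname="FGT-HQ" devid="FG100D3G00000001" '
              'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
              'eventtime=1549747560 srcip=10.1.1.25 srcport=51234 srcintf="port1" '
              'dstip=93.184.216.34 dstport=443 dstintf="wan1" sessionid=4471021 proto=6 '
              'action="accept" policyid=7 service="HTTPS" sentbyte=1540 rcvdbyte=9820')
HQ_LOGIN = ('date=2019-02-09 time=21:16:04 devname="FGT-HQ" devid="FG100D3G00000001" '
            'logid="0100032001" type="event" subtype="system" level="information" vd="root" '
            'eventtime=1549747564 logdesc="Admin login successful" user="admin" '
            'ui="https(10.1.1.9)" method="https" srcip=10.1.1.9 dstip=10.1.1.1 '
            'action="login" status="success" msg="Administrator admin logged in successfully"')
BR_TRAFFIC = ('date=2019-02-09 time=21:16:06 devname="FGT-BR1" devid="FG60E4Q00000002" '
              'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
              'eventtime=1549747566 srcip=192.168.10.7 srcport=40022 srcintf="internal" '
              'dstip=8.8.8.8 dstport=53 dstintf="wan1" sessionid=88214 proto=17 '
              'action="accept" policyid=2 service="DNS" sentbyte=70 rcvdbyte=134')

SAMPLE_RECORDS = [
    ("10.0.0.1", "<189>" + HQ_TRAFFIC),                           # FGT-HQ sending directly
    ("10.0.0.1", "<189>" + HQ_LOGIN),
    ("10.0.0.50", "<189>Feb  9 21:16:01 faz-1 " + HQ_TRAFFIC),    # same events relayed by FAZ
    ("10.0.0.50", "<189>Feb  9 21:16:05 faz-1 " + HQ_LOGIN),
    ("10.0.0.50", "<189>Feb  9 21:16:07 faz-1 " + BR_TRAFFIC),    # FGT-BR1 only via FAZ
]

if __name__ == "__main__":
    for devid, stats in analyse(SAMPLE_RECORDS).items():
        flag = "  <-- same events arriving from several senders" if stats["duplicated"] else ""
        print(f'{devid}: {stats["delivered"]} lines, {stats["unique"]} events, '
              f'senders={stats["senders"]}{flag}')
```

Run it against a few minutes of real collector output instead of the constructed records: a device whose "duplicated" count is non-zero is being fed by both paths and one of the two feeds should be switched off; the "delivered" counts per device are the numbers to use when deciding which firewalls to point at which Log Decoder or VLC.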
2019-02-11 11:27 AM
Also keep in mind Fortinet is one of the vendors that seems to change its logging formats with each code update. If the log format from FortiAnalyzer is more stable than from the firewalls direct then I might choose that route.
The odds that firewalls direct to NW will have altered format on code updates and break parsing is quite high with Fortigate (and then you need to wait for RSA to update the parsing to account for the change in format in the parser, QA and roll it out to all customers).
Some other considerations to know about with Fortigate specifically.