This article leads you through the process of integrating Fortinet Fortigate with Red Canary. Follow the procedure from beginning to end.
Prerequisites
Before you connect Fortinet Fortigate to Red Canary, make sure the following configuration requirement is met:
- Make sure that you have OpenSSL (version 1.1) installed.
- Confirm that your configured DNS can resolve our collector. For example, Fortinet FortiGuard labels our collector as "Category: Meaningless Content", a category that a customer's configuration may be set to ignore. If your DNS service cannot resolve the collector URL, see Fortinet FortiGate - Unable to send Syslog to the Red Canary Collector.
Step 1: Red Canary–Create your Red Canary generated URL
Create a Red Canary-provided URL to which Fortinet Fortigate alerts will be sent for ingestion.
- From your Red Canary homepage, click Integrations.
- From the Integrations section, locate and then click the security product you want to integrate with Red Canary.
Note: If you do not see your security product listed, click See all integrations.
- In the search bar, type and then select your third-party security source.
- Continue onto the next step by configuring your third-party security source in Red Canary.
Note: Your third-party security source may require that you contact Red Canary to configure.
- Enter a name for your external alert source.
- Select a display category.
- From the Ingest Format/Method dropdown, select Fortinet Fortigate via Syslog.
- Click Save Configuration.
- Click Edit Configuration.
- Click Activate.
- After a few minutes, Red Canary will generate a URL (Collector ID) that you will enter in your Fortinet Fortigate configuration.
Example: prod1-use2-1234567.prod1.collectors.redcanary.io
Step 2: Command Line–Generate passphrase keys and TLS certificates
Generate the necessary keys and Transport Layer Security (TLS) certificates that are used to configure the Fortigate platform to send syslogs to Red Canary.
Note: Use PowerShell for Windows machines, and Linux or Terminal for Mac OS. The commands below are Linux-based.
- Open your native terminal.
- Copy and run the command below to generate a Certificate Authority (CA) Private Key:
openssl genrsa -aes256 -out fgcaprivkey.pem 2048
- Enter a passphrase for the key.
- Copy the passphrase. You’ll use this to connect Fortinet Fortigate to Red Canary.
- Copy and run the command below to generate the Certificate Authority Certificate:
openssl req -new -x509 -days 3650 -extensions v3_ca -key fgcaprivkey.pem -out fgcacert.pem
- Enter the values requested.
- Enter an identifier when prompted for a Common Name (CN).
Example: RedCanaryCA
Note: Some OSs have issues with the v3_ca extension. Please follow these instructions if needed.
- Copy and run the command below to generate an encrypted Client Certificate Private Key (the -aes256 option is what makes OpenSSL prompt for the passphrase used in the next step):
openssl genrsa -aes256 -out InsertYourCollectorID.collectors.redcanary.io.key 2048
- Enter a passphrase for the key.
- Copy the passphrase.
- Copy and run the command below to generate a Client Certificate Signing Request:
openssl req -new -key InsertYourCollectorID.collectors.redcanary.io.key -out InsertYourCollectorID.collectors.redcanary.io.csr
Example CN: InsertYourCollectorID.collectors.redcanary.io
- Enter the Fully Qualified Domain Name (FQDN) of the collector when prompted for a Common Name (CN).
- Copy and run the command below to create a Red Canary client certificate using the CA Private key and CA Certificate from Steps 2.2 and 2.3:
openssl x509 -req -in InsertYourCollectorID.collectors.redcanary.io.csr -CA fgcacert.pem -CAkey fgcaprivkey.pem -CAcreateserial -out InsertYourCollectorID.collectors.redcanary.io.crt -days 500 -sha256
Note: If you run ls in the directory, you should see the following files:
fgcaprivkey.pem
fgcacert.pem
InsertYourCollectorID.collectors.redcanary.io.key
InsertYourCollectorID.collectors.redcanary.io.csr
InsertYourCollectorID.collectors.redcanary.io.crt
- With your keys and TLS certificates generated, log in to Fortigate.
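The Step 2 commands run end to end and checked before anything is uploaded, as an added example that is not part of the original article or of Red Canary's tooling. The collector ID and passphrases are constructed placeholders, and -subj, -passin and -passout stand in for the interactive prompts.

```shell
#!/bin/sh
# Added example (not Red Canary's or Fortinet's own tooling). It runs the Step 2
# OpenSSL commands non-interactively (-subj and -passin/-passout replace the
# prompts) and then checks the result before anything is uploaded.
# Assumptions: COLLECTOR is a constructed placeholder for your Collector ID,
# the passphrases are demo values, and files go to a scratch directory.
set -eu

COLLECTOR="prod1-use2-1234567.prod1.collectors.redcanary.io"   # placeholder
CA_PASS="demo-ca-passphrase"        # constructed; choose your own
KEY_PASS="demo-client-passphrase"   # constructed; this is what Step 5 asks for
WORK="${WORK:-$(mktemp -d)}"

generate_chain() {
  cd "$WORK"
  # CA private key, encrypted with AES-256 (the article's Step 2.2 command)
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out fgcaprivkey.pem 2048 2>/dev/null
  # Self-signed CA certificate; CN as in the article's example
  openssl req -new -x509 -days 3650 -extensions v3_ca -key fgcaprivkey.pem \
    -passin "pass:$CA_PASS" -subj "/CN=RedCanaryCA" -out fgcacert.pem
  # Client private key, encrypted with the passphrase later given to Red Canary
  openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out "$COLLECTOR.key" 2048 2>/dev/null
  # CSR whose CN must be the collector FQDN
  openssl req -new -key "$COLLECTOR.key" -passin "pass:$KEY_PASS" \
    -subj "/CN=$COLLECTOR" -out "$COLLECTOR.csr"
  # Client certificate signed by the CA (Step 2.6)
  openssl x509 -req -in "$COLLECTOR.csr" -CA fgcacert.pem -CAkey fgcaprivkey.pem \
    -passin "pass:$CA_PASS" -CAcreateserial -out "$COLLECTOR.crt" -days 500 -sha256 2>/dev/null
}

# Pre-upload checks: the chain verifies against fgcacert.pem, the CN is the
# collector FQDN, and the key matches the certificate. Prints "ok" on success.
verify_chain() {
  cd "$WORK"
  openssl verify -CAfile fgcacert.pem "$COLLECTOR.crt" >/dev/null 2>&1 \
    || { echo "chain-invalid"; return 1; }
  cn=$(openssl x509 -in "$COLLECTOR.crt" -noout -subject | sed 's/.*CN *= *//')
  [ "$cn" = "$COLLECTOR" ] || { echo "cn-mismatch: $cn"; return 1; }
  certmod=$(openssl x509 -in "$COLLECTOR.crt" -noout -modulus)
  keymod=$(openssl rsa -in "$COLLECTOR.key" -passin "pass:$KEY_PASS" -noout -modulus 2>/dev/null)
  [ "$certmod" = "$keymod" ] || { echo "key-cert-mismatch"; return 1; }
  echo "ok"
}

generate_chain && verify_chain
```

Run it with WORK pointed at an empty directory to keep the generated files; the same three checks can be run by hand against the files you produced interactively in Step 2.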
Step 3: Fortinet Fortigate–Import certificates to Fortinet Fortigate
- From your Fortinet Fortigate dashboard, click System.
- Click Certificates.
- Click Create/Import, and then click CA Certificate.
- Click File.
- Upload the fgcacert.pem from Step 2.2.
- Click OK. The new CA Certificate will be located under the Local CA Certificate section.
- Click Create/Import, and then click Certificate.
- Click Import Certificate, and then click Certificate.
- Upload the InsertYourCollectorID.collectors.redcanary.io.key file from Step 2.4 under "Key file".
- Upload the InsertYourCollectorID.collectors.redcanary.io.crt file from Step 2.6 under "Certificate file".
- Enter the password you set for the key in Step 2.4.
- Click Save.
- Enter a Certificate Name.
Example: RedCanaryCert
- Click Create.
The new certificate will be located under the Local Certificate list.
Step 4: Fortinet Fortigate–Configure Fortinet Fortigate for secure syslog
- From your Fortinet Fortigate dashboard, click the CLI Console icon ( >_).
- Enter config log syslogd setting in the Command Line Interface (CLI).
- Type out the following lines (Note: do not copy and paste them, as pasting causes an encoding issue):
set status enable
set server "InsertYourCollectorID.collectors.redcanary.io"
set mode reliable
set facility alert
set format cef
set priority default
set ssl-min-proto-version TLSv1-2
set certificate "[Certificate name from Step 3.13, e.g. RedCanaryCert]"
set enc-algorithm high
set port [Port visible on Alert Source configuration modal]
end
Note: If you run into "Command fail. Return code 61," further commands will fail, and you will need to close and rerun the CLI console again.
- Press the Enter key.
Note: You may get a warning that the port has changed after entering the enc-algorithm high command. Make sure to set the port value after you enter enc-algorithm high, as in the order above.
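A small check for the syslogd block before it is typed into the CLI, added here as an example and not a Fortinet or Red Canary tool. It flags the two problems the notes above describe (non-ASCII quotes from copy-paste, and set port placed before set enc-algorithm high); the sample block and its collector ID and port number are constructed placeholders.

```shell
#!/bin/sh
# Added example (not a Fortinet or Red Canary tool): lint a "config log syslogd
# setting" block before typing it into the FortiGate CLI. It catches non-ASCII
# (curly) quotes from copy-paste, which break the CLI's encoding, and "set port"
# placed before "set enc-algorithm high", after which the port may be changed.
# The sample block is constructed; collector ID and port number are placeholders.
set -eu

# The block as the article lists it, with placeholder values filled in
sample_config() {
  cat <<'EOF'
set status enable
set server "prod1-use2-1234567.prod1.collectors.redcanary.io"
set mode reliable
set facility alert
set format cef
set priority default
set ssl-min-proto-version TLSv1-2
set certificate "RedCanaryCert"
set enc-algorithm high
set port 6514
end
EOF
}

# usage: check_syslogd_config FILE ; prints "ok" and returns 0 when the block is clean
check_syslogd_config() {
  file=$1
  # 1. Any byte outside printable ASCII (curly quotes are 3-byte UTF-8 sequences)
  if LC_ALL=C grep -n '[^ -~]' "$file" >/dev/null; then
    echo "non-ascii: line $(LC_ALL=C grep -n '[^ -~]' "$file" | head -1 | cut -d: -f1)"; return 1
  fi
  # 2. The TLS hardening lines the article requires must all be present
  for want in 'set mode reliable' 'set ssl-min-proto-version TLSv1-2' 'set enc-algorithm high'; do
    grep -qx " *$want" "$file" || { echo "missing: $want"; return 1; }
  done
  # 3. "set port" must come after "set enc-algorithm high"
  enc=$(grep -n 'set enc-algorithm high' "$file" | cut -d: -f1)
  port=$(grep -n 'set port ' "$file" | cut -d: -f1)
  [ -n "$port" ] || { echo "missing: set port"; return 1; }
  [ "$port" -gt "$enc" ] || { echo "order: set port must follow set enc-algorithm high"; return 1; }
  echo "ok"
}

# Stand-alone demo: the clean block, then the same block with a pasted curly quote
dir=$(mktemp -d)
sample_config > "$dir/good.cfg"
sample_config | sed "s/\"/$(printf '\342\200\234')/" > "$dir/pasted.cfg"
check_syslogd_config "$dir/good.cfg"
check_syslogd_config "$dir/pasted.cfg" || true
```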
Step 5: Red Canary–Upload custom certificates to Red Canary
Connect your custom certificates to Red Canary in order to start receiving Fortinet Fortigate alerts.
- From your Red Canary homepage, click Integrations.
- Scroll down, and then select your third-party security source.
- Click Edit Configuration.
- Select Use custom TLS server certificate for ingest over TLS?
- Upload the certificates listed in Step 2:
  - Upload a certificate file–Upload the .crt file.
  - Upload the corresponding private key file–Upload the .key file.
  - Private key passphrase–Enter the passphrase used to generate the server key.
  - Upload the CA certificate corresponding to your certificate–Upload the fgcacert.pem.
- Enter the passphrase from Step 2.4 in the field marked Private key passphrase.
- Click Save Configuration.
Note: Please confirm that your configured DNS can resolve our collector. For example, Fortinet FortiGuard labels our collector as "Category: Meaningless Content", a category that a customer's configuration may be set to ignore.