Firewalls
Syslog Forwarding Setup for ThreatDefence Integration
Step 1: Configure Syslog Forwarding
- Access Syslog Device Dashboard:
- Log in to your web application for your firewall/device.
- Navigate to Configuration:
- Locate the configuration settings for syslog forwarding. This may be under a section titled "Logging" or "Syslog Configuration."
- Define Forwarding Rule:
- Create a new forwarding rule to send syslog data to an external destination.
- Specify the destination IP address of your ThreatDefence forwarder/sensor.
- Choose UDP as the protocol and specify the port number. For example:
- For FortiGate: Use UDP Port 60000.
- For Sophos: Use UDP port 60001.
- For each additional device, increment the port number (e.g., 60002udp, 60003udp, etc.).
- Save Configuration:
- Save the configuration settings to apply the syslog forwarding rule.
Step 2: Configure Syslog Forwarding
- Provide Device Information:
- Once syslog forwarding is set up and verified, provide ThreatDefence with the necessary information about each device being forwarded:
- Device Type (e.g., FortiGate, Sophos).
- Syslog Forwarder IP address.
- Assigned UDP port number.
- Once syslog forwarding is set up and verified, provide ThreatDefence with the necessary information about each device being forwarded:
- Complete Onboarding Process:
- ThreatDefence will complete the onboarding process for each device, ensuring that syslog data is properly ingested and correlated within the platform
info
Note: The syslog server needs to have outbound connectivity to tele.threatdefence.io and vle.threatdefence.io on TCP port 443. To confirm if the connection is working you can ssh to the syslog server with the credentials set during prior setup and run the below commands:
nc -zv vle.threatdefence.io 443curl tele.threatdefence.io
Related Articles: