Leveraging CEF with Azure Monitor Agent (AMA) for GCP-Hosted Fortinet Firewall and Syslog Forwarder
Published Jan 08 2024 11:11 AM 3,781 Views
Microsoft

What Purpose This Blog Serves:

Let's break down the blog title to understand its purpose:

Leveraging CEF with Azure Monitor Agent (AMA) for GCP-Hosted Fortinet Firewall and Syslog Forwarder:

This part emphasizes using Common Event Format (CEF) with Azure Monitor Agent (AMA) for monitoring and analysing logs from a Fortinet firewall and a Syslog Forwarder hosted in Google Cloud Platform (GCP).

Connecting via Azure Arc:

Azure Arc is introduced to onboard non-Azure machines. This step ensures that even resources outside of Azure can be integrated into Azure's monitoring and security infrastructure.

Streaming Fortinet Logs to Microsoft Sentinel with Data Collection Rules:

The final objective is to establish a streamlined process for sending Fortinet logs to Microsoft Sentinel. Data Collection Rules are employed to manage and format the logs effectively.


This blog guides readers through setting up an integrated security and monitoring system that spans cloud platforms (Google Cloud in this case), using Azure tools such as Azure Monitor Agent, Azure Arc and Microsoft Sentinel, with CEF and Data Collection Rules to manage the Fortinet logs and improve security visibility.

Understanding Some Why’s:

Why this Blog?

  1. The AMA agent is new; the legacy agents (MMA, OMS, etc.) will be deprecated in 2024.
    Link: Migrate from legacy agents to Azure Monitor Agent - Azure Monitor | Microsoft Learn
  2. It leverages integration of another CSP with Sentinel: the firewall is hosted in another CSP (Google Cloud in our case).
  3. The Syslog Forwarder is also hosted in another CSP (Google Cloud in our case).
  4. It leverages Azure Arc as the resource used to onboard a non-Azure machine.
    Link: Connect hybrid machines to Azure using a deployment script - Azure Arc | Microsoft Learn
  5. It uses CEF with AMA and a Data Collection Rule to ingest logs into Microsoft Sentinel.
    Link: Data collection rules in Azure Monitor - Azure Monitor | Microsoft Learn

Why Do We Need Azure Arc?

Azure Arc provides a centralized, unified way to manage your entire environment by projecting your existing non-Azure and/or on-premises resources into Azure Resource Manager.

In our scenario we need to install the Azure Monitor Agent on the Syslog Forwarder, which is a non-Azure machine (GCP Compute Engine), so Azure Arc is required.

Once the Syslog Forwarder is onboarded, we can apply the Data Collection Rule to it.


A Prerequisite for Successful Configuration


Technical Resources Required:

  1. Access to Azure Cloud <https://portal.azure.com/>
  2. Microsoft Sentinel.
  3. Azure Arc.
  4. Access to Google Cloud <https://console.cloud.google.com/> (trial license)
  5. Compute Engine in GCP.
  6. Fortinet trial license.

Ensure you have an Introductory understanding of the technologies involved:

  1. Fortinet firewall, CEF syslog format, time zone update, basic Fortinet navigation.
  2. Google Cloud (GCP Compute Engine, compute-level firewall).
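Because the whole pipeline depends on the firewall emitting well-formed CEF, it helps to be able to check a forwarded line by hand before blaming AMA or the Data Collection Rule. The parser below is an added example written for this post, not code from the original blog, Fortinet or Microsoft; the sample line is constructed in the shape of a FortiGate CEF event and the field names are assumptions.

```python
import re
# Header fields that follow the "CEF:<version>" prefix, in wire order.
HEADER_FIELDS = ("device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # unescaped "key=" boundary
_ESCAPES = {"n": "\n", "r": "\r"}                    # extension escapes besides \= and \\

def _split_header(body):
    # Version plus six pipe-delimited fields, honouring \| and \\ escapes; stop after
    # 7 fields because pipes inside the extension are ordinary characters.
    parts, cur, i = [], [], 0
    while i < len(body) and len(parts) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur.append(body[i + 1]); i += 2
        elif ch == "|":
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(parts) < 7:
        raise ValueError("CEF header needs a version plus six fields")
    return parts, body[i:]

def _parse_extension(ext):
    # "key=value key=value": values may contain spaces, so a value runs until the next key.
    out, keys = {}, list(_KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = re.sub(r"\\(.)", lambda e: _ESCAPES.get(e.group(1), e.group(1)), raw)
    return out

def parse_cef(line):
    # Parse one syslog line carrying a CEF event; raises ValueError on malformed input.
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF header in line")
    fields, ext = _split_header(line[idx + 4:])
    event = {"syslog_prefix": line[:idx].strip(), "cef_version": fields[0]}
    event.update(zip(HEADER_FIELDS, fields[1:7]))
    sev = event["severity"]                      # 0-10 numeric, or a word such as "High"
    event["severity"] = int(sev) if sev.isdigit() else sev
    event["extension"] = _parse_extension(ext)
    return event

# Constructed sample in the shape of a FortiGate CEF line (not a real capture).
SAMPLE = ("<189>Jan 08 11:11:11 fgt-gcp-01 CEF:0|Fortinet|Fortigate|v7.2.5|0000000013"
          "|traffic:forward deny|5|deviceExternalId=FGT-DEMO-0001 src=10.10.1.25 "
          "dst=203.0.113.9 spt=51514 dpt=443 proto=TCP act=deny msg=Policy violation "
          "cs1=allow\\=no cs1Label=rule")
```

Run `parse_cef` over a few lines captured on the forwarder (for example with `tail` on the syslog file) to confirm the header has all seven fields and the extension keys you expect in Sentinel are present before turning on the connector.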

Ensure you have a good understanding of the technologies involved:

  1. Azure Arc.
  2. Azure Monitor Agent (AMA).
  3. Microsoft Sentinel.
  4. Common Event Format (CEF) with AMA Data Connector.


Abbreviations:

GCP: Google Cloud Platform.
AMA: Azure Monitor Agent.
CEF: Common Event Format.
