Integrating multiple vendor firewalls with Sentinel - What's the best practice?



One of my clients has 16 firewalls in 2 different regions.

8 in region A.

8 in region B.


Firewall vendors are Fortinet and Palo Alto.

Now I have a task to integrate all these firewalls with Sentinel. I was wondering what the best practice is in this scenario?

Should I configure only one CEF collector and collect all the firewalls' logs there, or should I use multiple CEF collectors?


Thanks in advance!

2 Replies
This is probably an 'it depends' reply. A count could be the right thing; often the decision will be data-volume based. Sometimes 1 FW will send as much traffic as 10 - do you know what they do today?
A. If you have to keep data in region you may need to collect in multiple workspaces anyway - so you need at least two collectors.
B. If you have highly used firewalls you may need multiple CEF collectors (the AMA supports 5000-8000 EPS). Do you need load balancing or auto scale? In that case the collectors could be in Azure.
In my case, there are 4 internal, 4 external, 4 WAN firewalls and 4 WAF. All these firewalls are in Azure and the CEF collector will be in Azure too. I am not sure about the data volume, but the majority of the traffic will be from the external and WAN firewalls.
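An added capacity-planning sketch (my own example, not code from this thread, Microsoft or either firewall vendor) that turns the reply's reasoning into a concrete plan: group firewalls by region so data-residency boundaries get their own workspace and collectors, pack them onto collectors against the conservative 5000 EPS AMA figure quoted above, and flag any single firewall whose peak alone would saturate one collector and therefore needs load balancing. The per-firewall EPS values and the 70% headroom factor are constructed assumptions; replace them with measured peaks.

```python
from collections import defaultdict
from dataclasses import dataclass

AMA_EPS_CONSERVATIVE = 5000  # lower bound of the 5000-8000 EPS range quoted in the reply


@dataclass(frozen=True)
class Firewall:
    name: str
    vendor: str      # "Fortinet" or "Palo Alto"
    region: str      # data-residency boundary -> own workspace + collector set
    peak_eps: float  # measured peak events per second (constructed below)


def plan_collectors(firewalls, capacity=AMA_EPS_CONSERVATIVE, headroom=0.7):
    """Return ({region: [[firewall names on collector 1], [collector 2], ...]},
    [firewalls that exceed one collector]) using first-fit-decreasing packing.
    Each collector is budgeted at capacity * headroom so bursts do not drop events."""
    budget = capacity * headroom
    by_region = defaultdict(list)
    for fw in firewalls:
        by_region[fw.region].append(fw)
    plan, needs_load_balancer = {}, []
    for region, fws in by_region.items():
        bins = []  # each entry: [remaining budget, [firewall names]]
        for fw in sorted(fws, key=lambda f: f.peak_eps, reverse=True):
            if fw.peak_eps > budget:
                # A single source above one collector's budget cannot be fixed by
                # adding collectors alone; it needs a load balancer in front of several.
                needs_load_balancer.append(fw.name)
                continue
            for b in bins:
                if b[0] >= fw.peak_eps:
                    b[0] -= fw.peak_eps
                    b[1].append(fw.name)
                    break
            else:
                bins.append([budget - fw.peak_eps, [fw.name]])
        plan[region] = [names for _, names in bins]
    return plan, needs_load_balancer


def example_plan():
    """Constructed estate matching the thread: 2 regions, 8 firewalls each."""
    eps_a = {"ext": 2000, "wan": 1500, "int": 400, "waf": 300}
    eps_b = {"ext": (4000, 1500), "wan": (1500, 1500), "int": (300, 300), "waf": (200, 200)}
    fws = [Firewall(f"A-{k}-{i}", "Fortinet", "A", v) for k, v in eps_a.items() for i in (1, 2)]
    fws += [Firewall(f"B-{k}-{i}", "Palo Alto", "B", v[i - 1]) for k, v in eps_b.items() for i in (1, 2)]
    return plan_collectors(fws)


if __name__ == "__main__":
    plan, lb = example_plan()
    for region, collectors in plan.items():
        print(region, len(collectors), "collector(s):", collectors)
    print("needs load balancing:", lb)
```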