Suricata Network ids capture for Fortinet logs


I have Fortinet firewall which needs to be monitored from Suritcata IDS for suspicious events. Please advise does the suricata IDS and fortinet should be in the same IP subnet in order to configure the Home and External net.


I’m not sure I understand the question correctly, but let me clarify that Suricata is not a tool to inspect firewall logs. Suricata inspects network packets.

How do you plan to send traffic from the firewall to Suricata?

Hi Victor,
Thanks for the response. Let me tell you the requirement.

We have Fortigate firewalls running the environment with IPS feature and this is managed by Infra team. Me from Security team want to receive the mirror of network traffic to Suricata so that it can inspect for malicious packets. Is there any way to keep suricata running on Linux/Windows server as inline to the firewall to inspect the network traffic ?.

Let me know if more information is required.


Suricata can run in “inline” (IPS) mode but you also said “mirror” which means you might want IDS mode. Suricata supports both modes so it’s just a matter of how you want things setup.

  1. Network -> Suricata (IPS) -> Firewall
  2. Network -> Firewall
    -> (mirror) Suricata


I want the second mode, can you send me configuration for this.?


The default configuration is tailored for IDS mode.

We have a quick start guide that will be helpful:

You’ll need to configure the packet capture mode which will depend on the details of the system on which it’s deployed.

Sure. Thank you. I will try these settings and update you.


Hello Jeff,
I’m running into the same situation and I need to configure suricata for the 1st mode.
Can you send me steps to follow to achieve this.

Best Regards.

Hi, see our documenation for IPS mode 13. Setting up IPS/inline for Linux — Suricata 6.0.10 documentation

Thank you Andreas,
Well if you allow me, let me explain the situation.
I want to run suricata on inline mode and in my network I have a fortinet firewall facing the internet and then a L3 switch and after that switch, I want to deploy Suricata.
So, does we need iptables in this case and do what other configurations are needed to achieve this .

Thanks in advance

If you just want to pass the traffic from one interface to another interface on the machine where you run Suricata, AF_PACKET IPS mode should be good.