Suricata Network IDS capture for Fortinet logs

Hi,

I have a Fortinet firewall which needs to be monitored from Suricata IDS for suspicious events. Please advise whether the Suricata IDS and the Fortinet firewall should be in the same IP subnet in order to configure the Home and External net.

Rgds,
Maya

I’m not sure I understand the question correctly, but let me clarify that Suricata is not a tool to inspect firewall logs. Suricata inspects network packets.

How do you plan to send traffic from the firewall to Suricata?

Hi Victor,
Thanks for the response. Let me tell you the requirement.

We have Fortigate firewalls running in the environment with the IPS feature, and this is managed by the Infra team. I, from the Security team, want to receive a mirror of the network traffic on Suricata so that it can inspect for malicious packets. Is there any way to keep Suricata running on a Linux/Windows server inline to the firewall to inspect the network traffic?

Let me know if more information is required.

Rgds,
Maya

Suricata can run in “inline” (IPS) mode, but you also said “mirror”, which means you might want IDS mode. Suricata supports both modes, so it’s just a matter of how you want things set up.

  1. Network -> Suricata (IPS) -> Firewall
  2. Network -> Firewall
    -> (mirror) Suricata

Hi,

I want the second mode. Can you send me the configuration for this?

Rgds,
Maya

The default configuration is tailored for IDS mode.

We have a quick start guide that will be helpful: https://suricata.readthedocs.io/en/suricata-5.0.3/quickstart.html

You’ll need to configure the packet capture mode which will depend on the details of the system on which it’s deployed.
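As an added example (not from this thread and not the Suricata project's own default file), the following suricata.yaml fragment shows the two pieces that the second topology above needs: the address groups that decide what Suricata treats as inside versus outside, and a passive af-packet capture on the NIC cabled to the firewall's mirror (SPAN) port. HOME_NET lists the subnets the FortiGate protects, not the subnet the sensor's management interface happens to sit in, so the sensor and the firewall do not need to share a subnet. The interface name enp2s0 and the address ranges are placeholders.

```yaml
# Added example: minimal suricata.yaml fragment for passive IDS mode on a mirror port.
# Interface name (enp2s0) and address ranges are assumed placeholders; adjust to your site.
vars:
  address-groups:
    # Subnets behind the FortiGate that should count as "inside".
    # These are the firewall's protected networks, not the sensor's management subnet.
    HOME_NET: "[10.0.0.0/8,192.168.0.0/16]"
    EXTERNAL_NET: "!$HOME_NET"

af-packet:
  - interface: enp2s0          # NIC connected to the switch/firewall mirror (SPAN) port
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    # No copy-mode/copy-iface here: packets are only read, never forwarded (IDS, not IPS).

outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json        # alerts land under the configured default-log-dir
      types:
        - alert
        - flow
```

Bring the mirror NIC up without an IP address (for example `ip link set enp2s0 up`; Suricata puts af-packet interfaces into promiscuous mode itself), then start with `suricata -c /etc/suricata/suricata.yaml --af-packet=enp2s0`. To confirm that mirrored traffic is actually arriving before hunting for alerts, watch the `capture.kernel_packets` counter in stats.log increase while traffic crosses the firewall; if it stays at zero, the problem is the SPAN session or cabling, not the rules.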

Sure. Thank you. I will try these settings and update you.

Rgds,
Maya