Configuring IPS with FortiAuthenticator

The IPS configuration requires defining FortiAuthenticator as the syslog server on IPS. The syslog server uses the filter created in User Access Log Filters to receive and parse the logs.

Creating Custom Filter for User Access Logs

To create a custom filter in IPS:

  1. Select System > Log/Monitoring > User Access > Filters.
  2. Click New Filter.
  3. Enter the filter name.
  4. Under Export Format, select WELF.
  5. Click Save to save the filter.

Editing the Custom Filter

To edit the custom filter you created:

  1. From the Log Filters screen, click the filter name and edit the filter.
  2. Under Export Format, select Custom format.
  3. Edit the ID so that it matches the filter name. For example, id=FSSO.
  4. Click Save.

Configuring Syslog Server

You can configure IPS to send logs to the FortiAuthenticator syslog server.

To configure the syslog server:

  1. Select System > Log/Monitoring > User Access > Settings Policy and click New Policy.
  2. Under Select Events to Log, retain the default settings.
  3. Under Syslog Servers, create a new Syslog server with the following details:
    • Server name/IP: Enter the fully qualified domain name or the IP address of the syslog server (FortiAuthenticator).
    • Facility: Select LOCAL0 as the facility level.
    • Type: Select UDP as the connection type.
    • Filter: Select the custom filter you created.
  4. Click Add and then click Save Changes.

In a clustered environment, you must add FortiAuthenticator as a syslog server on every node.
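
To confirm that a node sends what the steps above configure, the following added example (not part of the original guide and not vendor code) checks a captured syslog datagram for the LOCAL0 facility and the filter ID. It assumes the message body consists of WELF-style key=value pairs; the sample message, host name, and all fields other than id=FSSO are constructed for illustration.

```python
import re

LOCAL0 = 16  # syslog facility code for LOCAL0; PRI = facility * 8 + severity

# Constructed sample datagram. Only id=FSSO comes from the guide; the host
# name and the other key=value fields are illustrative assumptions.
SAMPLE = (b'<134>Jan 10 12:00:00 ips-node1 id=FSSO time="2024-01-10 12:00:00" '
          b'user=alice src=10.0.0.5 msg="Login succeeded"')

PRI_RE = re.compile(r'^<(\d{1,3})>')
# A key must start a token; a quoted value may contain spaces.
PAIR_RE = re.compile(r'(?<!\S)(\w+)=(?:"([^"]*)"|(\S*))')


def decode_pri(message):
    """Split the leading <PRI> of a syslog message into (facility, severity)."""
    match = PRI_RE.match(message)
    if match is None or int(match.group(1)) > 191:
        raise ValueError("missing or invalid syslog <PRI> header")
    pri = int(match.group(1))
    return pri >> 3, pri & 7


def parse_welf(message):
    """Return the WELF key=value pairs found in the message as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PAIR_RE.finditer(message)}


def check_datagram(raw, expected_id="FSSO"):
    """Return a list of mismatches; an empty list means the message fits."""
    text = raw.decode("utf-8", errors="replace")
    try:
        facility, _severity = decode_pri(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if facility != LOCAL0:
        problems.append(f"facility is {facility}, expected LOCAL0 ({LOCAL0})")
    found_id = parse_welf(text).get("id")
    if found_id != expected_id:
        problems.append(f"id is {found_id!r}, expected {expected_id!r}")
    return problems


if __name__ == "__main__":
    print(check_datagram(SAMPLE) or "matches configured facility and filter id")
```

Running the check against one datagram from each cluster node shows quickly whether any node was left without the syslog server entry or is using a different filter.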