Leveraging CEF with Azure Monitor Agent (AMA) for GCP-Hosted Fortinet Firewall and Syslog Forwarder,


Understand What purpose this Blog Serves:

Let's break down the blog title to understand its purpose:

Leveraging CEF with Agent (AMA) for GCP-Hosted Fortinet and Syslog Forwarder:

This part emphasizes using Common Event Format (CEF) with Agent (AMA) for monitoring and analysing logs from Fortinet and Syslog Forwarder hosted in Google Cloud Platform (GCP).

Connecting via Azure Arc:

Azure Arc is introduced to onboard non-Azure machines. This step ensures that even resources outside of Azure can be integrated into Azure's monitoring and security infrastructure.

Streaming Fortinet Logs to Microsoft Sentinel with Data Collection Rules:

The final objective is to establish a streamlined process for sending Fortinet logs to Microsoft Sentinel. Data Collection Rules are employed to manage and format the logs effectively.

The blog serves to guide readers on set up an efficient and integrated security and monitoring system that spans across different cloud platforms (Google Cloud in this case), leveraging Azure tools like Azure Monitor Agent, Azure Arc, and Microsoft Sentinel to enhance security and visibility by using CEF and Data Collection Rules for managing Fortinet logs.

Understanding Some Why's:

Why this Blog?

  1. The AMA agent is New, old agent MMA, , etc. will deprecate in 2024.
    Link: Migrate from legacy agents to Azure Monitor Agent – Azure Monitor | Microsoft Learn
  2. Leveraging other CSP integration with Sentinel – is hosted in other CSP (Google Cloud in our case).
  3. The Syslog Forwarder is hosted in other CSP (Google Cloud in our case).
  4. It leverages Azure Arc as a resource to onboard Non-Azure Machine.
    Link: Connect hybrid machines to Azure using a deployment script – Azure Arc | Microsoft Learn
  5. Uses CEF with AMA with Data Collection Rule to ingest Logs to Microsoft Sentinel.

Link: Data collection rules in Azure Monitor – Azure Monitor | Microsoft Learn

Why we need Azure ARC?

Azure Arc provides a centralized, unified way to: Manage your entire environment together by projecting your existing non-Azure and/or on-premises resources into Azure .

In Our Scenario we need to install Azure Monitoring Agent on the Syslog Forwarder which is a Non-Azure (GCP Compute) hence we need the same.

Once Syslog Forwarder is onboarded then we can Apply the Data Collection rule to it.

A Prerequisite for Successful Configuration


Technical Resource Required to Spin:

  1. https://portal.azure.com/>
    2. Microsoft Sentinel.
    3. Azure Arc.
    https://console.cloud.google.com/> license>
    5. Compute engine in GCP.
    6. Fortinet trial license

Ensure you have an Introductory understanding of the technologies involved:

  1. Fortinet Firewall, CEF syslog format, Time Zone update, Basic Fortinet Navigation,
  2. Google Cloud (GCP Compute, Compute Level Firewall).

Ensure you have a good understanding of the technologies involved:

  1. Azure Arc.
  2. Azure Monitor Agent (AMA).
  3. Microsoft Sentinel.
  4. Common Event Format (CEF) with AMA Data Connector.


: Google Cloud Platform. AMA: Azure Monitoring Agent. CEF: Common Event Format.


This article was originally published by Microsoft's Sentinel Blog. You can find the original article here.