How do I collect from Fortigate FortiOS?

[Available since Nanitor 1.6.2 - ca. July 2018].

Nanitor supports benchmarking of Fortigate FortiOS devices through the Nanitor Collector.

Prerequisites

  1. You need to have a Nanitor Collector up and running. A single collector can collect from multiple network devices, servers and databases.
  2. You need to have the IP address of the Fortigate device and the collector needs to have network access to connect to the device via SSH.
  3. You need to have a user account on the Fortigate device with sufficient privileges (read-only access is enough; see the example below).

Example of creating a user account with the minimum privileges required for collecting the data. The following creates a read-only access profile "prof_nanitor" and a new audit account "nanitor" that uses it on the Fortigate device:

config system accprofile
   edit "prof_nanitor"
       set mntgrp read
       set admingrp read
       set updategrp read
       set authgrp read
       set sysgrp read
       set netgrp read
       set loggrp read
       set routegrp read
       set fwgrp read
       set vpngrp read
       set utmgrp read
       set wanoptgrp read
       set endpoint-control-grp read
       set wifi read
   next
end
config system admin
   edit "nanitor"
       set accprofile "prof_nanitor"
       set vdom "root"
       set password mypass
   next
end

This gives the required permissions to the nanitor user.
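As an added example (not part of this article or of Nanitor's tooling), a small Python check that parses a FortiOS "config system accprofile" block and flags any access group granted more than read access, so the audit account's profile can be verified as read-only before the device is added. It assumes the FortiOS group values none, read, read-write and custom; the sample text is the profile from this article.

```python
# Constructed sample input: the read-only profile from this article, as FortiOS CLI text.
SAMPLE_PROFILE = """\
config system accprofile
   edit "prof_nanitor"
       set mntgrp read
       set admingrp read
       set updategrp read
       set authgrp read
       set sysgrp read
       set netgrp read
       set loggrp read
       set routegrp read
       set fwgrp read
       set vpngrp read
       set utmgrp read
       set wanoptgrp read
       set endpoint-control-grp read
       set wifi read
   next
end
"""

# Values that grant more than read access (assumption: FortiOS uses none/read/read-write/custom).
WRITE_VALUES = {"read-write", "custom"}


def parse_accprofiles(cli_text):
    """Return {profile_name: {setting: value}} for every profile inside
    'config system accprofile' blocks; lines outside such blocks are ignored."""
    profiles, current, in_block = {}, None, False
    for raw in cli_text.splitlines():
        line = raw.strip()
        if line == "config system accprofile":
            in_block = True
        elif not in_block:
            continue
        elif line == "end":
            in_block, current = False, None
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            profiles[current] = {}
        elif line == "next":
            current = None
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            profiles[current][key] = value.strip()
    return profiles


def over_privileged(profile):
    """Return the settings of one parsed profile whose value grants write access."""
    return {k: v for k, v in profile.items() if v in WRITE_VALUES}
```

An empty result from over_privileged means the profile only grants read (or no) access; anything returned should be set back to read before the credential is used for collection.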

Adding the device to Nanitor

Run this command to avoid putting the passwords in .bash_history:

unset HISTFILE

Now we add the credentials (the passwords are stored locally in an encrypted format).

The credentials are created as follows:

$ sudo /usr/lib/nanitor-collector/bin/nanitor-collector-ctl credential_add --title fortigate-nanitor --access_method ssh --username nanitor --password mypass

Now we add the device and start collection from the Fortigate device (here with IP address 172.9.3.5):

$ sudo /usr/lib/nanitor-collector/bin/nanitor-collector-ctl device_add --title fortigate1 --device_type fortigate --address 172.9.3.5 --credential_title fortigate-nanitor

This can take a few seconds, as the collector authenticates and performs a full first collection. Once completed, the results are immediately available in the Nanitor UI. The collector then continues collecting results once every 24 hours.

If the results do not appear in the Nanitor UI, ensure that the Fortigate benchmarks are selected and in scope for the organization (Administration - Organization Management - Settings - Benchmarks tab).
