Skip to main content

FortiGate and Splunk correlation via Network Copilot

Network Copilot is presented as an agentic AI assistant that queries Splunk in real time while adding FortiGate context, aiming to answer operational questions for NetOps and SecOps teams. The update matters because teams currently spend time correlating distributed firewall and SIEM data during troubleshooting.

Research Overview

The blog frames the problem as fragmented telemetry, where FortiGate produces firewall, policy, authentication, and threat-related logs and Splunk stores logs from firewalls and other network components. It says manual correlation across these systems requires continuous effort from operators during incidents and day-to-day operations.

Network Copilot (NCP) is described as an operational AI agent that performs intelligent correlation by combining FortiGate telemetry with information available in Splunk. The approach is positioned as a way to reduce the need for repeated dashboard navigation, log analysis, and escalation work by L1 and L2 personnel.

Key Findings

The blog says FortiGate and Splunk each cover their intended functions, but operations teams still face time pressure and data volume when they must connect events across platforms. It attributes the persistent manual workload to scattered information, differing data formats and contexts, and the need to process large volumes quickly.

NCP is described as providing natural-language responses that support faster troubleshooting by identifying root causes and explaining contributing factors. The blog lists outcomes such as configuration changes, authentication failures, blocked communications, and policy-related problems.

Technical Breakdown

The blog describes Network Copilot as acting like an expert network and security engineer that reviews logs, configurations, and events. It says the assistant enables teams to ask questions such as why a user is blocked or what configuration changes occurred over a defined period.

For configuration change scenarios, NCP is described as able to identify what was modified, the type of change, who made it, which firewall policy was affected, and whether traffic behavior changed. For access problems, it is described as checking whether the issue is an authentication failure, identifying the user and source IP, and determining whether the cause is configuration or a security policy.

Operational Impact

The blog says the assistant helps L1 and L2 teams by turning distributed data and tacit knowledge into understandable answers. It describes junior operators as often relying on senior engineers for tasks such as analyzing firewalls and searching SIEM data, with NCP designed to reduce that time spent on investigation and cross-referencing.

It also states that Network Copilot does not replace engineers and that knowledge and reasoning come from the system while the engineer remains in control of decisions. The blog describes agentic AI as enabling troubleshooting by reasoning across FortiGate telemetry and Splunk logs rather than only reporting what already occurred.

Blog Signals brief is a fact-based summary of this vendor blog post about Network Copilot’s role in querying Splunk in real time with FortiGate context to correlate events, identify configuration and access issues, and provide explanations for L1/L2 NetOps and SecOps troubleshooting.