FortiGate and Splunk Logs Drive Network Copilot Troubleshooting Correlation
The vendor guide details a Network Copilot (NCP) deployment that ingests FortiGate metrics, events, logs, and traces via MELT into Splunk, then uses an intelligent agent to correlate telemetry and answer natural-language troubleshooting questions for NetOps and security teams.
Research Overview
The paper frames the problem as manual correlation across heterogeneous network and security systems, even when observability tooling such as Splunk is already in place. It describes NCP as an AI operational assistant that connects those silos by interpreting operator questions and linking related telemetry.
The implementation described uses a FortiGate device in an operational setup with live traffic. The guide focuses on real data handling, including both live and historical analysis, to support troubleshooting workflows.
Key Findings
The document states that NCP reduces complexity and aims to lower mean-time-to-resolution (MTTR) for L1 and L2 teams. It also describes outputs as explainable and context-aware answers delivered in natural language rather than static dashboard views.
It further characterizes NCP as agentic, including the ability to parse configurations and logs across multiple device and log sources and to perform root-cause analysis. The paper presents correlation across firewall telemetry and other operational data as the central mechanism.
Technical Breakdown
The reference architecture exports FortiGate telemetry to Splunk for centralized indexing, after which NCP correlates live and historical telemetry. The guide describes the agent querying Splunk in real time to provide answers with contextual details tied to the queried events.
In addition to Splunk indexing, the guide says the platform can store telemetry in its internal database for historical analysis. It also describes cross-domain correlation covering firewall, network, system, and application log contexts.
Operational Impact
The operational flow in the paper is based on traffic entering FortiGate, FortiGate enforcing security policies and access controls, and generating traffic, authentication, threat, system, and configuration logs. Those logs are exported to Splunk, ingested by NCP, and then used to answer operator questions.
The guide includes multiple troubleshooting use cases that tie operator questions to expected outcomes, including identifying configuration changes in the prior 24 hours, explaining authentication failures for FortiGate access attempts, and diagnosing user inability to access the internet by identifying blocked traffic and missing or misconfigured firewall policy conditions.
Overall, the guide presents Network Copilot (NCP) as an agentic assistant that correlates FortiGate telemetry with Splunk-sourced logs to provide explainable, context-aware natural-language responses for troubleshooting workflows. This “Blog Signals brief” is a fact-based summary of the vendor blog.