A FortiGate firewall analyzer that reads FortiOS directly.
SAMURAI is a self-hosted FortiGate firewall analyzer that reads Fortinet FortiOS over its REST API: security policies, NAT (VIPs and IP pools), address and service objects, routes, and VPN tunnels. Because it works from configuration rather than logs, you see the live policy and every change to it — attributed to the admin — in the same dashboard as your Palo Alto and Cisco estate.
Updated June 2026
What it reads from FortiGate
Security policies
FortiGate firewall policies read over the FortiOS REST API, searchable by source/destination zone, address, service, and action, with server-side filtering.
NAT, VIPs & IP pools
Source and destination NAT, virtual IPs, and IP pools resolved to the real addresses and ports they map to — not raw object names.
Objects, resolved
Address and service objects and groups expanded recursively at sync time, so a policy reads "tcp/443", not a group you have to open.
Routes & VPN
FortiGate routing table, IPsec tunnels, and SSL-VPN visibility in the same view as the policies that govern the traffic.
Change tracking with attribution
Every FortiOS configuration change detected from real device state, diffed, and time-windowed to the administrator who made it — no reliance on log retention.
Multi-vendor context
FortiGate sits beside Palo Alto, Cisco FMC/FTD, routers, switches, ACI, ISE, and vCenter: nine device types, one searchable dashboard.
How it compares to FortiGate log analyzers
Tools marketed as a "Fortinet firewall log analyzer" parse FortiGate traffic and event logs. SAMURAI reads FortiOS configuration state instead — the policies, objects, and routes themselves, plus every change to them.
| | SAMURAI | FortiGate log analyzers |
|---|---|---|
| Data source | FortiOS configuration read over the REST API | FortiGate traffic and event logs |
| Question answered | What is the policy, and who changed what, when? | What traffic was allowed or blocked? |
| Scope | FortiGate plus Palo Alto, Cisco, routers, switches, ACI, ISE, vCenter | Usually FortiGate logs only |
| Deployment | Single self-hosted Docker container, air-gap friendly | FortiAnalyzer appliance or log pipeline |
For traffic-log analytics on FortiGate, a log analyzer (or FortiAnalyzer) is the right fit. For multi-vendor policy visibility, object resolution, and change attribution across FortiGate and everything around it, that is what SAMURAI is built for.
Frequently asked questions
How does SAMURAI connect to FortiGate?
Over the FortiOS REST API, authenticating with an API token (username/password is available as a fallback). It reads policies, NAT, address and service objects, routes, and VPN configuration, and the access is read-only.
Does it resolve FortiGate address and service objects?
Yes. Objects and groups are expanded recursively at sync time, so a policy shows the real addresses and "tcp/443"-style services instead of object names you have to chase.
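To make the recursive expansion described above concrete, here is an added sketch (not SAMURAI's code) that flattens nested service groups into "tcp/443"-style entries. The field names follow the FortiOS cmdb shape for custom services and service groups; the sample objects are constructed, and the function names are hypothetical.

```python
# Constructed sample data, shaped like FortiOS cmdb results for
# firewall.service/custom and firewall.service/group (values are made up).
CUSTOM = {
    "HTTPS": {"tcp-portrange": "443"},
    "DNS": {"tcp-portrange": "53", "udp-portrange": "53"},
    "APP-HIGH": {"tcp-portrange": "8080-8090 9443"},
}
GROUPS = {
    "Web": {"member": [{"name": "HTTPS"}, {"name": "APP-HIGH"}]},
    "Infra": {"member": [{"name": "DNS"}, {"name": "Web"}]},
    "Loop-A": {"member": [{"name": "Loop-B"}, {"name": "HTTPS"}]},
    "Loop-B": {"member": [{"name": "Loop-A"}]},
}


def leaf_services(obj):
    """Turn one custom service object into 'proto/ports' strings."""
    out = []
    for proto in ("tcp", "udp"):
        for rng in obj.get(f"{proto}-portrange", "").split():
            dst = rng.split(":")[0]  # drop optional ':source-ports' suffix
            out.append(f"{proto}/{dst}")
    return out


def resolve(name, custom=CUSTOM, groups=GROUPS, _path=()):
    """Expand a service or nested group name into sorted leaf services.

    Unknown members stay visible as 'unresolved:<name>'; a group that
    contains itself raises instead of recursing forever.
    """
    if name in _path:
        raise ValueError("group cycle: " + " -> ".join(_path + (name,)))
    if name in custom:
        return leaf_services(custom[name])
    if name not in groups:
        return [f"unresolved:{name}"]
    found = set()
    for member in groups[name]["member"]:
        found.update(resolve(member["name"], custom, groups, _path + (name,)))
    return sorted(found)


def resolve_policy(policy, custom=CUSTOM, groups=GROUPS):
    """Return a copy of a policy whose 'service' list holds resolved services."""
    resolved = set()
    for svc in policy["service"]:
        resolved.update(resolve(svc["name"], custom, groups))
    return {**policy, "service": sorted(resolved)}
```

Keeping unresolved members in the output rather than dropping them matters for review: a policy that references a missing object should look incomplete, not narrower than it is.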
Is this a Fortinet firewall log analyzer?
No — SAMURAI analyzes FortiOS configuration state, not logs. For traffic-log analytics, FortiAnalyzer or a log tool is the right choice; SAMURAI focuses on the policy and its changes.
Can I see FortiGate alongside Palo Alto and Cisco?
Yes — that is the point. FortiGate, Palo Alto (PAN-OS), and Cisco FMC/FTD policies share one search and one change timeline, next to the routers, switches, and fabrics around them.
Can I try it on FortiGate for free?
Yes. A free test license ships with the SAMURAI Docker image on Docker Hub, no email required, so you can point it at your own FortiGate before talking to anyone.
What does deploying it take?
A single docker run on a VM that can reach your FortiGate management interface. A typical deployment is serving data in about five minutes.