
Administration Guide

Blocking indicators

You can block suspicious indicators directly from FortiAnalyzer. This can help you to reduce potential risks and quickly respond to known threats by blocking suspicious IPs, URLs, domains, or MAC addresses.

FortiAnalyzer can use the following connectors to block indicators:

  • FortiManager connector

  • FortiMQ connector

When both the FortiManager and FortiMQ connectors are active, the FortiMQ connector takes priority. Blocking through FortiManager remains supported, but indicators are sent through FortiManager only when the FortiMQ connector is disabled.

Unlike the FortiManager connector, which operates at a global level, the FortiMQ connector is ADOM-specific: indicators blocked through FortiMQ are applied only to FortiGate devices within the same Fabric or FortiGate ADOM in FortiAnalyzer.

If neither connector is set up and active, the Block option is grayed out in the Incidents and Indicators panes.

When the FortiMQ connector is set up and active, hovering over the Block option displays the tooltip: “Block/Unblock will be carried out by FortiMQ connector.”

The Block indicator option is available in:

  • Incidents & Alerts > Indicators

  • Incidents & Alerts > Incidents > Incidents

  • Incidents & Alerts > Incidents > Incidents > Incident Analysis

You can also block indicators from Log View by right-clicking the ip, url, domain, or mac-address value in the table view or detailed view and selecting Create indicator and block from the shortcut menu. This action creates a new indicator and blocks it automatically.

Indicators can also be unblocked from the FortiAnalyzer GUI. When a blocked indicator is selected in Incidents & Alerts > Indicators, the Unblock action becomes available in the toolbar and the shortcut menu.

In Incidents & Alerts > Indicators, a pie chart and a Block Status column show the block state of each indicator: TBD, Blocked, or Unblocked.

Blocking indicators with the FortiMQ connector

After you block or unblock indicators using the FortiMQ connector, the block_indicator playbook runs in the background and sends the indicators to FortiMQ.

FortiGate retrieves these indicators from FortiMQ and updates its external feeds with them. These feeds can then be used in policies or profiles to deny access. For example, see below:

To set up the FortiMQ connector on FortiAnalyzer:
  1. Go to Incidents & Alerts > Automation > Active Connectors, and enable the FortiMQ Connector.

    The FortiMQ connector is available in all Fabric and FortiGate-type ADOMs and is disabled by default.

    When enabled, this connector automatically establishes a connection to the FortiMQ cloud service; no additional configuration is required. The connector status reflects its health, indicating whether the API connection is successful.

To block indicators with the FortiMQ connector, you must also complete the following in addition to enabling the connector:

Blocking indicators with the FortiManager connector

When an indicator is blocked using the FortiManager connector, the Block Status column in Indicators initially displays Blocked (Pending). In the backend, the block_indicator playbook runs every five minutes to send the information to FortiManager. After the playbook runs, the indicator's status changes to Blocked. Here, the Blocked status on FortiAnalyzer confirms that the list has been updated on FortiManager; it does not mean the list has been synced to the FortiGate.

When the block_indicator playbook runs successfully, the blocked indicator is pushed to FortiManager's External Resource list. This list can be used on FortiManager to create threat feeds, security profiles, and blocking policies, which are then pushed to the identified FortiGate. It can also be used to update all FortiGates to block the suspicious indicators.

The External Resource is saved in FortiManager as "<FortiAnalyzer ADOM name>-BLK<indicator-type>". For example, the root ADOM's blocked IPs are stored in an External Resource named root-BLKIP, as shown below.

The FortiManager firmware version must match the FortiAnalyzer firmware version for the block list to be pushed to FortiGates.

Unblocking an indicator updates the External Resource on FortiManager by removing the unblocked indicator's information. Once complete, the status of the indicator changes to Unblocked.

To set up the FortiManager connector on FortiAnalyzer:

The following configuration is required in the FortiManager CLI before adding a FortiAnalyzer using a fabric connection:

    config system csf
        set status enable
        set accept-auth-by-cert enable
    end

In both the FortiAnalyzer and FortiManager CLI, under config system interface, the allowaccess setting of the port used for the fabric connection must include fabric.

For more information, see the FortiManager Administration Guide.
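The following is an added example of the allowaccess change described above, written for this page rather than taken from the guide. The interface name "port1" and the already-allowed services "https ssh" are assumptions; the point is that set allowaccess replaces the whole list, so you restate the services the port already allows and add fabric to them instead of setting fabric on its own, which would cut off your own HTTPS or SSH management access. Run the same change on both the FortiManager and the FortiAnalyzer CLI.

```text
# Added example, not from the guide. "port1" and "https ssh" are assumptions.

# 1. Check what the port currently allows so nothing is dropped in step 2.
show system interface

# 2. Restate the existing services and add "fabric" to them.
config system interface
    edit "port1"
        set allowaccess https ssh fabric
    next
end
```

After the change, the FortiManager connector's status on FortiAnalyzer (Incidents & Alerts > Automation > Active Connectors) is the quickest confirmation that the fabric connection is accepted on both sides.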

  1. In the FortiAnalyzer, go to Incidents & Alerts > Automation > Active Connectors.

  2. Double-click the FMG Connector.

    The Edit FortiManager Connector pane displays.

  3. In the FortiManager IP/FQDN field, enter the IP address of the FortiManager.

  4. Toggle the Status to Enabled.

  5. Click OK and wait for the connection.

  6. Once the connection status is Pending Authorization, click Authorize.

  7. On the authorization page, select the ADOM to add the FortiAnalyzer to, and click Next.

  8. After authorization, the FortiAnalyzer is added to FortiManager under Device Manager > Device & Groups > Managed FortiAnalyzer.

    Alternatively, you can authorize the FortiAnalyzer from the FortiManager GUI.
