
Administration Guide

Integrate FortiDeceptor with FortiGate over Fabric

This topic describes how to integrate FortiDeceptor with FortiGate over Fabric in FortiOS versions 7.2.1 and 7.2.0.

Note

FortiGate 7.2.1 has a bug which prevents adding and displaying the FortiDeceptor information widgets in the dashboard.

Integrate FortiDeceptor with FortiGate over Fabric:
  1. Configure the Fabric Connector on FortiGate.
  2. Configure the upstream FortiDeceptor.
  3. Authorize FortiDeceptor on FortiGate.
  4. Configure the automation on FortiGate.
  5. Create a stitch for manual block on FortiGate.
  6. Create a stitch for manual unblock.
  7. Check the quarantine status in FortiDeceptor.
  8. Check quarantine status on FortiGate.

1. Configure the Fabric Connector on FortiGate

1.1 Create the administrator profile in FortiGate

  1. In FortiGate, go to System > Admin Profiles.
  2. Select prof_admin or super_admin and click Create New. The New Admin Profile page opens.
  3. Configure the profile Access Permissions. The following are the minimum required permissions.

    Access Control        Permissions
    Security Fabric       Read/Write
    FortiView             Read
    User & Device         Read/Write
    Firewall              Read
    Log & Report          Read
    Network               Read
    System                Read/Write
    Security Profile      Read
    VPN                   Read
    WAN Opt & Cache       Read
    WiFi & Switch         Read

  4. Click OK.

1.2 Configure the Fabric Connector using the FortiGate profile

Enable the Security Fabric. For more information, see Configuring the root FortiGate and downstream FortiGates.

  1. Go to Security Fabric > Fabric Connectors.
  2. Double-click the Security Fabric Setup tile. The Edit Fabric Connector window opens.
  3. Configure the following settings and click OK.

    Security Fabric role: Select Serve as Fabric Root.
    Allow downstream device REST API access: Enable.

    Note

    Enabling Allow downstream device REST API access is mandatory.

    Administrator profile: Select the profile you created in Step 1.1 Create the administrator profile in FortiGate.

2. Configure the upstream FortiDeceptor

  1. In FortiDeceptor, go to Fabric > Quarantine Integration.
  2. Configure the Fabric Upstream settings and click Apply.

    Enabled: Enable.
    Upstream IP address: Enter the IP address of the upstream FortiGate.
    Quarantine Via Upstream: Enable.

3. Authorize FortiDeceptor on FortiGate

3.1 Update the device status

  1. Go to System > Fabric Management.
  2. Select the FortiDeceptor with a status of Waiting for authorization and click Authorize.

3.2 Add the fabric device widget in FortiGate Dashboard

  1. Go to Dashboard > Status and click Add Widget. The Add Dashboard Widget menu opens.
  2. Under Security Fabric, click Fabric Device.
  3. From the Device dropdown, select the FortiDeceptor.
  4. Configure the other settings and click Add Widget.

3.3 Monitor the FortiDeceptor widgets on FortiGate

Use the FortiDeceptor Fabric Device widget to monitor FortiDeceptor System Information and Deception Decoys information.

4. Configure the automation on FortiGate

4.1 Create an Action for automated quarantine on FortiGate

  1. Go to Security Fabric > Automation.
  2. In the banner, click Action.
  3. Click Create New and then click IP Ban. The Create New Automation Action page opens.
  4. Enter a descriptive Name such as fdc_ban-ip and a Description such as For fabric, and click OK.

4.2 Create a trigger for automated quarantine

  1. In FortiGate, go to Security Fabric > Automation.
  2. In the banner, click Trigger.
  3. Click Create New and then click the Fabric Connector Event tile.
  4. Configure the following settings and click OK.
    Name: Give the trigger a descriptive name such as FDC_Insider_Threat.
    Description: Enter a description such as FDC mitigation.
    Connector: Select the upstream FortiDeceptor device.
    Event name: Select Insider Threat.

4.3 Create a stitch for automated quarantine

  1. In FortiGate go to Security Fabric > Automation.
  2. In the banner, click Stitch and then click Create New.
  3. Give the Stitch a descriptive name such as FDC_ban.
  4. Click the Trigger tile and select the trigger you created in Step 4.2 Create a trigger for automated quarantine (FDC_Insider_Threat).
  5. Click the Action tile and select the Action you created (fdc_ban-ip).

5. Create a stitch for manual block on FortiGate

5.1 Create an Action for manual block

  1. In FortiGate go to Security Fabric > Automation.
  2. In the banner, click Action.
  3. Click Create New and then click the IP Ban tile.
  4. Give the Action a descriptive Name such as ipban, enter a Description such as block the IP, and click OK.

5.2 Create a trigger for manual block

  1. In FortiGate, go to Security Fabric > Automation.
  2. In the banner, click Trigger.
  3. Click Create New and then click the Fabric Connector Event tile.
  4. Configure the following settings and click OK.
    Name: Enter a descriptive name such as manual-ban.
    Connector: Select the downstream FortiDeceptor device.
    Event Name: Select Notify Ban.

5.3 Create a stitch for manual block

  1. Go to Security Fabric > Automation.
  2. In the banner, click Stitch, and then click Create New.
  3. Give the Stitch a descriptive name such as FDC_Manual_Block.
  4. Click the Trigger tile and select the trigger you created in Step 5.2 Create a trigger for manual block (manual-ban).
  5. Click the Action tile and select the Action you created in Step 5.1 Create an Action for manual block (ipban).

6. Create a stitch for manual unblock

6.1 Create an Action for manual unblock

  1. In FortiGate go to Security Fabric > Automation.
  2. In the banner, click Action.
  3. Click Create New and then scroll down and click the CLI Script tile.
  4. Give the Action a descriptive Name such as unblock.
  5. In the CLI Script > Script field enter the following command and click OK.

    diagnose user banned-ip delete src4 %%log.srcip%%
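The unblock script above is expanded by the stitch from the triggering event: %%log.srcip%% is replaced with the source IP carried in the Notify Unban log. The following Python is an added example, not Fortinet's code, that simulates that expansion over constructed events and shows which inputs the src4 form of the command can act on; the event field names other than log.srcip are assumptions.

```python
import ipaddress
import re

# Constructed sample events in the shape a Fabric Connector trigger might hand to
# a stitch. Only "log.srcip" comes from the page; "event" is an assumed field.
SAMPLE_EVENTS = [
    {"event": "Notify Unban", "log": {"srcip": "10.1.2.3"}},
    {"event": "Notify Unban", "log": {"srcip": "2001:db8::7"}},         # IPv6: src4 does not apply
    {"event": "Notify Unban", "log": {"srcip": "10.1.2.3; exec reboot"}},  # not an address
    {"event": "Notify Ban", "log": {"srcip": "10.1.2.4"}},              # wrong event for unblock
]

# The CLI Script action from Step 6.1, with the stitch variable as written on the page.
UNBLOCK_TEMPLATE = "diagnose user banned-ip delete src4 %%log.srcip%%"
VAR_RE = re.compile(r"%%([A-Za-z0-9_.]+)%%")


def lookup(event, dotted):
    """Resolve a dotted stitch variable name such as log.srcip against an event dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def render_unblock(event):
    """Expand UNBLOCK_TEMPLATE for one event, or return None if it must not run.

    The command keyword src4 only addresses IPv4 bans, so the value substituted
    for %%log.srcip%% must parse as a single IPv4 address; anything else
    (IPv6, free text, a different event type) yields no command.
    """
    if event.get("event") != "Notify Unban":
        return None
    try:
        addr = ipaddress.ip_address(str(lookup(event, "log.srcip")))
    except ValueError:
        return None
    if addr.version != 4:
        return None
    return VAR_RE.sub(lambda m: str(lookup(event, m.group(1))), UNBLOCK_TEMPLATE)


def render_all(events):
    """Expand the template for each event; None marks events the action skips."""
    return [render_unblock(e) for e in events]
```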

6.2 Create a trigger for manual unblock

  1. In FortiGate, go to Security Fabric > Automation.
  2. In the banner, click Trigger.
  3. Click Create New, then configure the following settings and click OK.
    Name: Give the trigger a descriptive name such as Trigger-unban.
    Connector: Select the downstream FortiDeceptor device.
    Event name: Select Notify Unban.

6.3 Create a stitch for manual unblock

  1. Go to Security Fabric > Automation.
  2. In the banner, click Stitch, and then click Create New.
  3. Give the Stitch a descriptive name such as FDC_Manual_Unblock.
  4. Click the Trigger tile and select the trigger you created in Step 6.2 Create a trigger for manual unblock (Trigger-unban).
  5. Click the Action tile and select the Action you created in Step 6.1 Create an Action for manual unblock (unblock).

7. Check the quarantine status in FortiDeceptor

  1. In FortiDeceptor, go to Fabric > Quarantine Status.
  2. For Type > Auto quarantine, verify the Status is Quarantined.
  3. (Optional) Trigger a manual block.
    1. Select a device with Type > Manual quarantine.
    2. In the toolbar, click Block.

8. Check quarantine status on FortiGate

To view the quarantine status with the FortiGate GUI:

Go to Dashboard > Users & Devices and expand the Quarantine widget.

To view quarantine status with FortiGate CLI:

Run the following command:

diagnose user quarantine list

To view the debug log for quarantine with the FortiGate CLI:

Run the following command:

diagnose debug en
