Fortinet white logo
Fortinet white logo

Administration Guide

Integrate Method settings

Integrate Method settings

A/D Connector Isolation

Hostname

IP address or Hostname of the Active Directory (AD) server.

Port

Port number used for connecting to the AD server.

Username

Valid AD service account with a minimum of account operators access.

Password

Password for your AD user.

Base DN

The base, or node from where the search should start.

All connector operations are carried out using the Base DN as a root to the AD organization tree. You can restrict the AD lookup by providing appropriate filters in this parameter.

Some examples are as follows:

DC=fdc,DC=com

OU=workstation,DC=fdc,DC=com

OU=Finance,OU=workstation,DC=fdc,DC=com

Bind DN

The fully distinguished name, which is used to bind to the AD server.

Use TLS

Specifies whether SSL and TLS. SSL is used by default.

Limit

The number of quarantine attackers per 24 hours.

Aruba ClearPass

Server URL

The Aruba ClearPass URL or IP address.

Client ID

Client ID of the Aruba ClearPass application which is used to access Aruba ClearPass.

Auth Type

Select Username/Password or Client Secret.

Username

If the Auth Type is Username/Password, enter the Aruba ClearPass username.

Password

If the Auth Type is Username/Password, enter the Aruba ClearPass password.

Client Secret

If the Auth Type is Client Secret, enter the Aruba ClearPass client secret.

Verify SSL

Enable to verify Secure Sockets Layer.

Expiry

Default blocking time in seconds. Default is 3600 seconds

AWS Keys

AWS Region

AWS region to access the AWS CloudTrail.

AWS Access Key ID

ID of the AWS Access Key to access AWS services.

AWS Secret Access Key

Key of the AWS Secret Access to access AWS services.

Verify SSL

Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True.

Azure Keys

Client ID

Also called Application ID;Unique ID of the Microsoft Entra application.

Client Secret

Client Secret of the Microsoft Entra application that is used to create an authentication token required to access the API.

Tenant ID

Tenant ID provided for your Microsoft Entra.

Verify SSL

Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True.

CheckPoint-FW-Isolation

Compatible CheckPoint version: R81 build392 or later

IP/URL

IP address or URL of the integrated device.

Port

Port number of the integrated device API service. Default is 443.

IP Block Policy(Network Group Name)

Enter the Network Group Name.

Username

Username of the integrated device.

Password

Password of the integrated device.

Verify SSL

Enable to verify Secure Sockets Layer.

Install Policy After Publish Enable to install the policy after it is published.
Cisco-ISE

Compatible Cisco ISE version: 2.7 or later.

Server URL/IP

The Cisco server URL and IP address.

Port

Port number of the integrated device API service. Default is 9060.

Username

Username of the integrated device.

Password

Password of the integrated device.

Verify SSL

Enable to verify SSL.

Expiry

Default blocking time in seconds. Default is 3600 seconds.

CrowdStrike-Isolation
Server URL

CrowdStrike server URL.

Client ID

Client ID of the Crowdstrike application which is used to access CrowdStrike isolation service.

Client Secret

Secret string of the Crowdstrike application which is used to access CrowdStrike isolation service.

Verify SSL

Enable to verify SSL.

Expiry

Default blocking time in seconds. Default is 3600 seconds.

FGT-REST-API

Compatible FortiGate version: 6.0.4 or later

IP

IP address of the integrated device.

Port

Port number of the integrated device API service. Default is 443.

Username

Username of the integrated device.

Password

Password of the integrated device.

VDOM

For FortiGate devices, the default access VDOM.

Expiry

Default blocking time in second. Default is 3600 seconds.

FGT-WEBHOOK

Compatible FortiGate version: 6.4.0 or later

Block Action Expiry

Default blocking time in seconds. Default is 3600 seconds.

URL

Enter the request API URI.

Authorization

Enter the API key.

Unblock Action Expiry

Default blocking time in seconds. Default is 3600 seconds.

URL

Enter the request API URI.

Authorization

Enter the API key.

FNAC-WEBHOOK

Compatible FortiNAC version: 8.8.2.1714 or later.

IP:

IP address of the integrated device.

Port:

Port number of the integrated device API service. Default is 443.

Authorization Token:

The FortiNAC-WEBHOOK authorization token generated by FNAC.

Expiry:

Default blocking time in seconds. Default is 3600 seconds.

FortiEDR-Isolation

Compatible FortiEDR version: 5.0.2.305 or later.

IP

IP address of the integrated device.

Port

Port number of the integrated device API service. Default is 443.

Organization\Username

The FortiEDR organization and username.

Password

Password of the integrated device.

Expiry

Default blocking time in seconds. Default is 3600 seconds.

FSM-Watch-List
IP

IP address of the integrated device.

Port

Port number of the integrated device API service. Default is 443.

Username:

Username of the integrated device.

Password:

Password of the integrated device.

Organization

Type the organization name for the integration device.

Verify SSL

Enable to verify SSL.

Watch-List Name

Type Watch-List Name as defined in FortiSIEM.

Lure Users-Manual Mode

Type the other lures you want to watch.

Polling Time Interval

Default polling time in seconds. Default is 3600 seconds.

GEN-WEBHOOK

Compatible FortiNAC version: 8.8 or later (Firmware: 8.8.2.1714)

Block Action: Expiry

Default blocking time in seconds. Default is 3600 seconds.

Http Method

Select GET, POST, PUT, or PATCH

URL

Enter the request API URI.

Authorization

Enter the API key.

HTTP Header

Select Empty, Hacker-IP, Hacker-MAC, or Expiry-Time.

HTTP Data

Select Empty, Hacker-IP, Hacker-MAC, or Expiry-Time.

Unblock Action: Http Method

Select GET, POST, PUT, or PATCH

URL

Enter the request API URI.

Authorization

Enter the API key.

HTTP Header

Select Empty, Hacker-IP, Hacker-MAC, or Expiry-Time.

HTTP Data

Select Empty, Hacker-IP, Hacker-MAC, or Expiry-Time.

IR Collector
Domain

The device domain.

Username

Username of the integrated device.

Password

Password of the integrated device.

Limit

The number of collections per endpoint per 24 hour.

Microsoft-ATP
Server URL

Service base URI to connect and perform the automated operations. For example, https://api.securitycenter.microsoft.com.

Client ID

Client ID of the Azure application that is used to access Windows Defender ATP

Client Secret

Secret string that the application (used to access Windows Defender ATP) uses to prove its identity

Tenant ID

Tenant ID of the Azure application

Verify SSL

Enable to verify SSL.

Expiry

Default blocking time in seconds. Default is 3600 seconds.

PAN-XMLAPI

Compatible PAN-device version: 10.0.0 or later

Device IP IP address of the integrated device.
Port Port number of the integrated device API service. Default is 443.
Username Username of the integrated device.
Password Password of the integrated device.
Vsys The virtual system which is configured on PAN
Policy Index Select Top or Bottom.
Expiry Default blocking time in seconds. Default is 3600 seconds.
SentinelOne Isolation

Server URL

SentinelOne server URL.

API Token

The SentinelOne authorization token.

API Version

The version of the SentinelOne token.

Verify SSL

Enable to verify SSL.

Expiry

Default blocking time in seconds. Default is 3600 seconds.

Windows Network Isolation
Domain

The device domain.

Username

Username of the integrated device.

Password

Password of the integrated device.

Integrate Method settings

Integrate Method settings

A/D Connector Isolation

Hostname

IP address or Hostname of the Active Directory (AD) server.

Port

Port number used for connecting to the AD server.

Username

Valid AD service account with a minimum of account operators access.

Password

Password for your AD user.

Base DN

The base, or node from where the search should start.

All connector operations are carried out using the Base DN as a root to the AD organization tree. You can restrict the AD lookup by providing appropriate filters in this parameter.

Some examples are as follows:

DC=fdc,DC=com

OU=workstation,DC=fdc,DC=com

OU=Finance,OU=workstation,DC=fdc,DC=com

Bind DN

The fully distinguished name, which is used to bind to the AD server.

Use TLS

Specifies whether SSL and TLS. SSL is used by default.

Limit

The number of quarantine attackers per 24 hours.

Aruba ClearPass

Server URL

The Aruba ClearPass URL or IP address.

Client ID

Client ID of the Aruba ClearPass application which is used to access Aruba ClearPass.

Auth Type

Select Username/Password or Client Secret.

Username

If the Auth Type is Username/Password, enter the Aruba ClearPass username.

Password

If the Auth Type is Username/Password, enter the Aruba ClearPass password.

Client Secret

If the Auth Type is Client Secret, enter the Aruba ClearPass client secret.

Verify SSL

Enable to verify Secure Sockets Layer.

Expiry

Default blocking time in seconds. Default is 3600 seconds

AWS Keys

AWS Region

AWS region to access the AWS CloudTrail.

AWS Access Key ID

ID of the AWS Access Key to access AWS services.

AWS Secret Access Key

Key of the AWS Secret Access to access AWS services.

Verify SSL

Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True.

Azure Keys

Client ID

Also called Application ID;Unique ID of the Microsoft Entra application.

Client Secret

Client Secret of the Microsoft Entra application that is used to create an authentication token required to access the API.

Tenant ID

Tenant ID provided for your Microsoft Entra.

Verify SSL

Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True.

CheckPoint-FW-Isolation

Compatible CheckPoint version: R81 build392 or later

IP/URL

IP address or URL of the integrated device.

Port

Port number of the integrated device API service. Default is 443.

IP Block Policy(Network Group Name)

Enter the Network Group Name.

Username

Username of the integrated device.

Password

Password of the integrated device.

Verify SSL

Enable to verify Secure Sockets Layer.

Install Policy After Publish Enable to install the policy after it is published.
Cisco-ISE

Compatible Cisco ISE version: 2.7 or later.

Server URL/IP

The Cisco server URL and IP address.

Port

Port number of the integrated device API service. Default is 9060.

Username

Username of the integrated device.

Password

Password of the integrated device.

Verify SSL

Enable to verify SSL.

Expiry

Default blocking time in seconds. Default is 3600 seconds.

CrowdStrike-Isolation
Server URL

CrowdStrike server URL.

Client ID

Client ID of the Crowdstrike application which is used to access CrowdStrike isolation service.

Client Secret

Secret string of the Crowdstrike application which is used to access CrowdStrike isolation service.

Verify SSL

Enable to verify SSL.

Expiry

Default blocking time in seconds. Default is 3600 seconds.

FGT-REST-API

Compatible FortiGate version: 6.0.4 or later

IP

IP address of the integrated device.

Port

Port number of the integrated device API service. Default is 443.

Username

Username of the integrated device.

Password

Password of the integrated device.

VDOM

For FortiGate devices, the default access VDOM.

Expiry

Default blocking time in second. Default is 3600 seconds.

FGT-WEBHOOK

Compatible FortiGate version: 6.4.0 or later

Block Action Expiry

Default blocking time in seconds. Default is 3600 seconds.

URL

Enter the request API URI.

Authorization

Enter the API key.

Unblock Action Expiry

Default blocking time in seconds. Default is 3600 seconds.

URL

Enter the request API URI.

Authorization

Enter the API key.

FNAC-WEBHOOK

Compatible FortiNAC version: 8.8.2.1714 or later.

IP:

IP address of the integrated device.

Port:

Port number of the integrated device API service. Default is 443.

Authorization Token:

The FortiNAC-WEBHOOK authorization token generated by FNAC.

Expiry:

Default blocking time in seconds. Default is 3600 seconds.

FortiEDR-Isolation

Compatible FortiEDR version: 5.0.2.305 or later.

IP

IP address of the integrated device.

Port

Port number of the integrated device API service. Default is 443.

Organization\Username

The FortiEDR organization and username.

Password

Password of the integrated device.

Expiry

Default blocking time in seconds. Default is 3600 seconds.

FSM-Watch-List
IP

IP address of the integrated device.

Port

Port number of the integrated device API service. Default is 443.

Username:

Username of the integrated device.

Password:

Password of the integrated device.

Organization

Type the organization name for the integration device.

Verify SSL

Enable to verify SSL.

Watch-List Name

Type Watch-List Name as defined in FortiSIEM.

Lure Users-Manual Mode

Type the other lures you want to watch.

Polling Time Interval

Default polling time in seconds. Default is 3600 seconds.

GEN-WEBHOOK

Compatible FortiNAC version: 8.8 or later (Firmware: 8.8.2.1714)

Block Action: Expiry

Default blocking time in seconds. Default is 3600 seconds.

Http Method

Select GET, POST, PUT, or PATCH

URL

Enter the request API URI.

Authorization

Enter the API key.

HTTP Header

Select Empty, Hacker-IP, Hacker-MAC, or Expiry-Time.

HTTP Data

Select Empty, Hacker-IP, Hacker-MAC, or Expiry-Time.

Unblock Action: Http Method

Select GET, POST, PUT, or PATCH

URL

Enter the request API URI.

Authorization

Enter the API key.

HTTP Header

Select Empty, Hacker-IP, Hacker-MAC, or Expiry-Time.

HTTP Data

Select Empty, Hacker-IP, Hacker-MAC, or Expiry-Time.

IR Collector
Domain

The device domain.

Username

Username of the integrated device.

Password

Password of the integrated device.

Limit

The number of collections per endpoint per 24 hour.

Microsoft-ATP
Server URL

Service base URI to connect and perform the automated operations. For example, https://api.securitycenter.microsoft.com.

Client ID

Client ID of the Azure application that is used to access Windows Defender ATP

Client Secret

Secret string that the application (used to access Windows Defender ATP) uses to prove its identity

Tenant ID

Tenant ID of the Azure application

Verify SSL

Enable to verify SSL.

Expiry

Default blocking time in seconds. Default is 3600 seconds.

PAN-XMLAPI

Compatible PAN-device version: 10.0.0 or later

Device IP IP address of the integrated device.
Port Port number of the integrated device API service. Default is 443.
Username Username of the integrated device.
Password Password of the integrated device.
Vsys The virtual system which is configured on PAN
Policy Index Select Top or Bottom.
Expiry Default blocking time in seconds. Default is 3600 seconds.
SentinelOne Isolation

Server URL

SentinelOne server URL.

API Token

The SentinelOne authorization token.

API Version

The version of the SentinelOne token.

Verify SSL

Enable to verify SSL.

Expiry

Default blocking time in seconds. Default is 3600 seconds.

Windows Network Isolation
Domain

The device domain.

Username

Username of the integrated device.

Password

Password of the integrated device.