Network Access Control (NAC) integration
When a Network Access Control connector such as FortiNAC is set up and Playbook policies are configured, automatic incident response actions can include having the NAC system isolate a device when a security event is triggered.
Before you start NAC configuration, make sure that:
- Your FortiEDR deployment includes a Jumpbox that has connectivity to the NAC server.
Details about how to install a FortiEDR Core and configure it as a Jumpbox are described in Setting up the FortiEDR Core. You may refer to Cores for more information about configuring a Jumpbox.
- The FortiEDR Central Manager has connectivity to the Fortinet Cloud Services (FCS). To verify this, make sure that FCS is in running state (Green) in the System Components chart in the Dashboard.
- You have a valid API user with access to FortiNAC or equivalent network access control system.
Follow the steps below to have a device isolated by NAC automatically when a FortiEDR security event is detected. The example below describes how to define an API user on FortiNAC so that FortiEDR can perform automatic device isolation after a FortiEDR security event.
Make sure to add FortiEDR domains and/or IP addresses to the exclusion list on the VLAN that is used for isolation on the FortiNAC system, so that the FortiEDR Collector can still communicate with its servers while the device is isolated.
FortiEDR Connector configuration
To configure NAC integration:
- Click the Add Connector button and select NAC in the Connectors dropdown list. The following displays:
- Fill in the following fields:
| Field | Definition |
| --- | --- |
| Jumpbox | Select the FortiEDR Jumpbox that will communicate with this NAC system. |
| Name | Specify a name of your choice which will be used to identify this NAC system. |
| Type | Select the type of NAC to be used in the dropdown list, for example: FortiNAC. |
| Host | Specify the IP or DNS address of the external NAC system. |
| Port | Specify the port that is used for communication with the external NAC system. |
| API Key | Specify authentication details of the external NAC system. To use an API token, click the API Key radio button and copy the token value into the text box. To use API credentials, click the Credentials radio button and fill in the external NAC system API username and password. |
- In the Actions area on the right, define the action to be taken by this connector. You can either use an action provided out-of-the-box with FortiEDR (for example, Isolate Device on NAC), or create or select one of the Custom Integration actions (if one or more have already been defined in FortiEDR, as described in Custom integration).
- To trigger an action on a custom connected third-party system, click the + Add Action button to display the following popup window:
- In the Action dropdown menu, select one of the previously defined actions (defined in FortiEDR as described in Custom integration), or click the Create New Action button in this popup window to define a new action that can be triggered according to the definitions in the Playbook, as described below. The following displays:
Fill out the fields of this window as follows to define a new action to be triggered in response to an incident.
For this action to run, a Playbook policy must be defined that executes the script when a security event is triggered. Defining the new action here automatically adds it as an option in Playbook policies; it is not, however, selected by default. Therefore, you must open the Playbook policy and select the action for it to be triggered when a security event occurs.
| Field | Definition |
| --- | --- |
| Name | Enter any name for this action. |
| Description | Enter a description of this action. |
| Upload | Upload a Python script that calls an API from the third-party system in order to perform the relevant action. Python 2.7 or later is supported. This Python script must be created according to the coding conventions that can be displayed by clicking the icon next to the Action Scripts field. |
The conventions window that displays explains these coding conventions and provides links that you can click to see more detail and/or to download sample files.
- Click Save. The new action is then listed in the Actions area.
- You can click the Test button next to an action to execute that action.
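As an added illustration (not FortiEDR's own sample script, whose conventions are shown by the icon next to the Action Scripts field), the following Python 3 script sketches what an uploaded action script does: it takes the connector's host, port and authentication (API key or username/password, mirroring the connector form) plus the device to isolate, calls a NAC isolation endpoint, and reports whether the device was isolated or is not managed on that NAC. The endpoint path, JSON fields and status-code meanings are assumptions; the `transport` parameter lets the HTTP call be stubbed so the logic can be exercised offline.

```python
# Added example (not FortiEDR's sample): skeleton of a custom NAC "isolate device"
# action script. The endpoint path, JSON fields and status codes are ASSUMPTIONS;
# the real conventions are shown by the icon next to the Action Scripts field.
import base64
import json
import urllib.error
import urllib.request


def build_isolate_request(host, port, device_ip, api_key=None, credentials=None):
    """Build (url, headers, body) for a hypothetical NAC isolation endpoint.
    Auth mirrors the connector form: API key (bearer) or username/password (Basic)."""
    if bool(api_key) == bool(credentials):
        raise ValueError("provide either api_key or credentials, not both")
    url = "https://{}:{}/api/hosts/{}/isolate".format(host, port, device_ip)  # assumed path
    headers = {"Content-Type": "application/json"}
    if api_key:
        headers["Authorization"] = "Bearer " + api_key
    else:
        user, password = credentials
        token = base64.b64encode("{}:{}".format(user, password).encode()).decode()
        headers["Authorization"] = "Basic " + token
    body = json.dumps({"reason": "FortiEDR security event"}).encode()
    return url, headers, body


def interpret_response(status, body):
    """Map the NAC's HTTP status to an action result. 404 is read as 'device not
    managed on this NAC', which the NAC cannot isolate; anything else is an error."""
    if status in (200, 202):
        return {"isolated": True, "message": "device isolated"}
    if status == 404:
        return {"isolated": False, "message": "device not managed on this NAC"}
    return {"isolated": False, "message": "NAC returned HTTP {}: {}".format(status, body[:200])}


def _http_post(url, headers, body):
    """Default transport; urllib verifies the NAC's TLS certificate by default."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def isolate_device(host, port, device_ip, api_key=None, credentials=None, transport=_http_post):
    """Run the action; transport(url, headers, body) -> (status, body_text) lets tests stub HTTP."""
    url, headers, body = build_isolate_request(host, port, device_ip, api_key, credentials)
    return interpret_response(*transport(url, headers, body))
```

The result dictionary is what the script would report back; a real script must additionally follow the argument and output conventions FortiEDR documents for action scripts.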
Playbooks configuration
To configure an automated incident response that uses a NAC connector to isolate a device upon security event triggering:
- Navigate to the SECURITY SETTINGS > Playbooks page.
- Open the Playbook policy that is applied to the devices for which you want the isolation response to apply. In the INVESTIGATION section, place a checkmark in the relevant Classification column next to the Isolate device with NAC row.
FortiEDR is now configured to automatically isolate the device upon triggering of a security event. Automatic incident response actions are listed in the CLASSIFICATION DETAILS area of the Events page of the FortiEDR Console as shown below:
Note that isolation by NAC is only performed for devices that are managed by the specified NAC.
To configure an automated incident response that uses a NAC connector to perform a custom action upon the triggering of a security event:
- Navigate to the SECURITY SETTINGS > Playbooks page.
- Open the Playbook policy that is applied on devices for which you want the custom action (defined above) to apply.
- In the CUSTOM section, place a checkmark in the relevant Classification columns next to the row of the relevant custom action.
- In the dropdown menu next to the relevant custom action, select the relevant NAC connector with which to perform the action, as shown below:
FortiEDR is now configured to trigger this action in the third-party system upon the triggering of a security event. This automatic incident response action appears in the CLASSIFICATION DETAILS area of the Events page of the FortiEDR Console.