User Guide

Fortinet Automation Service

Fortinet Automation Service

The Fortinet Automation Service integration streamlines and automates security operations within FortiNDR Cloud. This service enables security teams to execute predefined playbooks that perform specific actions based on connector configurations and conditional logic. A playbook can range from a simple API call to a complex, multi-step process involving several queries. Users can trigger playbooks without needing to understand the underlying logic, allowing them to focus on the intended outcome rather than the implementation details. This service enhances operational efficiency by simplifying tasks such as isolating devices, retrieving deployment network details, and executing other automated actions.

FortiNDR Essentials Solution Pack

The FortiNDR Essentials Solution Pack provides a set of automation playbooks that simplify incident response and security operations across multiple connectors. It connects with Fortinet products to perform common tasks automatically. These tasks include retrieving endpoint and agent details, isolating or restoring network connectivity for compromised systems, and managing IP blocks on firewalls.

The latest version of the solution pack is downloaded to your account when the automation service is provisioned. Solution pack updates must be applied manually. To view the contents of the latest solution pack, see Solution pack versions.

Note

The Fortinet Automation Service is based on the FortiSOAR platform. Fortinet will regularly release solution packs that include updated connectors and new playbooks.

To request any new connectors and actions, please contact your designated TSM or log a support ticket.

Getting started with the Fortinet Automation Service

Follow these steps to begin using the Fortinet Automation Service:

Task                                  Description
Provision the service                 Contact your TSM to provision the service.
Install the Local Agent (if needed)   Only one agent is needed for all integrations within the same network.
Configure the connectors              Set up the connectors you intend to use.
Run the playbooks                     Once the connectors are configured, related playbooks will appear in the Entity Panel.

Provisioning the service

When the Fortinet Automation Service is provisioned, the FortiNDR Essentials Solution Pack is installed automatically. This solution pack contains both connectors and playbooks.

Log into the FortiNDR Cloud portal and go to Account Management > Modules. The Fortinet Automation Service module will appear near the top of the page.

If you have purchased the module but do not see it listed, please contact your account team or TSM.

Installing the agent

The Fortinet Automation Service agent is a lightweight software component deployed within your environment. Its primary role is to facilitate secure communication between FortiNDR Cloud and the target systems or infrastructure. Agents execute playbook actions locally, such as running scripts, collecting data, or interacting with third-party tools, based on instructions received from the automation service. This allows for real-time automation while maintaining control and visibility within your network.

Only one agent is needed for all integrations within the same network.

  • If you plan to use on-premises integrations, install the local agent.
  • Cloud-only integrations do not require a local agent; they use a Cloud agent.

Connector        Agent Required
FortiClientEMS   Yes
FortiDeceptor    Yes
FortiEDR         Yes

Recommended resource requirements

  • 1 GB RAM
  • 1 vCPU
  • 16 GB of available disk space
  • Rocky Linux 9.3/9.4/9.5 or Red Hat Enterprise Linux (RHEL) Server 9.3/9.4/9.5.

Agent requirements

  • Ensure that repo.fortisoar.fortinet.com is reachable or resolvable from the VM where you plan to install the agent.
  • Ensure that the device where you plan to install the agent has outbound access to FortiNDR Cloud on ports 443 and 5671.
  • Ensure connectivity to the RabbitMQ server.
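A pre-install check for the three agent requirements above, written here as an added example rather than Fortinet's installer: it resolves repo.fortisoar.fortinet.com and tests outbound TCP to the FortiNDR Cloud host on ports 443 and 5671 and to the RabbitMQ server. The FortiNDR Cloud and RabbitMQ hostnames are not given in this guide, so they are read from the FORTINDR_CLOUD_HOST and RABBITMQ_HOST environment variables (assumed placeholders); the 5-second timeout is also an assumption.

```shell
#!/usr/bin/env bash
# Pre-install connectivity check for the Fortinet Automation Service agent.
# Added example, not Fortinet's installer. The FortiNDR Cloud and RabbitMQ
# hostnames are placeholders read from the environment (not from the guide).
REPO_HOST="repo.fortisoar.fortinet.com"                               # named in the guide
FORTINDR_CLOUD_HOST="${FORTINDR_CLOUD_HOST:-fortindr-cloud.example}"  # placeholder
RABBITMQ_HOST="${RABBITMQ_HOST:-$FORTINDR_CLOUD_HOST}"                # placeholder
CLOUD_PORTS="443 5671"                                                # ports named in the guide
RABBITMQ_PORT=5671                                                    # assumption: AMQPS port

# Returns 0 if the name resolves through NSS (so /etc/hosts entries count too).
check_dns() {
  getent hosts "$1" >/dev/null 2>&1
}

# Returns 0 if a TCP connection to host:port succeeds within 5 seconds.
# Uses bash's /dev/tcp so no extra tools are needed on a minimal VM.
check_tcp() {
  local host=$1 port=$2
  timeout 5 bash -c "exec 3<>/dev/tcp/$host/$port" >/dev/null 2>&1
}

# Runs every check, prints one PASS/FAIL line per check and returns the
# number of failed checks (0 means the VM meets the listed requirements).
run_preflight() {
  local failures=0 port
  _report() {  # $1 = label, remaining args = command to run
    local label=$1; shift
    if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; failures=$((failures + 1)); fi
  }
  _report "resolve $REPO_HOST" check_dns "$REPO_HOST"
  _report "resolve $FORTINDR_CLOUD_HOST" check_dns "$FORTINDR_CLOUD_HOST"
  for port in $CLOUD_PORTS; do
    _report "tcp $FORTINDR_CLOUD_HOST:$port" check_tcp "$FORTINDR_CLOUD_HOST" "$port"
  done
  _report "tcp $RABBITMQ_HOST:$RABBITMQ_PORT (RabbitMQ)" check_tcp "$RABBITMQ_HOST" "$RABBITMQ_PORT"
  return "$failures"
}

# Only run the checks when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
  run_preflight
  exit $?
fi
```

Run it on the agent VM with `bash preflight.sh --run`; a non-zero exit status means at least one requirement is not met.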

To install the automation service agent:
  1. Click the gear icon at the top-right of the portal and select Account Management.
  2. Click Modules. The Modules page opens.
  3. In the Fortinet Automation Service module, click Configure.
  4. Click the Agents tab.
  5. On the Agents page, click Create New agent.
  6. Click Download Installer.
  7. Choose the connectors you want to include while installing the Agent. You can choose from the following options:
    • Do not install connectors by default
    • Custom
    • All connectors installed on the current node
    • Include pre-existing connectors on agent
  8. Set the Installer type to Bash Script.
  9. Copy the downloaded installer script to the Agent device.
  10. Run the installer script to install the Agent.

Troubleshooting agent installation

Incorrect installed connector list displayed after reconfiguring the Agent on a new VM

When reconfiguring an existing Agent on a new device, the connector list from the previous agent may incorrectly be displayed on the new Agent. This occurs when the Do not install connectors by default option is selected during reconfiguration.

Resolution

To resolve this, select the Include pre-existing connectors on Agent option when reconfiguring the agent on the new VM.

Installing and configuring connectors

A connector allows FortiNDR Cloud to interact with external systems, applications, or endpoints. It executes specific actions such as data collection, enrichment, or remediation as part of automated workflows that are triggered by playbooks and depend on network connectivity to the target systems.

To install and configure a connector:
  1. Click the gear icon at the top-right of the portal and select Account Management.
  2. Click Modules.
  3. In the Fortinet Automation Service module, click Configure.
  4. In the Content Hub tab, click the connector that you want to install.
  5. In the Connector pop-up, click Install.
  6. In the Confirmation dialog, click Yes, Confirm. If successful, a confirmation message appears and the Configuration(s) tab opens.
  7. Configure the required fields for the connector and click Save. NOTE: Ensure that Mark as default configuration is selected.

Tooltip

For detailed information about configuring the connector, click the Documentation button.

Running playbooks

Playbooks are executed from the Entity Panel. When the Fortinet Automation Service is enabled, a link and a corresponding tab will appear in the Entity Panel, allowing you to access and execute playbooks.

The following playbooks are available:

Connector        Playbook                                 Description
FortiClientEMS   Get Endpoint Details via FortiClient     Show the information that FortiClientEMS has on the endpoint, including user information, security posture and configuration.
                 Quarantine Endpoint via FortiClient      Block all network traffic to or from the endpoint via FortiClientEMS.
                 Unquarantine Endpoints via FortiClient   Restore network connectivity to and from the endpoint via FortiClientEMS.
FortiDeceptor    Show All FortiDeceptor Decoys            Get details on all decoys from FortiDeceptor.
FortiEDR         Get Collector Details from FortiEDR      Get Collector details from FortiEDR, including user details, discovered assets and vulnerabilities.
                 Unisolate Collector via FortiEDR         Restore normal network connectivity for the endpoint using FortiEDR.
                 Isolate Collector via FortiEDR           Restrict the endpoint from accessing the internet via FortiEDR.

To run a playbook:
  1. Open the Entity Panel by doing one of the following:
    • Click any entity (such as an IP address) anywhere in the portal.
    • Click an IP address in the detector details tabs.
    • Click View Device Details in the Actions menu.
    • Click a device IP in the High Risk Devices dashboard widget.
    • Click the IP label on the Detections Device Timeline.
  2. In the Entity Panel, click the Fortinet Automation Service link or tab. The Playbook List opens.
    • For information about the playbook, hover over the information icon (i).
    • Click the View icons to view the playbooks as a list or categories.
    • Enter a keyword in the Search field to find a playbook by name.
    • Click the filter icon to filter based on a tag.
  3. Hover over the playbook and click Execute Playbook.

After the playbook is executed, the results are displayed.

Enable Canvas View to visualize playbook actions as a topology.

Solution pack versions

Solution Pack Version   Connectors and Playbooks
1.0.0                   FortiClientEMS, FortiEDR, FortiDeceptor