Integrate Watch Lists into FortiGate
There are two steps to this process:
- Identify the endpoint API that FortiGate will connect to.
- Configure the Security Fabric Threat Feed integration.
An example integration of configuring FortiGate to pull events from the “External Fabric Threats” watchlist is provided here.
- In the FortiGate, navigate to Security Fabric > External Connectors.
- Click Create New.
- Under the Threat Feeds section, select IP Address.
- Input the fields for the IP Address Threat Feed:
  - In the Name field, enter a name, for example "FSM_Threat_Feed".
    Note: It must begin with “g-” if the FortiGate is in multi-vdom mode, for example "g-FSM_Threat_Feed".
  - Set Update method to External Feed. This method pulls the updates from the external feed at a configured interval.
  - Enter the appropriate URL for one of the watchlist groups (External Fabric Threats or Fabric Threats), in the format of:
    https://<ip of FortiSIEM>:<port>/phoenix/rest/watchlist/ip?name=External%20Fabric%20Threats
    OR
    https://<ip of FortiSIEM>:<port>/phoenix/rest/watchlist/ip?name=Fabric%20Threats
  - Enable HTTP basic authentication.
  - In the Username field, enter “super/<username>”. In the Password field, enter the password associated with the account.
    Note: If using a multi-tenant version of FortiSIEM, you can replace the org “super” with the name of the organization that you need to integrate with.
  - (Optional) In the Refresh Rate field, increase/decrease the refresh rate as needed.
- Click OK.
- Once created, double-click the new feed on the list page to open the Threat feed again. In the right gutter area, Connection Status should now display a green arrow. Click View Entries to display the entries received from FortiSIEM.
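As an added example that is not part of the FortiSIEM or FortiGate documentation, the following Python script builds the watchlist URL and the “super/<username>” basic-auth header described above, fetches the feed over verified TLS, and checks each returned line before the FortiGate is pointed at it. It assumes the watchlist endpoint returns one IP address or CIDR per line with optional '#' comments (the format FortiGate IP threat feeds accept); the host name, account and sample feed body are constructed placeholders.

```python
import base64
import ipaddress
import os
import ssl
import urllib.request
from urllib.parse import quote

def build_feed_url(host, port, watchlist_name):
    # Spaces in the watchlist name are percent-encoded, e.g. "External%20Fabric%20Threats"
    return f"https://{host}:{port}/phoenix/rest/watchlist/ip?name={quote(watchlist_name)}"

def basic_auth_header(org, username, password):
    # FortiSIEM takes "<org>/<username>" as the basic-auth user; "super" is the default org
    token = base64.b64encode(f"{org}/{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}

def fetch_feed(url, headers, cafile=None):
    # Keep certificate verification on; pass cafile for a private CA instead of disabling it
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8", errors="replace")

def validate_feed(text):
    # Assumed format: one address or CIDR per line, blank lines and '#' comments ignored.
    # Returns (accepted networks, [(line_no, raw_line)] for lines FortiGate would not accept).
    accepted, rejected = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            accepted.append(str(ipaddress.ip_network(line, strict=False)))
        except ValueError:
            rejected.append((line_no, raw))
    return accepted, rejected

SAMPLE_FEED = """# constructed sample body, not real FortiSIEM output
203.0.113.7
198.51.100.0/24
2001:db8::1
not-an-ip
10.0.0.1/33
"""

if __name__ == "__main__":
    # Hypothetical host/account; set FSM_PASSWORD to query a real FortiSIEM instead of the sample
    url = build_feed_url("fortisiem.example.invalid", 443, "External Fabric Threats")
    pw = os.environ.get("FSM_PASSWORD")
    body = fetch_feed(url, basic_auth_header("super", "admin", pw)) if pw else SAMPLE_FEED
    print(validate_feed(body))
```

A non-empty rejected list means the FortiGate will silently drop those entries, so it is worth resolving them on the FortiSIEM watchlist rather than assuming the feed is complete once Connection Status turns green.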