FortiGuard security services protect against known and unknown threats, zero-day exploits, malware, and malicious websites. FortiGuard Labs provide continuous threat intelligence, dynamic analysis for detection, and automated mitigation to keep your network protected from advanced cyber attacks.
This document provides information about the FortiGate Firewall connector, which facilitates automated interactions with a FortiGate Firewall server using FortiSOAR™ playbooks. Add the FortiGate Firewall connector as a step in FortiSOAR™ playbooks and perform automated operations, such as blocking or unblocking IP addresses, URLs, or applications, or retrieving a list of blocked IP addresses, URLs, or applications from the FortiGate Firewall server.
Connector Version: 1.0.0
Compatibility with FortiSOAR™ Versions: 4.10.2-225 and later
Compatibility with FortiGate Firewall Versions: v5.6.3 and later
For the procedure to install a connector, click here.
Log on to the FortiGate Firewall server with the necessary credentials.
To block or unblock an IP address, you must create a policy for IP addresses on the FortiGate Firewall server. The following steps define the process of adding a policy:
In Policy & Objects, click IPv4 Policy to create a policy for IPv4 with the following conditions.
IP Block Policy configuration parameter.
To block or unblock a URL, you must create a profile for blocking or unblocking static URLs on the FortiGate Firewall server. The following steps define the process of adding a policy:
In Security Profiles, click Web Filter to create a new profile for blocking or unblocking static URLs, or use the default profile.
Enter the policy name in the configuration page. For our example, we have named this as default. When you are configuring your FortiGate Firewall connector in FortiSOAR™, you must use the policy name that you have specified in this step as your URL Block Policy configuration parameter.
To block or unblock an application, you must create a profile for blocking or unblocking applications on the FortiGate Firewall server. The following steps define the process of adding a policy:
In Security Profiles, click Application Control to create a new profile for blocking or unblocking applications, or use the default profile.
Enter the policy name in the configuration page. For our example, we have named this as default. When you are configuring your FortiGate Firewall connector in FortiSOAR™, you must use the policy name that you have specified in this step as your Application Block Policy configuration parameter.
As you can see in the above screenshot, for our example we have blocked two applications.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the FortiGate Firewall connector to configure the following parameters:
Parameter | Description |
---|---|
Server Address | IP address or Hostname of the FortiGate Firewall endpoint server to which you will connect and perform the automated operations. |
Port | Port number used for connecting to the FortiGate Firewall server. Defaults to 443. |
Username | Username to access the FortiGate Firewall server to which you will connect and perform the automated operations. |
Password | Password to access the FortiGate Firewall server to which you will connect and perform the automated operations. |
IP Block Policy | Name of the IPv4 Policy that you have specified in FortiGate Firewall for blocking or unblocking IP addresses. Based on our example, enter Cybersponse_Blocked_Policy in this field. See the Blocking or Unblocking IP addresses, URLs, or applications in FortiGate Firewall section. |
URL Block Policy | Name of the URL Policy that you have specified in FortiGate Firewall for blocking or unblocking URLs. Based on our example, enter default in this field. See the Blocking or Unblocking IP addresses, URLs, or applications in FortiGate Firewall section. |
Application Block Policy | Name of the Application Policy that you have specified in FortiGate Firewall for blocking or unblocking applications. Based on our example, enter default in this field. See the Blocking or Unblocking IP addresses, URLs, or applications in FortiGate Firewall section. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Validate Configuration Policies | Checks whether the policies that you have mentioned in the Configuration parameters section are valid or not. | validate_policies Investigation |
Get List of Policies | Retrieves a list and details for all policies that are configured on FortiGate Firewall from the FortiGate Firewall server. | get_policies Investigation |
Get Applications Detail | Retrieves a list of all application names and associated details from the FortiGate Firewall server. | get_app_details Investigation |
Block URLs | Blocks URLs on FortiGate Firewall using the URL Block Policy that you have specified while configuring the FortiGate Firewall connector. See the Configuration parameters section. | block_url Containment |
Unblock URLs | Unblocks URLs on FortiGate Firewall using the URL Block Policy that you have specified while configuring the FortiGate Firewall connector. See the Configuration parameters section. | unblock_url Remediation |
Block IP Address | Blocks IP addresses on FortiGate Firewall using the IP Block Policy that you have specified while configuring the FortiGate Firewall connector. See the Configuration parameters section. | block_ip Containment |
Unblock IP Address | Unblocks IP addresses on FortiGate Firewall using the IP Block Policy that you have specified while configuring the FortiGate Firewall connector. See the Configuration parameters section. | unblock_ip Remediation |
Block Application | Blocks applications on FortiGate Firewall using the Application Block Policy that you have specified while configuring the FortiGate Firewall connector. See the Configuration parameters section. | block_app Containment |
Unblock Application | Unblocks applications on FortiGate Firewall using the Application Block Policy that you have specified while configuring the FortiGate Firewall connector. See the Configuration parameters section. | unblock_app Remediation |
Get Blocked URLs | Retrieves a list of URLs that are blocked on FortiGate Firewall. | get_blocked_url Investigation |
Get Blocked IP Addresses | Retrieves a list of IP Addresses that are blocked on FortiGate Firewall. | get_blocked_ip Investigation |
Get Blocked Applications | Retrieves a list of application names that are blocked on FortiGate Firewall. | get_blocked_app Investigation |
None.
The JSON output contains a status message of whether the policies mentioned in the Configuration parameters section are valid or not.
Following image displays a sample output:
None.
The JSON output retrieves a list and details for all policies that are configured on FortiGate Firewall, from the FortiGate Firewall server.
Following image displays a sample output:
None.
The JSON output retrieves a list of all application names and associated details from the FortiGate Firewall server.
Following image displays a sample output:
Parameter | Description |
---|---|
URL | URL that you want to block on FortiGate Firewall. |
The JSON output contains a status message of whether or not the URL is successfully blocked on FortiGate Firewall.
Following image displays a sample output:
Parameter | Description |
---|---|
URL | URL that you want to unblock on FortiGate Firewall. |
The JSON output contains a status message of whether or not the URL is successfully unblocked on FortiGate Firewall.
Following image displays a sample output:
Parameter | Description |
---|---|
IP Address | IP Address that you want to block on FortiGate Firewall. |
The JSON output contains a status message of whether or not the IP Address is successfully blocked on FortiGate Firewall.
Following image displays a sample output:
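Because Block IP Address is a containment action that playbooks can trigger automatically, it helps to screen each candidate value before the step runs. The following is an added example, not part of the connector or its bundled playbooks; `PROTECTED_NETWORKS`, `check_block_candidate` and `triage` are hypothetical names, and the addresses are constructed sample values.

```python
import ipaddress

# Hypothetical allowlist (constructed sample): networks a playbook must never
# block, for example the upstream DNS resolvers the organisation depends on.
PROTECTED_NETWORKS = [ipaddress.ip_network(n) for n in ("1.1.1.1/32", "8.8.8.0/24")]


def check_block_candidate(value, protected=PROTECTED_NETWORKS):
    """Return (ok, reason) for a value about to be passed to Block IP Address."""
    try:
        ip = ipaddress.ip_address(str(value).strip())
    except ValueError:
        # Covers hostnames, CIDR ranges, typos and empty strings.
        return False, "not a single IP address"
    if ip.version != 4:
        # The block policy described on this page is an IPv4 policy.
        return False, "IP Block Policy is an IPv4 policy"
    if not ip.is_global:
        # Private, loopback, link-local, shared and reserved space.
        return False, "not globally routable"
    for net in protected:
        if ip in net:
            return False, f"inside protected network {net}"
    return True, "ok"


def triage(candidates, protected=PROTECTED_NETWORKS):
    """Split candidates into addresses safe to block and rejected ones."""
    to_block, rejected = [], {}
    for raw in candidates:
        ok, reason = check_block_candidate(raw, protected)
        value = str(raw).strip()
        if ok:
            if value not in to_block:  # drop duplicates, keep order
                to_block.append(value)
        else:
            rejected[value] = reason
    return to_block, rejected


if __name__ == "__main__":
    # Constructed alert indicators.
    sample = ["93.184.216.34", "10.0.0.5", "8.8.8.8", "2001:db8::1", "10.0.0.0/8"]
    blockable, skipped = triage(sample)
    print("block:", blockable)
    for value, why in skipped.items():
        print("skip :", value, "->", why)
```

Only the values in the first list would be handed to the Block IP Address step; the rejected ones are better routed to an analyst than dropped silently.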
Parameter | Description |
---|---|
IP Address | IP Address that you want to unblock on FortiGate Firewall. |
The JSON output contains a status message of whether or not the IP Address is successfully unblocked on FortiGate Firewall.
Following image displays a sample output:
Parameter | Description |
---|---|
Application Names (In CSV or List Format) | List of application names that you want to block on FortiGate Firewall. Application names must be in the list format if you want to block more than one application. For example, for a list of applications enter ["Application_Name1", "Application_Name2"] in this field. For a single application enter Application_Name. |
The JSON output contains a status message of whether or not the application(s) are successfully blocked on FortiGate Firewall.
Following image displays a sample output:
Parameter | Description |
---|---|
Application Name List | List of application names that you want to unblock on FortiGate Firewall. Application names must be in the list format if you want to unblock more than one application. For example, for a list of applications enter ["Application_Name1", "Application_Name2"] in this field. For a single application enter Application_Name. |
The JSON output contains a status message of whether or not the application(s) are successfully unblocked on FortiGate Firewall.
Following image displays a sample output:
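The Block Application and Unblock Application inputs described above accept a single name, a list, or (per the parameter title) CSV, so a playbook that builds this field from alert data benefits from normalizing it first. This is an added example, not the connector's own code; `normalize_app_names` is a hypothetical helper and it assumes application names do not themselves contain commas.

```python
import json


def normalize_app_names(raw):
    """Turn a playbook field value into a clean, ordered list of names.

    Accepts a Python list, a JSON list string such as
    '["Application_Name1", "Application_Name2"]', a CSV string, or a
    single name. Raises ValueError on anything ambiguous so that a
    malformed value never reaches the block or unblock step.
    """
    if isinstance(raw, (list, tuple)):
        items = list(raw)
    else:
        text = str(raw).strip()
        if text.startswith("["):
            items = json.loads(text)  # JSONDecodeError is a ValueError
            if not isinstance(items, list):
                raise ValueError("expected a list of application names")
        else:
            # Assumption: names contain no commas, so CSV is a plain split.
            items = text.split(",")

    names = []
    for item in items:
        if not isinstance(item, str):
            raise ValueError(f"application name must be a string: {item!r}")
        name = item.strip()
        if not name:
            raise ValueError("empty application name")
        if name not in names:  # drop duplicates, keep order
            names.append(name)
    if not names:
        raise ValueError("no application names supplied")
    return names


if __name__ == "__main__":
    # Constructed sample inputs in the three accepted shapes.
    for value in ('["Application_Name1", "Application_Name2"]',
                  "Application_Name",
                  "Application_Name1, Application_Name2"):
        print(repr(value), "->", normalize_app_names(value))
```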
None.
The JSON output retrieves a list of URLs that are blocked using the URL Block Policy that you have configured.
Following image displays a sample output:
None.
The JSON output retrieves a list of IP Addresses that are blocked using the IP Block Policy that you have configured.
Following image displays a sample output:
None.
The JSON output retrieves a list of application names that are blocked using the Application Block Policy that you have configured.
Following image displays a sample output:
The Sample - FortiGate-Firewall - 1.0.0 playbook collection comes bundled with the FortiGate Firewall connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the FortiGate Firewall connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.