About the connector
FortiOS is the Fortinet's network security operating system. It expands the Security Fabric to provide broad visibility and control, more powerful performance, and more efficient operations to quickly identify and resolve security issues.
This document provides information about the FortiOS connector, which facilitates automated interactions, with a FortiOS server using FortiSOAR™ playbooks. Add the FortiOS connector as a step in FortiSOAR™ playbooks and perform automated operations such as, blocking and unblocking IP addresses, retrieving a list of IP addresses that are blocked on FortiOS, and executing a command on a remote FortiOS server.
Version information
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 4.12.1-253
FortiOS Version Tested on: v5.4.0 and v5.6.0
Authored By: Fortinet
Certified: Yes
Installing the connector
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:
yum install cyops-connector-fortios
For the detailed procedure to install a connector, click here.
Prerequisites to configuring the connector
- You must have the Hostname or the IP address of the FortiOS server to which you will connect and perform the automated operations and the credentials, i.e., the Username-Password pair to access this server.
- You must have the Private Key to be able to perform SSH authentication on the FortiOS server.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
Configuring the connector
For the procedure to configure a connector, click here.
Configuration parameters
In FortiSOAR™, on the Connectors page, select the FortiOS connector row, and in the Configure tab enter the required configuration details.
| Parameter |
Description |
| Hostname/IP Address |
Hostname or IP address of the FortiOS endpoint server to which you will connect and perform the automated operations. |
| Port |
Port number that is used for connecting to the FortiOS server using SSH.
By default, this is set to 22. |
| VDOM |
VDOM that is used to perform automated operations in provided VDOMs.
Notes:
- You can specify the VDOM here, as a configuration parameter, or you can also specify the VDOM as a function parameter.
- You can provide VDOM in the .csv or the list format. |
| Username |
Username to access the FortiOS endpoint server to which you will connect and perform the automated operations. |
| Password |
Password to access the FortiOS endpoint server to which you will connect and perform the automated operations. |
| Private Key |
Private Key used to perform SSH authentication on the FortiOS server. |
| Timeout |
Time, in seconds, after which the execution of the remote command gets timed out. |
Actions supported by the connector
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
| Function |
Description |
Annotation and Category |
| Block IP Address |
Blocks the IP addresses that you have specified on the FortiOS server. |
block_ip
Containment |
| Unblock IP Address |
Unblocks the IP addresses that you have specified from the FortiOS server. |
unblock_ip
Remediation |
| Get list of all blocked IP addresses |
Retrieves a list of all IP addresses that are blocked on the FortiOS server. |
get_blocked_ip
Investigation |
| Purge IP Block List |
Removes all the IP addresses from the IP Block List on the FortiOS server. |
unblock_ip
Remediation |
| Execute Command |
Executes a command on a remote FortiOS server. |
remote_command
Investigation |
operation: Block IP Address
Input parameters
| Parameter |
Description |
| Source IP Type |
Source IP Type that you want to block on the FortiOS server.
You can choose between IPv4 and IPv6. |
| IP Addresses |
IP addresses that you want to block on the FortiOS server, in the .csv or list format.
For example, ["1.1.1.1", "2.2.2.2"] or "1.1.1.1", "2.2.2.2". |
| Time to Live |
Time till when the IP addresses are in the Block status.
You can choose between the following options: 1 Hour, 6 Hour, 12 Hour, 1 Day, 6 Months, 1 Year, or Custom Time.
Note: If you select Custom Time then the Time to Live (Seconds) field is displayed in which you must specify the Time to Live in seconds. |
| Source |
Source of the IP that you want to block on the FortiOS server.
You can choose between the following options: ADMIN, DLP, IPS, AV, or DOS. |
| VDOM |
VDOM that is used to perform automated operations in provided VDOMs.
Notes:
- You can specify the VDOM here, as a configuration parameter, or you can also specify the VDOM as a function parameter.
- You can provide VDOM in the .csv or the list format. |
Output
Output of the block ip address command in the list format.
The output contains the following populated JSON schema:
{
"command": "",
"output": []
}
operation: Unblock IP Address
Input parameters
| Parameter |
Description |
| Source IP Type |
Source IP Type that you want to unblock from the FortiOS server.
You can choose between IPv4 and IPv6. |
| IP Addresses |
IP addresses that you want to unblock from the FortiOS server in the .csv or list format.
For example, ["1.1.1.1", "2.2.2.2"] or "1.1.1.1", "2.2.2.2". |
| VDOM |
VDOM that is used to perform automated operations in provided VDOMs.
Notes:
- You can specify the VDOM here, as a configuration parameter, or you can also specify the VDOM as a function parameter.
- You can provide VDOM in the .csv or the list format. |
Output
Output of the unblock ip address command in the list format.
The output contains the following populated JSON schema:
{
"command": "",
"output": []
}
operation: Get Blocked IP Addresses
Input parameters
| Parameter |
Description |
| VDOM |
VDOM that is used to perform automated operations in provided VDOMs.
Notes:
- You can specify the VDOM here, as a configuration parameter, or you can also specify the VDOM as a function parameter.
- You can provide VDOM in the .csv or the list format. |
Output
Output of the get block ip address command in the list format.
The output contains the following populated JSON schema:
{
"command": "",
"output": []
}
operation: Purge IP Block List
Input parameters
| Parameter |
Description |
| VDOM |
VDOM that is used to perform automated operations in provided VDOMs.
Notes:
- You can specify the VDOM here, as a configuration parameter, or you can also specify the VDOM as a function parameter.
- You can provide VDOM in the .csv or the list format. |
Output
Output of the purge block list command in the list format.
The output contains the following populated JSON schema:
{
"command": "",
"output": []
}
operation: Execute Command
Input parameters
| Parameter |
Description |
| Commands |
Command that you want to execute on the FortiOS console.
You can provide commands in the .csv or the list format. |
Output
Output of the specified command in the list format.
The output contains the following populated JSON schema:
{
"command": "",
"output": []
}
Included playbooks
The Sample - FortiOS - 1.0.0 playbook collection comes bundled with the FortiOS connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the FortiOS connector.
- Block IP Address
- Execute Command
- Get Blocked IP Addresses
- Purge IP Block List
- Unblock IP Address
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
