FortiGate Firewall v2.0.0

About the connector

FortiGuard security services protect against known and unknown threats, zero-day exploits, malware, and malicious websites. FortiGuard Labs provide continuous threat intelligence, dynamic analysis for detection, and automated mitigation to keep your network protected from advanced cyber attacks.

This document provides information about the FortiGate Firewall connector, which facilitates automated interactions, with a FortiGate Firewall server using FortiSOAR™ playbooks. Add the FortiGate Firewall connector as a step in FortiSOAR™ playbooks and perform automated operations, such as blocking or unblocking IP addresses, URLs, or applications, or retrieving a list of blocked IP addresses, URLs, or applications from the FortiGate Firewall server.

Version information

Connector Version: 2.0.0

FortiSOAR™ Version Tested on: 5.0.0-866

FortiGate Firewall Version Tested on: FortiGate VM64 v6.0.5 build0268 (GA)

Authored By: Fortinet

Certified: Yes

Release Notes for version 2.0.0

Following enhancements have been made to the FortiGate Firewall connector in version 2.0.0:

• Enhanced the Fortigate Firewall connector to support Fortigate Firewall v6.0 series.
• Removed the Validate Configuration Policies operation.
• Added the following configuration parameters: Timeout and VDOM.
• Remove the IP Block Policy from the Configuration parameters and added this parameter as an input parameter to the Block IP Address and Unblock IP Address operations.
• Added VDOM as an optional input parameter to the Get List of Policies operation.
• Updated input parameters for the Block IP Address and Unblock IP Address operations.

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-fortigate-firewall

Prerequisites to configuring the connector

• You must have the IP address or Hostname of the FortiGate Firewall server to which you will connect and perform the automated operations and credentials to access that server.
• To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
• To block or unblock IP addresses, URLs, or applications, you need to add the necessary configuration to FortiGate Firewall. See the Blocking or Unblocking IP addresses, URLs, or applications in FortiGate Firewall section.

Blocking or Unblocking IP addresses, URLs, or applications in FortiGate Firewall

1. Log on to the FortiGate Firewall server with the necessary credentials.

2. To block or unblock an IP address, you must create a policy for IP addresses on the Fortigate Firewall server. Following steps define the process of adding a policy:

   1. In Policy & Objects, click IPv4 Policy to create a policy for IPv4 with following conditions.
      Source = all
      Schedule = always
      Service = ALL
      Action = DENY
      Note: You can create an IPv6 policy in the similar manner.
   2. Enter the policy name in the configuration page. For our example, we have named this as Cybersponse_Blocked_Policy. When you are configuring your FortiGate Firewall connector in FortiSOAR™, you must use the policy name that you have specified in this step as your IP Block Policy configuration parameter.
      
3. To block or unblock a URL, you must create a profile for blocking or unblocking static URLs on the Fortigate Firewall server. Following steps define the process of adding a policy:
   1. In Security Profiles, click Web Filter to create a new profile for blocking or unblocking static urls or use the default profile.
   2. Enter the policy name in the configuration page. For our example, we have named this as default. When you are configuring your FortiGate Firewall connector in FortiSOAR™, you must use the policy name that you have specified in this step as your URL Block Policy configuration parameter.
      

4. To block or unblock an application, you must create a profile for blocking or unblocking applications on the Fortigate Firewall server. Following steps define the process of adding a policy:

   1. In Security Profiles, click Application Control to create a new profile for blocking or unblocking applications or use the default profile.

   2. Enter the policy name in the configuration page. For our example, we have named this as default. When you are configuring your FortiGate Firewall connector in FortiSOAR™, you must use the policy name that you have specified in this step as your Application Block Policy configuration parameter.
      
      As you can see in the above screenshot, for our example we have blocked two applications.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Fortigate Firewall connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter	Description
Hostname	IP address or Hostname of the FortiGate Firewall endpoint server to which you will connect and perform the automated operations.
Port	Port number used for connecting to the FortiGate Firewall server. Defaults to 443.
Username	Username to access the FortiGate Firewall server to which you will connect and perform the automated operations.
Password	Password to access the FortiGate Firewall server to which you will connect and perform the automated operations.
Timeout	Time, in seconds, after which the remote command execution will timeout.
URL Block Policy	Name of the URL Policy that you have specified in FortiGate Firewall for blocking or unblocking IP addresses. Based on our example, enter default in this field. See the Blocking or Unblocking IP addresses, URLs, or applications in FortiGate Firewall section.
Application Block Policy	Name of the Application Policy that you have specified in FortiGate Firewall for blocking or unblocking IP addresses. Based on our example, enter default in this field.See the Blocking or Unblocking IP addresses, URLs, or applications in FortiGate Firewall section.
VDOM	VDOMs, in the CSV or List format, to support operations related to IP addresses.
Verify SSL	Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:

Function	Description	Annotation and Category
Get List of Policies	Retrieves a list and details for all policies that are configured on FortiGate Firewall from the FortiGate Firewall server.	get_policies Investigation
Get Applications Detail	Retrieves a list of all application names and associated details from the FortiGate Firewall server.	get_app_details Investigation
Block URL	Blocks URLs on FortiGate Firewall using the URL Block Policy that you have specified while configuring the FortiGate Firewall connector. See the Configuration parameters section. Note: This operation is only supported on the root VDOM.	block_url Containment
Unblock URL	Unblocks URLs on FortiGate Firewall using the URL Block Policy that you have specified while configuring the FortiGate Firewall connector. See the Configuration parameters section. Note: This operation is only supported on the root VDOM.	unblock_url Remediation
Block IP Address	Blocks IP addresses on FortiGate Firewall using the IP Block Policy that you have specified while configuring the FortiGate Firewall connector. See the Configuration parameters section. Note: This operation is supported on all VDOMs.	block_ip Containment
Unblock IP Address	Unblocks IP addresses on FortiGate Firewall using the IP Block Policy that you have specified while configuring the FortiGate Firewall connector. See the Configuration parameters section. Note: This operation is supported on all VDOMs.	unblock_ip Remediation
Block Application	Blocks applications on FortiGate Firewall using the Application Block Policy that you have specified while configuring the FortiGate Firewall connector. See the Configuration parameters section. Note: This operation is only supported on the root VDOM.	block_app Containment
Unblock Application	Unblocks applications on FortiGate Firewall using the Application Block Policy that you have specified while configuring the FortiGate Firewall connector. See the Configuration parameters section. Note: This operation is only supported on the root VDOM.	unblock_app Remediation
Get Blocked URLs	Retrieves a list of URLs that are blocked on FortiGate Firewall. Note: This operation is only supported on the root VDOM.	get_blocked_url Investigation
Get Blocked IP Addresses	Retrieves a list of IP Addresses that are blocked on FortiGate Firewall. Note: This operation is supported on all VDOMs.	get_blocked_ip Investigation
Get Blocked Applications	Retrieves a list of application names that are blocked on FortiGate Firewall. Note: This operation is only supported on the root VDOM.	get_blocked_app Investigation

operation: Get List of Policies

Input parameters

Parameter	Description
VDOM	(Optional) VDOM on which you want to perform automated operations. Notes: You can specify the VDOM, as a configuration parameter, or you can also specify VDOM here, as an input parameter. You can specify VDOM in the .CSV or the list format. By default, VDOM set to root.

Output

The JSON output retrieves a list and details for all policies that are configured on FortiGate Firewall, from the FortiGate Firewall server.

The output contains the following populated JSON schema:
{
"result": [
{
"build": "",
"status": "",
"http_method": "",
"http_status": "",
"vdom": "",
"version": "",
"name": "",
"results": [
{
"name": "",
"profile-group": "",
"block-notification": "",
"profile-protocol-options": "",
"wanopt-detection": "",
"internet-service-custom": [],
"dstintf": [
{
"name": "",
"q_origin_key": ""
}
],
"natinbound": "",
"policyid": "",
"dnsfilter-profile": "",
"service-negate": "",
"action": "",
"webfilter-profile": "",
"ssl-ssh-profile": "",
"internet-service": "",
"ips-sensor": "",
"send-deny-packet": "",
"outbound": "",
"devices": [],
"q_origin_key": "",
"comments": "",
"poolname": [],
"fixedport": "",
"disclaimer": "",
"wanopt-profile": "",
"uuid": "",
"tcp-mss-sender": "",
"rsso": "",
"groups": [],
"srcaddr": [
{
"name": "",
"q_origin_key": ""
}
],
"srcaddr-negate": "",
"traffic-shaper-reverse": "",
"status": "",
"dstaddr-negate": "",
"url-category": [],
"label": "",
"ntlm": "",
"internet-service-id": [],
"global-label": "",
"timeout-send-rst": "",
"auth-cert": "",
"app-category": [],
"av-profile": "",
"ssl-mirror-intf": [],
"users": [],
"auth-redirect-addr": "",
"scan-botnet-connections": "",
"firewall-session-dirty": "",
"ippool": "",
"custom-log-fields": [],
"fsso-agent-for-ntlm": "",
"waf-profile": "",
"tags": [],
"service": [
{
"name": "",
"q_origin_key": ""
}
],
"tcp-session-without-syn": "",
"dlp-sensor": "",
"schedule": "",
"captive-portal-exempt": "",
"dscp-value": "",
"rtp-addr": [],
"learning-mode": "",
"wanopt-passive-opt": "",
"dscp-negate": "",
"natoutbound": "",
"diffservcode-forward": "",
"logtraffic-start": "",
"natip": "",
"wccp": "",
"per-ip-shaper": "",
"ssl-mirror": "",
"icap-profile": "",
"capture-packet": "",
"srcintf": [
{
"name": "",
"q_origin_key": ""
}
],
"spamfilter-profile": "",
"redirect-url": "",
"permit-stun-host": "",
"inbound": "",
"webcache-https": "",
"diffserv-reverse": "",
"profile-type": "",
"traffic-shaper": "",
"rtp-nat": "",
"fsso": "",
"wsso": "",
"nat": "",
"radius-mac-auth-bypass": "",
"auth-path": "",
"wanopt": "",
"diffservcode-rev": "",
"ntlm-enabled-browsers": [],
"utm-status": "",
"schedule-timeout": "",
"vpntunnel": "",
"vlan-cos-fwd": "",
"dsri": "",
"internet-service-negate": "",
"application": [],
"delay-tcp-npu-session": "",
"wanopt-peer": "",
"dstaddr": [
{
"name": "",
"q_origin_key": ""
}
],
"voip-profile": "",
"ntlm-guest": "",
"session-ttl": 0,
"identity-based-route": "",
"diffserv-forward": "",
"tcp-mss-receiver": "",
"application-list": "",
"vlan-cos-rev": "",
"webcache": "",
"match-vip": "",
"replacemsg-override-group": "",
"permit-any-host": "",
"logtraffic": "",
"dscp-match": ""
}
],
"path": "",
"serial": "",
"revision": ""
}
],
"vdom_not_exist": ""
}

operation: Get Applications Detail

Input parameters

None.

Output

The JSON output retrieves a list of all application names and associated details from the FortiGate Firewall server.

The output contains the following populated JSON schema:
{
"path": "",
"vdom": "",
"name": "",
"http_method": "",
"http_status": "",
"results": [
{
"q_type": "",
"vendor": "",
"q_name": "",
"sub-category": "",
"popularity": "",
"q_class": "",
"protocol": "",
"id": "",
"q_origin_key": "",
"q_path": "",
"weight": "",
"q_mkey_type": "",
"parameter": "",
"q_ref": "",
"name": "",
"q_no_rename": "",
"behavior": "",
"risk": "",
"category": "",
"metadata": [
{
"id": "",
"valueid": "",
"q_origin_key": "",
"metaid": ""
}
],
"technology": "",
"q_static": ""
}
],
"build": "",
"serial": "",
"version": "",
"revision": "",
"status": ""
}

operation: Block URL

Input parameters

Parameter	Description
URL	URL that you want to block on FortiGate Firewall.

Output

The JSON output contains a status message of whether or not the URL is successfully blocked on FortiGate Firewall.

The output contains the following populated JSON schema:
{
"message": "",
"name": "",
"status": ""
}

operation: Unblock URL

Input parameters

Parameter	Description
URL	URL that you want to unblock on FortiGate Firewall.

Output

The JSON output contains a status message of whether or not the URL is successfully unblocked on FortiGate Firewall.

The output contains the following populated JSON schema:
{
"message": "",
"name": "",
"status": ""
}

operation: Block IP Address

Input parameters

Parameter

Description

Block IP Method

Method to be used for blocking IP addresses using FortiGate Firewall. You can choose from Diagnose Base Block or Policy Base Block. If you choose Diagnose Base Block, then you must specify the following parameters: Source IP Type: Source IP Type that you want to block using FortiGate Firewall. You can choose between IPv4 and IPv6. IP Addresses: IP addresses that you want to block using FortiGate Firewall, in the .csv or list format. For example, ["1.1.1.1", "2.2.2.2"] or "1.1.1.1", "2.2.2.2". Time to Live: Time till when the IP addresses will remain in the Block status. You can choose between the following options: 1 Hour, 6 Hour, 12 Hour, 1 Day, 6 Months, 1 Year, or Custom Time. Note: If you select Custom Time then the Time to Live (Seconds) field is displayed in which you must specify the Time to Live in seconds. Source: Source of the IP that you want to block using FortiGate Firewall. You can choose between the following options: ADMIN, DLP, IPS, AV, or DOS. VDOM: (Optional) VDOMs that is used to block IP address. The VDOMs that you specify here will overwrite the VDOM(s) that you have specified as Configuration parameters. You can specify VDOM in the .csv or the list format. If you choose Policy Base Block, then you must specify the following parameters: IP Block Policy: Name of the IP Policy that you have specified in FortiGate Firewall for blocking or unblocking IP addresses. Based on our example, enter Cybersponse_Blocked_Policy in this field. See the Blocking or Unblocking IP addresses, URLs, or applications in FortiGate Firewall section. IP Addresses: IP addresses that you want to block using FortiGate Firewall in the .csv or list format. For example, ["1.1.1.1", "2.2.2.2"] or "1.1.1.1", "2.2.2.2". VDOM: (Optional) VDOMs that is used to block IP address. The VDOMs that you specify here will overwrite the VDOM(s) that you have specified as Configuration parameters. You can specify VDOM in the .csv or the list format.

Output

The JSON output contains a status message of whether or not the IP Address is successfully blocked on FortiGate Firewall.

When you choose “Diagnose Base Block” as the Block IP method, then the output contains the following populated JSON schema:
{
"result": [
{
"command": "",
"output": ""
}
],
"vdom_not_exist": ""
}

When you choose “Policy Base Block” as the Block IP method, then the output contains the following populated JSON schema:
{
"already_blocked": [].
"newly_blocked": [].
"error_with_block": []
}

operation: Unblock IP Address

Input parameters

Parameter

Description

Block IP Method

Method to be used for unblocking IP addresses using FortiGate Firewall. You can choose from Diagnose Base Block or Policy Base Block. If you choose Diagnose Base Block, then you must specify the following parameters: Source IP Type: Source IP Type that you want to unblock using FortiGate Firewall. You can choose between IPv4 and IPv6. IP Addresses: IP addresses that you want to unblock using FortiGate Firewall, in the .csv or list format. For example, ["1.1.1.1", "2.2.2.2"] or "1.1.1.1", "2.2.2.2". VDOM: (Optional) VDOMs that is used to unblock IP addresses. The VDOMs that you specify here will overwrite the VDOM(s) that you have specified as Configuration parameters. You can specify VDOM in the .csv or the list format. If you choose Policy Base Block, then you must specify the following parameters: IP Addresses: IP addresses that you want to unblock using FortiGate Firewall in the .csv or list format. For example, ["1.1.1.1", "2.2.2.2"] or "1.1.1.1", "2.2.2.2". IP Block Policy: Name of the IP Policy that you have specified in FortiGate Firewall for blocking or unblocking IP addresses. Based on our example, enter Cybersponse_Blocked_Policy in this field. See the Blocking or Unblocking IP addresses, URLs, or applications in FortiGate Firewall section. VDOM: (Optional) VDOMs that is used to unblock IP address. The VDOMs that you specify here will overwrite the VDOM(s) that you have specified as Configuration parameters. You can specify VDOM in the .csv or the list format.

Output

The JSON output contains a status message of whether or not the IP Address is successfully unblocked on FortiGate Firewall.

When you choose “Diagnose Base Block” as the Unblock IP method, then the output contains the following populated JSON schema:
{
"result": [
{
"command": "",
"output": ""
}
],
"vdom_not_exist": ""
}

When you choose “Policy Base Block” as the Unblock IP method, then the output contains the following populated JSON schema:
{
"not_exist": [].
"newly_unblocked": [].
"error_with_unblock": []
}

operation: Block Application

Input parameters

Parameter	Description
Application Names	List of application names that you want to block on FortiGate Firewall. Application names must be in the list format if you want to block more than one application. For example, for a list of applications enter ["Application_Name1", "Application_Name2"] in this field. For a single application enter Application_Name.

Output

The JSON output contains a status message of whether or not the application(s) are successfully blocked on FortiGate Firewall.

The output contains the following populated JSON schema:
{
"message": "",
"name": "",
"status": ""
}

operation: Unblock Application

Input parameters

Parameter	Description
Application Names	List of application names that you want to block on FortiGate Firewall. Application names must be in the list format if you want to unblock more than one application. For example, for a list of applications enter ["Application_Name1", "Application_Name2"] in this field. For a single application enter Application_Name.

Output

The JSON output contains a status message of whether or not the application(s) are successfully unblocked on FortiGate Firewall.

The output contains the following populated JSON schema:
{
"message": "",
"name": "",
"status": ""
}

operation: Get Blocked URLs

Input parameters

None.

Output

The JSON output retrieves a list of URLs that are blocked using the URL Block Policy that you have configured.

The output contains the following populated JSON schema:
{
"action": "",
"type": "",
"exempt": "",
"status": "",
"referrer-host": "",
"url": "",
"web-proxy-profile": "",
"id": "",
"q_origin_key": ""
}

operation: Get Blocked IP Addresses

Input parameters

Parameter

Description

Select Block IP Method

Method to be used for retrieving a list of IP Addresses that are blocked on FortiGate Firewall. You can choose from Diagnose Base Block or Policy Base Block. If you choose Diagnose Base Block, then you can specify the following parameter: VDOM: (Optional) VDOMs whose associated list of blocked IP addresses you want to retrieve from FortiGate Firewall. The VDOMs that you specify here will overwrite the VDOM(s) that you have specified as Configuration parameters. You can specify VDOM in the .csv or the list format. If you choose Policy Base Block, then you can specify the following parameters: IP Block Policy: Name of the IP Policy that you have specified in FortiGate Firewall for blocking or unblocking IP addresses and whose associated list of blocked IP addresses you want to retrieve from FortiGate Firewall. Based on our example, enter Cybersponse_Blocked_Policy in this field. See the Blocking or Unblocking IP addresses, URLs, or applications in FortiGate Firewall section. VDOM: (Optional) VDOMs whose associated list of blocked IP addresses you want to retrieve from FortiGate Firewall. The VDOMs that you specify here will overwrite the VDOM(s) that you have specified as Configuration parameters. You can specify VDOM in the .csv or the list format.

Output

The JSON output retrieves a list of IP Addresses that are blocked using the IP Block Policy that you have configured.

When you choose “Diagnose Base Block” as the method to be used for retrieving a list of IP Addresses that are blocked on FortiGate Firewall, then the output contains the following populated JSON schema:
{
"result": [
{
"command": "",
"output": ""
}
],
"vdom_not_exist": ""
}

When you choose “Policy Base Block” as the Block IP method, as the method to be used for retrieving a list of IP Addresses that are blocked on FortiGate Firewall, then the output contains a list of blocked IP addresses.

operation: Get Blocked Applications

Input parameters

None.

Output

The JSON output retrieves a list of application names that are blocked using the Application Block Policy that you have configured.

Following image displays a sample output:

The output contains the following populated JSON schema:
{
"q_type": "",
"vendor": "",
"protocol": "",
"q_name": "",
"sub-category": "",
"popularity": "",
"q_class": "",
"parameter": "",
"q_ref": "",
"category": "",
"q_path": "",
"weight": "",
"q_mkey_type": "",
"id": "",
"name": "",
"q_no_rename": "",
"behavior": "",
"risk": "",
"q_origin_key": "",
"metadata": [],
"technology": "",
"q_static": ""
}

Included playbooks

The Sample - FortiGate-Firewall - 2.0.0 playbook collection comes bundled with the FortiGate Firewall connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the FortiGate Firewall connector.

• Block Application
• Block IP Address
• Block URL
• Get Applications Detail
• Get Blocked Applications
• Get Blocked IP Addresses
• Get Blocked URLs
• Get List of Policies
• Unblock Application
• Unblock IP Address
• Unblock URL

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.