Fortinet FortiManager provides easy centralized configuration, policy-based provisioning, update management, and end-to-end network monitoring for your Fortinet installed environment.
This document provides information about the Fortinet FortiManager Connector, which facilitates automated interactions with your Fortinet FortiManager server using FortiSOAR™ playbooks. Add the Fortinet FortiManager connector as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving a list of all devices configured on the Fortinet FortiManager server, creating and updating incidents on the Fortinet FortiManager server, and retrieving a list of all incidents from the Fortinet FortiManager server.
You can use FortiSOAR™'s Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Fortinet FortiManager. For more information, see the Data Ingestion Support section.
Connector Version: 2.0.1
FortiSOAR™ Version Tested on: 7.0.2-664
Fortinet FortiManager Version Tested on: FortiManager VM64-KVM v7.0.1 Interim build4653
Authored By: Fortinet
Certified: Yes
The following changes have been made to the Fortinet FortiManager Connector in version 2.0.1:
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-fortinet-fortimanager
Log on to the Fortinet FortiManager server with the necessary credentials.
To block or unblock an IP address, you must create a policy for IP addresses on the Fortinet FortiManager server. The following steps define the process of adding a policy:
1. In Policy & Objects > Policy Packages, click IPv4 Policy or Firewall Policy to create a policy for IPv4 with the following conditions.
2. In Policy & Objects > Object Configuration, click Address Group to create an address group with the following conditions.
The minimum privileges that must be assigned to users who are going to use this connector and run actions on Fortinet FortiManager are:
Admin Profile - Super User
JSON API Access - Read & Write
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Fortinet FortiManager connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details.
Parameter | Description |
---|---|
Hostname | IP address or Hostname of the Fortinet FortiManager endpoint server to which you will connect and perform the automated operations. |
Username | Username to access the Fortinet FortiManager server to which you will connect and perform the automated operations. |
Password | Password to access the Fortinet FortiManager server to which you will connect and perform the automated operations. |
ADOM | Administrative domain names (ADOMs) of the Fortinet FortiManager server to which you will connect and perform the automated operations. Enter the ADOMs in the CSV or List format. |
Port | Port number used to access the Fortinet FortiManager server to which you will connect and perform the automated operations. By default, this is set to 443. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks; from version 4.10.0 onwards, you can also use the annotations to access these operations:
Function | Description | Annotation and Category |
---|---|---|
Create Incident | Creates an incident in Fortinet FortiManager based on the reporter name, endpoint name, and other input parameters you have specified. | create_incident Investigation |
List Incident | Retrieves a list of all incidents or specific incidents from Fortinet FortiManager based on the search parameters you have specified. | get_incidents Investigation |
Get Events Related to Incident | Retrieves details of events associated with a Fortinet FortiManager incident, based on the incident ID and other input parameters you have specified. | get_incident_events Investigation |
Get Device List | Retrieves a list of all devices or specific devices from Fortinet FortiManager based on the search parameters you have specified. Note: If a parameter is left blank or null, then this operation will return devices matching all values. | get_devices Investigation |
Get Events | Retrieves a list of all events or specific events from Fortinet FortiManager based on the search parameters you have specified. Note: If a parameter is left blank or null, then this operation will return events matching all values. | get_alert_event Investigation |
Get Event Details | Retrieves a list of event details (logs) from Fortinet FortiManager based on the alert IDs and other search parameters you have specified. | get_alert_logs Investigation |
Update Incident | Updates an incident in Fortinet FortiManager based on the incident ID and other input parameters you have specified. | create_incident Investigation |
List ADOM Policy Package | Retrieves a list of all ADOM policy packages or specific ADOM policy packages from Fortinet FortiManager based on the search parameters you have specified. | get_adom_policy_package Investigation |
List ADOM IPv4 Policy | Retrieves a list of all ADOM IPv4 policies or specific ADOM IPv4 policies from Fortinet FortiManager based on the search parameters you have specified. | get_adom_policy Investigation |
ADOM Level Get Blocked IP Addresses | Retrieves a list of ADOM level IP Addresses that are blocked on Fortinet FortiGate through Fortinet FortiManager based on the IPv4 policy, address group name, and other input parameters you have specified. | get_blocked_ip Investigation |
ADOM Level Block IP Address | Blocks IP addresses at the ADOM level on Fortinet FortiGate based on the IPv4 policy, address group name, and other input parameters you have specified. | block_ip Containment |
ADOM Level Unblock IP Address | Unblocks IP addresses at the ADOM level on Fortinet FortiGate based on the IPv4 policy, address group name, and other input parameters you have specified. | unblock_ip Remediation |
Re-install Policy | Reinstalls an IPv4 Policy in Fortinet FortiManager based on the ADOM Name and policy package name you have specified. | reinstall_policy Investigation |
List Global Policy Package | Retrieves a list of all policy packages or specific policy packages from Fortinet FortiManager based on the search parameters you have specified. | get_global_policy_package Investigation |
List Global IPv4 Policy | Retrieves a list of all global IPv4 policies or specific IPv4 policies from Fortinet FortiManager based on the search parameters you have specified. | get_global_policy Investigation |
Global Level Get Blocked IP Addresses | Retrieves a list of Global (header/footer policy) level IP Addresses that are blocked on Fortinet FortiGate through Fortinet FortiManager based on the IPv4 policy, address group name, and other input parameters you have specified. | get_blocked_ip Investigation |
Global Level Block IP Address | Blocks IP addresses at the global level on Fortinet FortiGate based on the IPv4 header/footer policy, address group name, and other input parameters you have specified. | block_ip Containment |
Global Level Unblock IP Address | Unblocks IP addresses at the global level on Fortinet FortiGate based on the IPv4 header/footer policy, address group name, and other input parameters you have specified. | unblock_ip Remediation |
Assign Global Policy Package | Assigns a global policy package to ADOM packages in Fortinet FortiManager based on the policy package name, ADOM devices, and other input parameters you have specified. | global_assign_policy Investigation |
Parameter | Description |
---|---|
ADOM | (Optional) The administrative domain name (ADOM) of the Fortinet FortiManager server to which you will connect and perform the automated operations. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter. |
Reporter | Name of the reporter of the incident that you want to create in Fortinet FortiManager. For example, admin. |
Endpoint Name | Details of the endpoint affected by the incident that you want to create in Fortinet FortiAnalyzer. For example, 11.XXX.YY.Z/32 (11.XXX.YY.Z) or 11.XXX.YY.Z/32 (Emp1 Laptop). |
Endpoint ID | (Optional) Endpoint ID that you want to assign to the incident you want to create in Fortinet FortiManager. |
End User ID | (Optional) End-user ID that you want to assign to the incident you want to create in Fortinet FortiManager. |
Category | (Optional) The category you want to assign to the incident you want to create in Fortinet FortiManager. You can choose from the following options: Unauthorized access, Denial of Service, Malicious Code, Improper Usage, Scans/Probes/Attempted Access, or Uncategorized. |
Severity | (Optional) The severity level you want to assign to the incident you want to create in Fortinet FortiManager. You can choose from the following options: High, Medium, or Low. |
Status | (Optional) The status you want to assign to the incident you want to create in Fortinet FortiManager. You can choose from the following options: New, Analysis, Response, Closed: Remediated, or Closed: False Positive. |
Description | (Optional) Description of the new incident that you want to create in Fortinet FortiManager. |
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"incid": ""
}
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
ADOM | The administrative domain name (ADOM) of the Fortinet FortiManager server to which you will connect and perform the automated operations. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter. |
Incident ID | The ID of incidents in CSV or list format that you want to retrieve from Fortinet FortiManager. |
Detail Level | Level of detail of the incidents that you want to retrieve from Fortinet FortiManager. By default, this is set to "Standard". |
Filter | Query in the format field_name="field_value" using which you want to filter the incidents to be retrieved from Fortinet FortiManager. For example: category="CAT2" and severity="medium" |
Sort By | Sorts the incidents by the specified field and orders the results. If you choose "Field", then you can specify the following parameters: |
Limit | The maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000". |
Offset | Index of the first item to return. Values supported are: Default "0" and Minimum "0". |
The output contains the following populated JSON schema:
Output schema when you choose “Detail Level” as 'Basic':
{
"jsonrpc": "",
"id": "",
"result": {
"status": {
"code": "",
"message": ""
},
"detail-level": "",
"data": [
{
"attach_revision": "",
"attach_lastupdate": "",
"lastupdate": "",
"revision": "",
"incid": ""
}
]
}
}
Output schema when you choose “Detail Level” as 'Extended':
{
"result": {
"data": [
{
"endpoint": "",
"euname": "",
"epip": "",
"status": "",
"incid": "",
"attachments": [
{
"lastupdate": "",
"attachid": "",
"revision": ""
}
],
"lastupdate": "",
"osversion": "",
"attach_lastupdate": "",
"euid": "",
"category": "",
"epid": "",
"epname": "",
"revision": "",
"reporter": "",
"createtime": "",
"description": "",
"osname": "",
"mac": "",
"lastuser": "",
"severity": "",
"attach_revision": "",
"refinfo": ""
}
],
"detail-level": "",
"status": {
"message": "",
"code": ""
}
},
"id": "",
"jsonrpc": ""
}
Output schema when you choose “Detail Level” as 'Standard' or you do not select any detail level:
{
"result": {
"data": [
{
"endpoint": "",
"reporter": "",
"createtime": "",
"description": "",
"status": "",
"incid": "",
"severity": "",
"lastuser": "",
"attach_lastupdate": "",
"lastupdate": "",
"euid": "",
"attach_revision": "",
"category": "",
"refinfo": "",
"epid": "",
"revision": ""
}
],
"detail-level": "",
"status": {
"message": "",
"code": ""
}
},
"id": "",
"jsonrpc": ""
}
Parameter | Description |
---|---|
ADOM | (Optional) The administrative domain name (ADOM) of the Fortinet FortiManager server to which you will connect and perform the automated operations. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter. |
Incident ID | The ID of the incident whose associated events you want to retrieve from Fortinet FortiManager. |
Attachment Type | Types of attachment that you want to search for in Fortinet FortiManager. Valid types include: Alert Event, Log, Comment, Log Search Filter, Upload File, or Report. |
Limit | The maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000". |
Offset | Index of the first item to return. Values supported are: Default "0" and Minimum "0". |
The output contains the following populated JSON schema:
{
"result": {
"data": [
{
"attachtype": "",
"lastupdate": "",
"incid": "",
"attachid": "",
"createtime": "",
"data": "",
"lastuser": "",
"revision": ""
}
],
"status": {
"message": "",
"code": ""
}
},
"id": "",
"jsonrpc": ""
}
Parameter | Description |
---|---|
ADOM | (Optional) The administrative domain name (ADOM) of the Fortinet FortiManager server to which you will connect and perform the automated operations. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter. |
Device Name | Valid device name based on which you want to retrieve details of devices from Fortinet FortiManager. Note: If a parameter is left blank or null, then this operation will return devices matching all values. |
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"url": "",
"status": {
"code": "",
"message": ""
},
"data": [
{
"os_ver": "",
"build": "",
"ips_ext": "",
"foslic_inst_time": "",
"mgmt.__data[5]": "",
"lic_region": "",
"latitude": "",
"foslic_ram": "",
"faz.perm": "",
"branch_pt": "",
"ips_ver": "",
"foslic_utm": "",
"source": "",
"foslic_cpu": "",
"mgmt.__data[3]": "",
"mgmt.__data[2]": "",
"ha_mode": "",
"opts": "",
"last_resync": "",
"foslic_last_sync": "",
"conn_status": "",
"mgmt.__data[7]": "",
"patch": "",
"hw_rev_minor": "",
"mgmt.__data[1]": "",
"psk": "",
"checksum": "",
"faz.quota": "",
"ha_group_id": "",
"adm_usr": "",
"ha_group_name": "",
"faz.used": "",
"tunnel_cookie": "",
"conf_status": "",
"mgmt.__data[6]": "",
"last_checked": "",
"version": "",
"mgmt.__data[0]": "",
"ha_slave": "",
"name": "",
"longitude": "",
"platform_str": "",
"foslic_dr_site": "",
"tunnel_ip": "",
"oid": "",
"foslic_type": "",
"prefer_img_ver": "",
"location_from": "",
"vm_cpu_limit": "",
"mgmt_if": "",
"faz.full_act": "",
"av_ver": "",
"fex_cnt": "",
"fsw_cnt": "",
"mgmt.__data[4]": "",
"vm_mem": "",
"sn": "",
"logdisk_size": "",
"lic_flags": "",
"hostname": "",
"vm_mem_limit": "",
"vdom": [
{
"tab_status": "",
"opmode": "",
"name": "",
"devid": "",
"rtm_prof_id": "",
"status": "",
"comments": "",
"oid": "",
"ext_flags": "",
"node_flags": "",
"vpn_id": "",
"flags": ""
}
],
"tab_status": "",
"adm_pass": [],
"mgmt_id": "",
"beta": "",
"dev_status": "",
"os_type": "",
"vm_lic_expire": "",
"mgmt_mode": "",
"hdisk_size": "",
"ip": "",
"vm_status": "",
"db_status": "",
"mr": "",
"module_sn": "",
"hw_rev_major": "",
"flags": "",
"desc": "",
"app_ver": "",
"maxvdom": "",
"vm_cpu": "",
"conn_mode": "",
"node_flags": "",
"fap_cnt": "",
"mgt_vdom": ""
}
]
}
]
}
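The output schemas above come in two shapes: Create Incident, List Incident and the event operations return 'result' as a single object, while Get Device List (and the policy package operations further down) return 'result' as a list of per-URL objects, each carrying its own 'status' and 'data'. The following example, added here and not part of the connector's own code, normalises both shapes so a playbook step can check the status and pull out the records uniformly. It assumes that a status code of 0 means success, which is the FortiManager JSON-RPC convention rather than something this page states; the sample responses are constructed.

```python
"""Normalise the two response shapes shown in this connector's output schemas.

Added example, not the connector's own code. Create Incident, List Incident and the
event operations return 'result' as one object; Get Device List and the policy
package operations return 'result' as a list of per-URL objects, each carrying its
own 'status' and 'data'. A status code of 0 meaning success is the FortiManager
JSON-RPC convention and is assumed here (the page shows the field only as "").
Every sample response below is constructed.
"""
from typing import Any, Dict, List, Tuple


class FortiManagerError(Exception):
    """A result block reported a non-zero status code, or the shape was unexpected."""


def result_blocks(response: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return the result blocks as a list, whichever shape the operation uses."""
    result = response.get("result")
    if result is None:
        raise FortiManagerError("response carries no 'result' member")
    return result if isinstance(result, list) else [result]


def failed_blocks(response: Dict[str, Any]) -> List[Tuple[Any, Any, Any]]:
    """(url, code, message) for every block whose status code is not 0.

    Blocks without a 'status' member (the Get Events schema has none) count as successful.
    """
    failures = []
    for block in result_blocks(response):
        status = block.get("status")
        if status is not None and status.get("code") != 0:
            failures.append((block.get("url"), status.get("code"), status.get("message")))
    return failures


def extract_data(response: Dict[str, Any], strict: bool = True) -> List[Dict[str, Any]]:
    """Flatten the 'data' payload of every successful block into one list of records.

    strict=True raises on the first failing block; strict=False skips failing blocks so a
    multi-URL request still yields the part that succeeded.
    """
    rows: List[Dict[str, Any]] = []
    for block in result_blocks(response):
        status = block.get("status")
        if status is not None and status.get("code") != 0:
            if strict:
                raise FortiManagerError(
                    f"{block.get('url')}: code {status.get('code')}, {status.get('message')}")
            continue
        data = block.get("data")
        if data is None:
            continue
        rows.extend(data if isinstance(data, list) else [data])   # dict for single-object gets
    return rows


def new_incident_id(response: Dict[str, Any]) -> Any:
    """Pull 'incid' out of a Create Incident response, whose result is one object."""
    blocks = result_blocks(response)
    if len(blocks) != 1 or "incid" not in blocks[0]:
        raise FortiManagerError("response does not look like a Create Incident result")
    return blocks[0]["incid"]


# Constructed samples that follow the page's schemas (all field values are invented).
CREATE_INCIDENT_RESPONSE = {"jsonrpc": "2.0", "id": 1, "result": {"incid": 42}}

LIST_INCIDENT_RESPONSE = {
    "jsonrpc": "2.0", "id": 2,
    "result": {"status": {"code": 0, "message": "OK"}, "detail-level": "standard",
               "data": [{"incid": 42, "severity": "medium", "status": "new"}]},
}

DEVICE_LIST_RESPONSE = {
    "id": 3,
    "result": [{
        "url": "/dvmdb/adom/root/device",          # constructed
        "status": {"code": 0, "message": "OK"},
        "data": [{"name": "FGT-EDGE-1", "ip": "192.0.2.10", "conn_status": 1},
                 {"name": "FGT-EDGE-2", "ip": "192.0.2.11", "conn_status": 0}],
    }],
}

FAILED_RESPONSE = {
    "id": 4,
    "result": [{
        "url": "/dvmdb/adom/missing/device",        # constructed
        "status": {"code": -3, "message": "Object does not exist"},
    }],
}

if __name__ == "__main__":
    print("new incident:", new_incident_id(CREATE_INCIDENT_RESPONSE))
    print("devices:", [d["name"] for d in extract_data(DEVICE_LIST_RESPONSE)])
    print("failures:", failed_blocks(FAILED_RESPONSE))
```

In a playbook, calling failed_blocks on every response before using its data turns a silent empty result (for example, a mistyped ADOM name) into a visible step failure instead of a run that "succeeded" with nothing in it.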
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
ADOM | The administrative domain name (ADOM) of the Fortinet FortiManager server to which you will connect and perform the automated operations. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter. |
Filter | Filter expression using which you want to retrieve events from Fortinet FortiManager. The fields 'event_value', 'severity', 'triggername', 'count', 'comment' and 'flags' are supported. For example: triggername='Local Device Event' and severity>=3 or subject='desc:User login from SSH failed' |
Time Range | Select this checkbox to specify the time range for which you want to retrieve events from Fortinet FortiManager. If you select this checkbox, then you must specify the following parameters: |
Limit | The maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000". |
Offset | Index of the first item to return. Values supported are: Default "0" and Minimum "0". |
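The Filter parameter of List Incident (category="CAT2" and severity="medium") and the Filter parameter of Get Events above use the same syntax: a field name, a comparison operator and a value, joined by and/or. The following parser and evaluator for that syntax is an added example, not connector code; it lets a playbook author run a filter string over sample records locally before relying on it, while FortiManager itself applies the filter on the server. It assumes, as the page does not say, that 'and' binds tighter than 'or', that string values compare exactly, and that a numeric literal forces a numeric comparison; the sample incident and event records are constructed.

```python
"""Parse and evaluate the field/operator/value filter syntax accepted by the List
Incident and Get Events operations. Added example, not the connector's code: a client-side
preview of a filter that FortiManager itself applies server-side. Assumed, not stated on
the page: 'and' binds tighter than 'or', strings compare exactly, a numeric literal forces
a numeric comparison. Sample records are constructed."""
import operator
import re

TOKEN_RE = re.compile(r"""\s*(?:
      (?P<op>>=|<=|!=|=|>|<)               # comparison operators, longest first
    | (?P<str>"[^"]*"|'[^']*')             # quoted value, either quote style
    | (?P<num>-?\d+(?:\.\d+)?)             # numeric literal
    | (?P<word>[A-Za-z_][A-Za-z0-9_.]*)    # field name, bare value, and/or
    )""", re.VERBOSE)
OPS = {"=": operator.eq, "!=": operator.ne, ">": operator.gt,
       ">=": operator.ge, "<": operator.lt, "<=": operator.le}


def tokenize(text):
    """Split filter text into (kind, value) tokens: op, value, name or kw."""
    tokens, text, pos = [], text.strip(), 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if m is None:
            raise ValueError(f"cannot tokenize filter near {text[pos:pos + 12]!r}")
        kind, raw = m.lastgroup, m.group(m.lastgroup)
        if kind == "str":
            tokens.append(("value", raw[1:-1]))
        elif kind == "num":
            tokens.append(("value", float(raw) if "." in raw else int(raw)))
        elif kind == "op":
            tokens.append(("op", raw))
        else:   # word: and/or keyword, otherwise a field name or bare value
            tokens.append(("kw", raw.lower()) if raw.lower() in ("and", "or") else ("name", raw))
        pos = m.end()
    return tokens


def _matches(node, record):
    """Evaluate a parsed tree ('and'/'or' pairs, or ('cmp', field, op, value)) on one record."""
    if node[0] in ("or", "and"):
        left, right = _matches(node[1], record), _matches(node[2], record)
        return (left or right) if node[0] == "or" else (left and right)
    _, field, op, expected = node
    actual = record.get(field)
    if actual is None:
        return False                          # an absent field never matches
    try:                                      # numeric literal: compare numerically
        actual = float(actual) if isinstance(expected, (int, float)) else str(actual)
    except (TypeError, ValueError):
        return False
    return OPS[op](actual, expected)


def compile_filter(text):
    """Parse once and return a predicate over records; ValueError on bad syntax.
    Grammar: expr := term ('or' term)* ; term := cond ('and' cond)* ; cond := name op value"""
    tokens, pos = tokenize(text), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else ("eof", None)

    def take(kind=None):
        nonlocal pos
        tok = peek()
        if tok[0] == "eof" or (kind and tok[0] != kind):
            raise ValueError(f"expected {kind or 'a value'}, found {tok}")
        pos += 1
        return tok

    def cond():
        _, field = take("name")
        _, op = take("op")
        kind, value = take()
        if kind not in ("value", "name"):     # a bare word is accepted as a string value
            raise ValueError(f"expected a value after {field} {op}, found {kind}")
        return ("cmp", field, op, value)

    def chain(word, sub):                     # left-associative chain of `sub` joined by `word`
        node = sub()
        while peek() == ("kw", word):
            take()
            node = (word, node, sub())
        return node

    tree = chain("or", lambda: chain("and", cond))   # 'and' binds tighter than 'or'
    if peek()[0] != "eof":
        raise ValueError(f"unexpected trailing token {peek()}")
    return lambda record: _matches(tree, record)


def is_valid_filter(text):
    try:
        compile_filter(text)
        return True
    except ValueError:
        return False


def apply_filter(text, records):
    pred = compile_filter(text)
    return [r for r in records if pred(r)]


# The two filter strings given on this page, and constructed records to run them over.
INCIDENT_FILTER = 'category="CAT2" and severity="medium"'
EVENT_FILTER = ("triggername='Local Device Event' and severity>=3 "
                "or subject='desc:User login from SSH failed'")
SAMPLE_INCIDENTS = [{"incid": 10, "category": "CAT2", "severity": "medium"},
                    {"incid": 11, "category": "CAT2", "severity": "high"},
                    {"incid": 12, "category": "CAT1", "severity": "medium"}]
SAMPLE_EVENTS = [
    {"alertid": 1, "triggername": "Local Device Event", "severity": 4, "subject": "desc:User login from SSH failed"},
    {"alertid": 2, "triggername": "Local Device Event", "severity": 2, "subject": "desc:Configuration changed"},
    {"alertid": 3, "triggername": "IPS Event", "severity": 5, "subject": "desc:Signature match"},
    {"alertid": 4, "triggername": "Other", "severity": 1, "subject": "desc:User login from SSH failed"},
]
```

With the precedence assumed here, the Get Events example matches event 1 (trigger and severity both satisfied) and event 4 (subject alone), but not event 2, whose severity is below 3. compile_filter raises ValueError with the offending token on malformed input, so a playbook can validate an operator-supplied filter before sending the request.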
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"result": {
"data": [
{
"alerttime": "",
"triggername": "",
"devname": "",
"vdom": "",
"filterid": "",
"filterkey": "",
"devtype": "",
"eventtype": "",
"groupby1": "",
"euid": "1",
"subject": "",
"devid": "",
"alertid": "",
"extrainfo": "",
"euname": "",
"epname": "",
"ackflag": "",
"logcount": "",
"filtercksum": "",
"tag": "",
"updatetime": "",
"epid": "1",
"severity": "",
"readflag": "",
"lastlogtime": "",
"firstlogtime": ""
}
]
},
"id": ""
}
Parameter | Description |
---|---|
ADOM | (Optional) The administrative domain name (ADOM) of the Fortinet FortiManager server to which you will connect and perform the automated operations. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter. |
Alert ID | The ID of alerts in CSV or list format whose event details (logs) you want to retrieve from Fortinet FortiManager. Note: You can find the "Alert IDs" using the "Get Events" action. |
Time Order | Select the order in which you want to sort the result. You can choose between Ascending or Descending. By default, this is set to Descending. |
Limit | The maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000". |
Offset | Index of the first item to return. Values supported are: Default "0" and Minimum "0". |
The output contains the following populated JSON schema:
{
"id": "",
"result": {
"data": [
{
"log_id": "",
"devname": "",
"userfrom": "",
"time": "",
"dstepid": "",
"desc": "",
"user": "",
"dtime": "",
"msg": "",
"type": "",
"devid": "",
"dsteuid": "",
"euid": "",
"date": "",
"idseq": "",
"itime_t": "",
"epid": "",
"subtype": "",
"level": "",
"itime": ""
}
]
},
"jsonrpc": ""
}
Parameter | Description |
---|---|
ADOM | (Optional) The administrative domain name (ADOM) of the Fortinet FortiManager server to which you will connect and perform the automated operations. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter. |
Incident ID | The ID of the incident that you want to update in FortiManager. |
Endpoint Name | Details of the endpoint affected by the incident that you want to update in Fortinet FortiAnalyzer. For example, 11.XXX.YY.Z/32 (11.XXX.YY.Z) or 11.XXX.YY.Z/32 (Emp1 Laptop). |
Endpoint ID | (Optional) Endpoint ID that you want to assign to the incident you want to update in Fortinet FortiManager. |
End User ID | (Optional) End-user ID that you want to assign to the incident you want to update in Fortinet FortiManager. |
Category | (Optional) The category you want to assign to the incident you want to update in Fortinet FortiManager. You can choose from the following options: Unauthorized access, Denial of Service, Malicious Code, Improper Usage, Scans/Probes/Attempted Access, or Uncategorized. |
Severity | (Optional) The severity level you want to assign to the incident you want to update in Fortinet FortiManager. You can choose from the following options: High, Medium, or Low. |
Status | (Optional) The status you want to assign to the incident you want to update in Fortinet FortiManager. You can choose from the following options: New, Analysis, Response, Closed: Remediated, or Closed: False Positive. |
Description | (Optional) Description of the incident that you want to update in Fortinet FortiManager. |
Last Revision | (Optional) Last version of the incident that you want to update in Fortinet FortiManager. |
Last User | (Optional) Last user of the incident that you want to update in Fortinet FortiManager. |
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"status": {
"code": "",
"message": ""
}
}
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
ADOM Name | Specify the ADOM name whose policy package you want to retrieve from Fortinet FortiManager. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter. |
Policy Package Name | Select the policy package name whose details you want to retrieve from Fortinet FortiManager. This parameter makes an API call named "list_adom_policy_package" to dynamically populate its dropdown selection. |
Policy Package/Folder Path | Specify the policy package or folder path of the ADOM policy package whose details you want to retrieve from Fortinet FortiManager. |
The output contains the following populated JSON schema:
Output schema when the 'Policy Package Name' is empty
{
"result": [
{
"data": [
{
"type": "",
"package settings": {
"consolidated-firewall-mode": "",
"fwpolicy6-implicit-log": "",
"fwpolicy-implicit-log": "",
"ngfw-mode": "",
"central-nat": ""
},
"oid": "",
"name": "",
"scope member": [
{
"vdom": "",
"name": ""
}
],
"obj ver": ""
}
],
"url": "",
"status": {
"code": "",
"message": ""
}
}
],
"id": ""
}
Default Output schema
{
"id": "",
"result": [
{
"status": {
"code": "",
"message": ""
},
"data": {
"obj ver": "",
"name": "",
"type": "",
"scope member": [
{
"name": "",
"vdom": ""
}
],
"oid": "",
"package settings": {
"ngfw-mode": "",
"consolidated-firewall-mode": "",
"fwpolicy6-implicit-log": "",
"fwpolicy-implicit-log": "",
"central-nat": ""
}
},
"url": ""
}
]
}
Parameter | Description |
---|---|
ADOM Name | (Optional) Specify the ADOM name whose ADOM IPv4 policy you want to retrieve from Fortinet FortiManager. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter. |
Policy Package Name | Select the policy package name whose IPv4 policy details you want to retrieve from Fortinet FortiManager. This parameter makes an API call named "list_adom_policy_package" to dynamically populate its dropdown selection. |
Policy Package/Folder Path | (Optional) Specify the policy package or folder path of the ADOM IPv4 policy whose details you want to retrieve from Fortinet FortiManager. |
IPv4 Policy Name | (Optional) Specify IPv4 policy name whose details you want to retrieve from Fortinet FortiManager. |
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": [
{
"_last_hit": "",
"_byte": "",
"custom-log-fields": [],
"_pkts": "",
"anti-replay": "",
"_first_hit": "",
"webproxy-profile": [],
"delay-tcp-npu-session": "",
"dstaddr-negate": "",
"tcp-mss-receiver": "",
"internet-service": "",
"srcaddr": [],
"traffic-shaper": [],
"vpn_dst_node": "",
"match-vip-only": "",
"_hitcount": "",
"schedule": [],
"fsso-agent-for-ntlm": [],
"permit-any-host": "",
"schedule-timeout": "",
"radius-mac-auth-bypass": "",
"email-collect": "",
"name": "",
"ssl-mirror-intf": [],
"status": "",
"policyid": "",
"vlan-cos-fwd": "",
"vpn_src_node": "",
"nat": "",
"block-notification": "",
"logtraffic-start": "",
"per-ip-shaper": [],
"tos-negate": "",
"traffic-shaper-reverse": [],
"logtraffic": "",
"np-acceleration": "",
"session-ttl": "",
"uuid": "",
"service-negate": "",
"srcaddr-negate": "",
"wccp": "",
"_policy_block": "",
"action": "",
"groups": [],
"fsso": "",
"tos": "",
"internet-service-src": "",
"utm-status": "",
"natip": [],
"capture-packet": "",
"dstaddr": [],
"tcp-mss-sender": "",
"_first_session": "",
"_sesscount": "",
"_global-vpn-tgt": "",
"srcintf": [],
"tcp-session-without-syn": "",
"timeout-send-rst": "",
"ssl-ssh-profile": [],
"fsso-groups": [],
"service": [],
"vlan-cos-rev": "",
"captive-portal-exempt": "",
"users": [],
"app-group": [],
"webcache-https": "",
"geoip-anycast": "",
"diffserv-forward": "",
"profile-type": "",
"rtp-nat": "",
"reputation-direction": "",
"disclaimer": "",
"webproxy-forward-server": [],
"inspection-mode": "",
"obj seq": "",
"auto-asic-offload": "",
"_global-vpn": [],
"ssl-mirror": "",
"dstintf": [],
"_last_session": "",
"match-vip": "",
"diffserv-reverse": "",
"dsri": "",
"tos-mask": "",
"reputation-minimum": "",
"profile-protocol-options": [],
"replacemsg-override-group": []
}
],
"status": {
"message": "",
"code": ""
},
"url": ""
}
]
}
Parameter | Description |
---|---|
ADOM | (Optional) Specify the ADOM name whose associated list of blocked IP addresses you want to retrieve from Fortinet FortiManager. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter. |
Policy Package Name | Select the policy package name whose associated blocked IP addresses you want to retrieve from Fortinet FortiManager. This parameter makes an API call named "list_adom_policy_package" to dynamically populate its dropdown selection. |
Policy Package/Folder Path | (Optional) Specify the policy package or folder path of the ADOM IPv4 policy whose associated blocked IP addresses you want to retrieve from Fortinet FortiManager. |
IPv4 Policy Name | Specify the IPv4 policy name associated with the blocked IP addresses you want to retrieve from Fortinet FortiManager. |
Address Group Name | Name of the IP address group, in the "CSV" or "list" format, that you have specified in Fortinet FortiManager for blocking or unblocking IP addresses. For more information, see the Blocking or Unblocking IP addresses in Fortinet FortiManager section. |
The output contains the following populated JSON schema:
{
"policy_name": "",
"dstaddr": [],
"srcaddr": [],
"addrgrp": [
{
"name": "",
"member": []
}
],
"addrgrp_not_exist": []
}
Parameter | Description |
---|---|
ADOM Name | (Optional) Specify the ADOM name whose associated IP addresses you want to block in the IPv4 policy of Fortinet FortiManager. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter. |
Policy Package Name | Select the policy package name whose associated IP addresses you want to block in the IPv4 policy of Fortinet FortiManager. This parameter makes an API call named "list_adom_policy_package" to dynamically populate its dropdown selection. |
Policy Package/Folder Path | (Optional) Specify the policy package or folder path of the ADOM IPv4 policy whose associated IP addresses you want to block in Fortinet FortiManager. |
IPv4 Policy Name | Name of the IPv4 Policy that you have specified in Fortinet FortiManager for blocking or unblocking IP addresses. |
Address Group Name | Name of the IP address group that you have specified in Fortinet FortiManager for blocking or unblocking IP addresses. For more information, see the Blocking or Unblocking IP addresses in Fortinet FortiManager section. |
IP Address | Specify the IP addresses that you want to block using Fortinet FortiManager in the "CSV" or "list" format. For example, ["1.1.1.1", "2.2.2.2"] or "1.1.1.1", "2.2.2.2". |
The output contains the following populated JSON schema:
{
"already_blocked": [],
"newly_blocked": [],
"error_with_block": []
}
Parameter | Description |
---|---|
ADOM Name | (Optional) Specify the ADOM name whose associated IP addresses you want to unblock in the IPv4 policy of Fortinet FortiManager. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter. |
Policy Package Name | Select the policy package name whose associated IP addresses you want to unblock in the IPv4 policy of Fortinet FortiManager. This parameter makes an API call named "list_adom_policy_package" to dynamically populate its dropdown selection. |
Policy Package/Folder Path | (Optional) Specify the policy package or folder path of the ADOM IPv4 policy whose associated IP addresses you want to unblock in Fortinet FortiManager. |
IPv4 Policy Name | Name of the IPv4 Policy that you have specified in Fortinet FortiManager for blocking or unblocking IP addresses. |
Address Group Name | Name of the IP address group that you have specified in Fortinet FortiManager for blocking or unblocking IP addresses. For more information, see the Blocking or Unblocking IP addresses in Fortinet FortiManager section. |
IP Address | Specify the IP addresses that you want to unblock using Fortinet FortiManager in the "CSV" or "list" format. For example, ["1.1.1.1", "2.2.2.2"] or "1.1.1.1", "2.2.2.2". |
The output contains the following populated JSON schema:
{
"not_exist": [],
"newly_unblocked": [],
"error_with_unblock": []
}
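The ADOM Level Get Blocked IP Addresses, Block IP Address and Unblock IP Address operations above each return a small summary object rather than the raw JSON-RPC response. The following example, added here and not part of the connector, shows the checks a containment playbook would wrap around them: normalising the "CSV" or "list" IP input, refusing addresses that should never be pushed into a block policy (non-IPv4, non-routable and, unless explicitly allowed, RFC 1918 internal ranges), reconciling the already_blocked / newly_blocked / error_with_block (or not_exist / newly_unblocked / error_with_unblock) lists against what was requested so that an address the result never mentions is noticed, and confirming afterwards against the addrgrp members, addrgrp_not_exist and the policy's srcaddr/dstaddr that the block is actually in effect. It assumes, which the page does not state, that the result lists contain the IP strings as submitted, that address group members are named by the address they hold (for example "203.0.113.5" or "203.0.113.5/32"), and that srcaddr and dstaddr hold object names. All sample data is constructed.

```python
"""Pre-flight checks and result reconciliation around the Block / Unblock IP Address
actions and the Get Blocked IP Addresses output. Added example, not connector code.
Assumed, not stated on the page: the result lists hold the IP strings as submitted,
address group members are named by the address they hold ("203.0.113.5" or
"203.0.113.5/32"), and srcaddr/dstaddr list object names. All sample data is constructed."""
import ipaddress

# RFC 1918 ranges: refused unless the caller opts in, so a containment playbook
# cannot push internal hosts into the block policy by mistake.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RESULT_KEYS = {                       # (done, no-op, failed) lists per action, as on this page
    "block": ("newly_blocked", "already_blocked", "error_with_block"),
    "unblock": ("newly_unblocked", "not_exist", "error_with_unblock"),
}


def parse_ip_input(value):
    """Accept the connector's CSV-or-list input and return a de-duplicated list in input order."""
    items = value.split(",") if isinstance(value, str) else list(value)
    seen, out = set(), []
    for item in items:
        s = str(item).strip().strip("\"'")
        if s and s not in seen:
            seen.add(s)
            out.append(s)
    return out


def preflight(ips, allow_private=False):
    """Split candidates into (ok, [(ip, reason), ...]) before calling Block IP Address."""
    ok, rejected = [], []
    for raw in ips:
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            rejected.append((raw, "not a valid IP address"))
            continue
        if addr.version != 4:
            rejected.append((raw, "not IPv4; an IPv4 policy cannot hold it"))
        elif (addr.is_loopback or addr.is_multicast or addr.is_unspecified
              or addr.is_reserved or addr.is_link_local):
            rejected.append((raw, "non-routable address"))
        elif not allow_private and any(addr in net for net in RFC1918):
            rejected.append((raw, "RFC 1918 address; pass allow_private=True to block internal hosts"))
        else:
            ok.append(str(addr))
    return ok, rejected


def reconcile(requested, result, action="block"):
    """Map each requested IP to done / noop / failed, and flag any the result never mentions."""
    done, noop, failed = (set(result.get(k, [])) for k in RESULT_KEYS[action])
    wanted = set(requested)
    return {"done": sorted(wanted & done), "noop": sorted(wanted & noop),
            "failed": sorted(wanted & failed), "unaccounted": sorted(wanted - done - noop - failed)}


def blocked_networks(get_blocked_result):
    """Every address-group member of the Get Blocked IP Addresses output that parses as an address."""
    nets = []
    for grp in get_blocked_result.get("addrgrp", []):
        for member in grp.get("member", []):
            try:
                nets.append(ipaddress.ip_network(member, strict=False))
            except ValueError:
                pass                       # member named after an object or FQDN, not an address
    return nets


def verify_blocked(requested, get_blocked_result):
    """Return (confirmed, missing) for each requested host against the address-group members."""
    nets = blocked_networks(get_blocked_result)
    confirmed, missing = [], []
    for ip in requested:
        addr = ipaddress.ip_address(ip)
        (confirmed if any(addr in n for n in nets) else missing).append(ip)
    return confirmed, missing


def group_problems(get_blocked_result):
    """Groups that cannot be blocking anything: missing ones, and ones the policy never references."""
    referenced = set(get_blocked_result.get("srcaddr", [])) | set(get_blocked_result.get("dstaddr", []))
    unreferenced = [g["name"] for g in get_blocked_result.get("addrgrp", []) if g.get("name") not in referenced]
    return {"not_exist": list(get_blocked_result.get("addrgrp_not_exist", [])), "unreferenced": unreferenced}


# Constructed samples following the page's output schemas.
BLOCK_RESULT = {"already_blocked": ["198.51.100.7"], "newly_blocked": ["203.0.113.5"],
                "error_with_block": ["192.0.2.9"]}
GET_BLOCKED_RESULT = {
    "policy_name": "SOAR-Block-Inbound", "srcaddr": ["SOAR_Blocked"], "dstaddr": ["all"],
    "addrgrp": [{"name": "SOAR_Blocked", "member": ["203.0.113.5/32", "198.51.100.7"]},
                {"name": "Stale_Group", "member": ["192.0.2.50"]}],
    "addrgrp_not_exist": ["Typo_Group"],
}

if __name__ == "__main__":
    ok, rejected = preflight(parse_ip_input('"203.0.113.5", 10.0.0.1, bogus'))
    print(ok, rejected)
    print(reconcile(ok + ["198.51.100.7", "192.0.2.9", "192.0.2.10"], BLOCK_RESULT))
    print(verify_blocked(ok, GET_BLOCKED_RESULT), group_problems(GET_BLOCKED_RESULT))
```

The "unaccounted" list from reconcile and the "missing" list from verify_blocked are the two results worth failing a playbook on: the first means the connector returned without saying what happened to an address, the second means the address is not in the group even though the block step reported success. Re-install Policy is still needed after a block for the change to reach the FortiGate, so run the verification after that step, not before.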
Parameter | Description |
---|---|
ADOM Name | (Optional) Specify the ADOM name to which you want to apply the IPv4 policy in Fortinet FortiManager. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter. |
Policy Package Name | Select the policy package name to which you want to apply the IPv4 policy in Fortinet FortiManager. This parameter makes an API call named "list_adom_policy_package" to dynamically populate its dropdown selection. |
Policy Package/Folder Path | (Optional) Specify the policy package or folder path to apply the IPv4 policy in Fortinet FortiManager. |
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": {
"task": ""
},
"status": {
"message": "",
"code": ""
},
"url": ""
}
]
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Package Name | Specify the name of the global policy package from which you want to retrieve package details. |
Policy Package/Folder Path | Specify the policy package or folder path from which you want to retrieve package details. |
The output contains the following populated JSON schema:
Output schema when the 'Policy Package Name' is empty
{
"result": [
{
"url": "",
"data": [
{
"type": "",
"package settings": {
"ngfw-mode": "",
"central-nat": "",
"consolidated-firewall-mode": "",
"fwpolicy-implicit-log": "",
"fwpolicy6-implicit-log": ""
},
"scope member": [
{
"name": ""
}
],
"obj ver": "",
"name": "",
"oid": ""
}
],
"status": {
"message": "",
"code": ""
}
}
],
"id": ""
}
Default Output schema
{
"result": [
{
"url": "",
"data": {
"type": "",
"package settings": {
"ngfw-mode": "",
"central-nat": "",
"consolidated-firewall-mode": "",
"fwpolicy-implicit-log": "",
"fwpolicy6-implicit-log": ""
},
"scope member": [
{
"name": ""
}
],
"obj ver": "",
"name": "",
"oid": ""
},
"status": {
"message": "",
"code": ""
}
}
],
"id": ""
}
Parameter | Description |
---|---|
Policy Package Name | Specify the name of the global IPv4 policy package from which you want to retrieve package details. This parameter makes an API call named "list_global_policy_pck" to dynamically populate its dropdown selections. |
Policy Package/Folder Path | (Optional) Specify the policy package or folder path from which you want to retrieve package details. |
Policy Type | Select the policy type from which you want to retrieve IPv4 policy details. |
Policy Name | (Optional) Specify the name of the global IPv4 policy whose details you want to retrieve from Fortinet FortiManager. |
The output contains the following populated JSON schema:
{
"result": [
{
"url": "",
"data": [
{
"ssl-ssh-profile": [],
"_pkts": "",
"disclaimer": "",
"diffserv-reverse": "",
"replacemsg-override-group": [],
"dstaddr": [],
"per-ip-shaper": [],
"vlan-cos-rev": "",
"schedule": [],
"wccp": "",
"_byte": "",
"status": "",
"groups": [],
"block-notification": "",
"_global-vpn": [],
"webcache-https": "",
"obj seq": "",
"utm-status": "",
"webproxy-profile": [],
"tcp-mss-receiver": "",
"tos-negate": "",
"profile-type": "",
"reputation-minimum": "",
"timeout-send-rst": "",
"policyid": "",
"dstaddr-negate": "",
"traffic-shaper": [],
"profile-protocol-options": [],
"internet-service": "",
"reputation-direction": "",
"natip": [],
"session-ttl": "",
"vlan-cos-fwd": "",
"delay-tcp-npu-session": "",
"webproxy-forward-server": [],
"email-collect": "",
"np-acceleration": "",
"fsso-agent-for-ntlm": [],
"identity-based-policy": "",
"name": "",
"tos": "",
"_first_session": "",
"uuid": "",
"_sesscount": "",
"match-vip": "",
"logtraffic": "",
"schedule-timeout": "",
"traffic-shaper-reverse": [],
"tos-mask": "",
"permit-any-host": "",
"anti-replay": "",
"capture-packet": "",
"ssl-mirror-intf": [],
"srcaddr": [],
"service": [],
"internet-service-src": "",
"dstintf": [],
"_last_hit": "",
"_hitcount": "",
"_first_hit": "",
"gtp-profile": [],
"radius-mac-auth-bypass": "",
"diffserv-forward": "",
"geoip-anycast": "",
"tcp-mss-sender": "",
"app-group": [],
"rtp-nat": "",
"inspection-mode": "",
"tcp-session-without-syn": "",
"logtraffic-start": "",
"auto-asic-offload": "",
"action": "",
"fsso-groups": [],
"fsso": "",
"_global-vpn-tgt": "",
"captive-portal-exempt": "",
"users": [],
"custom-log-fields": [],
"dsri": "",
"srcintf": [],
"nat": "",
"service-negate": "",
"match-vip-only": "",
"ssl-mirror": "",
"_last_session": "",
"srcaddr-negate": ""
}
],
"status": {
"message": "",
"code": ""
}
}
],
"id": ""
}
Parameter | Description |
---|---|
Policy Package Name | Specify the name of the global policy package whose associated blocked IP addresses you want to retrieve from Fortinet FortiManager. This parameter makes an API call named "list_global_policy_pck" to dynamically populate its dropdown selections. |
Policy Package/Folder Path | (Optional) Specify the policy package or folder path of the global IPv4 policy whose associated blocked IP addresses you want to retrieve from Fortinet FortiManager. |
Policy Type | Select the policy type (header or footer policy) based on which you want to retrieve blocked IP addresses from Fortinet FortiManager. |
IPv4 Policy Name | Specify the IPv4 policy name associated with the blocked IP addresses you want to retrieve from Fortinet FortiManager. |
Address Group Name | Name of the IP address group, in CSV or list format, that you have created in Fortinet FortiManager for blocking or unblocking IP addresses. For more information, see the Blocking or Unblocking IP addresses in Fortinet FortiManager section. |
The output contains the following populated JSON schema:
{
"policy_name": "",
"dstaddr": [],
"srcaddr": [],
"addrgrp": [
{
"name": "",
"member": []
}
],
"addrgrp_not_exist": []
}
Parameter | Description |
---|---|
Policy Package Name | Select the policy package whose associated IP addresses you want to block in the global IPv4 policy of Fortinet FortiManager. This parameter makes an API call named "list_global_policy_pck" to dynamically populate its dropdown selections. |
Policy Package/Folder Path | (Optional) Specify the policy package or folder path of the global IPv4 policy whose associated IP addresses you want to block in Fortinet FortiManager. |
Policy Type | Select the policy type (header or footer policy) whose IP addresses you want to block in Fortinet FortiManager. |
IPv4 Policy Name | Name of the IPv4 policy that you have created in Fortinet FortiManager for blocking or unblocking IP addresses. |
Address Group Name | Name of the IP address group that you have created in Fortinet FortiManager for blocking or unblocking IP addresses. For more information, see the Blocking or Unblocking IP addresses in Fortinet FortiManager section. |
IP Address | IP addresses that you want to block using Fortinet FortiManager, in CSV or list format. For example, ["1.1.1.1", "2.2.2.2"] or "1.1.1.1", "2.2.2.2". |
The output contains the following populated JSON schema:
{
"already_blocked": [],
"newly_blocked": [],
"error_with_block": []
}
Parameter | Description |
---|---|
Policy Package Name | Select the policy package whose associated IP addresses you want to unblock in the global IPv4 policy of Fortinet FortiManager. This parameter makes an API call named "list_global_policy_pck" to dynamically populate its dropdown selections. |
Policy Package/Folder Path | (Optional) Specify the policy package or folder path of the global IPv4 policy whose associated IP addresses you want to unblock in Fortinet FortiManager. |
Policy Type | Select the policy type (header or footer policy) whose IP addresses you want to unblock in Fortinet FortiManager. |
IPv4 Policy Name | Name of the IPv4 policy that you have created in Fortinet FortiManager for blocking or unblocking IP addresses. |
Address Group Name | Name of the IP address group that you have created in Fortinet FortiManager for blocking or unblocking IP addresses. For more information, see the Blocking or Unblocking IP addresses in Fortinet FortiManager section. |
IP Address | IP addresses that you want to unblock using Fortinet FortiManager, in CSV or list format. For example, ["1.1.1.1", "2.2.2.2"] or "1.1.1.1", "2.2.2.2". |
The output contains the following populated JSON schema:
{
"not_exist": [],
"newly_unblocked": [],
"error_with_unblock": []
}
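The Global Level Block IP Address and Global Level Unblock IP Address operations above (and their ADOM-level counterparts, which differ only in the object scope) work by keeping the address group that your blocking policy references in sync with the IP list you pass in. The following is an added Python example, not the connector's own code, that shows the same workflow against FortiManager's JSON-RPC API and how the already_blocked / newly_blocked / error_with_block and not_exist / newly_unblocked / error_with_unblock buckets fall out of it. The /pm/config/... URLs and the -2 "object already exists" status code follow the FortiManager API as I know it and should be checked against your version's API reference; the session handling is omitted, and the FakeFortiManager class with its group and IP values is constructed for the example.

```python
import ipaddress
import json

OK = 0               # JSON-RPC status code for success
ALREADY_EXISTS = -2  # assumption: FortiManager's "Object already exists" code

def parse_ip_list(value):
    """Accept the "CSV" or "list" input forms the connector documents, e.g.
    ["1.1.1.1", "2.2.2.2"] or "1.1.1.1", "2.2.2.2"; return validated IPv4
    host addresses and raise on anything else instead of passing it to the API."""
    if isinstance(value, str) and value.lstrip().startswith("["):
        value = json.loads(value)                  # a list that arrived as JSON text
    items = value if isinstance(value, (list, tuple)) else str(value).split(",")
    ips = []
    for raw in items:
        text = str(raw).strip().strip("\"'").strip()
        if text:
            addr = ipaddress.ip_address(text)      # ValueError if it is not an IP
            if addr.version != 4:
                raise ValueError(f"IPv4 policy only: {text}")
            ips.append(str(addr))
    return ips

def rpc(method, url, data=None, rid=1):
    """One FortiManager JSON-RPC request; the session token is omitted here."""
    params = {"url": url, **({"data": data} if data is not None else {})}
    return {"id": rid, "method": method, "params": [params]}

def addrgrp_url(scope, group):
    """scope is "global" (header/footer policy objects) or "adom/<ADOM name>"."""
    return f"/pm/config/{scope}/obj/firewall/addrgrp/{group}"

def _status(res):
    return res["result"][0]["status"]

def _members(send, scope, group):
    res = send(rpc("get", addrgrp_url(scope, group)))
    if _status(res)["code"] != OK:
        raise RuntimeError(f"{group}: {_status(res)['message']}")
    # member is returned as plain names or as {"name": ...} entries depending on version
    return [m["name"] if isinstance(m, dict) else m
            for m in res["result"][0]["data"].get("member", [])]

def _apply(send, scope, group, members, out, key, err_key):
    """Write the new member list; on failure move this run's IPs to the error bucket."""
    if out[key]:
        upd = send(rpc("update", addrgrp_url(scope, group), {"member": members}))
        if _status(upd)["code"] != OK:
            out[err_key], out[key] = out[err_key] + out[key], []
    return out

def block_ips(send, scope, group, ip_input):
    """Create a /32 address object per IP and add it to the address group that
    the blocking policy references; returns the connector-style buckets."""
    members = _members(send, scope, group)
    out = {"already_blocked": [], "newly_blocked": [], "error_with_block": []}
    for ip in parse_ip_list(ip_input):
        if ip in members:
            out["already_blocked"].append(ip)
            continue
        obj = {"name": ip, "type": "ipmask", "subnet": [ip, "255.255.255.255"]}
        code = _status(send(rpc("add", f"/pm/config/{scope}/obj/firewall/address", obj)))["code"]
        if code in (OK, ALREADY_EXISTS):           # an object that already exists is reused
            members.append(ip)
            out["newly_blocked"].append(ip)
        else:
            out["error_with_block"].append(ip)
    return _apply(send, scope, group, members, out, "newly_blocked", "error_with_block")

def unblock_ips(send, scope, group, ip_input):
    """Remove the IPs from the group; the address objects themselves are kept."""
    members = _members(send, scope, group)
    out = {"not_exist": [], "newly_unblocked": [], "error_with_unblock": []}
    for ip in parse_ip_list(ip_input):
        if ip in members:
            members.remove(ip)
            out["newly_unblocked"].append(ip)
        else:
            out["not_exist"].append(ip)
    return _apply(send, scope, group, members, out, "newly_unblocked", "error_with_unblock")

class FakeFortiManager:
    """Constructed in-memory stand-in for the JSON-RPC endpoint (test data only)."""
    def __init__(self, groups):
        self.groups = {g: list(m) for g, m in groups.items()}
        self.addresses = {m for ms in self.groups.values() for m in ms}

    def __call__(self, req):
        p = req["params"][0]
        name = p["url"].rsplit("/", 1)[-1]
        def reply(code, data=None, msg="OK"):
            return {"id": req["id"], "result": [{"url": p["url"], "data": data,
                                                 "status": {"code": code, "message": msg}}]}
        if req["method"] == "get":
            if name not in self.groups:
                return reply(-3, msg="Object does not exist")
            return reply(OK, {"name": name, "member": list(self.groups[name])})
        if req["method"] == "add":
            if p["data"]["name"] in self.addresses:
                return reply(ALREADY_EXISTS, msg="Object already exists")
            self.addresses.add(p["data"]["name"])
            return reply(OK)
        if req["method"] == "update":
            self.groups[name] = list(p["data"]["member"])
            return reply(OK)
        return reply(-1, msg="unsupported method")
```

The send callable is the only transport dependency, so the same functions run against a real endpoint (a function that POSTs the request to https://<hostname>/jsonrpc with a session token over a verified TLS connection) or against the in-memory fake. A change to the address group only reaches the FortiGate once the policy package is installed again, which is what the Re-install Policy operation is for; until then the IP is blocked in the FortiManager database, not on the firewall.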
Parameter | Description |
---|---|
Policy Package Name | Select the policy package that you want to assign to ADOM devices in the global IPv4 policy of Fortinet FortiManager. This parameter makes an API call named "list_global_policy_pck" to dynamically populate its dropdown selections. |
Policy Package/Folder Path | Specify the policy package or folder path of the global policy package that you want to assign to ADOM devices in Fortinet FortiManager. |
ADOM Devices | Specify one or more destination ADOMs to which you want to assign the selected global policy package. This parameter makes an API call named "list_global_adom" to dynamically populate its dropdown selections. |
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": {
"task": ""
},
"status": {
"message": "",
"code": ""
},
"url": ""
}
]
}
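Re-install Policy and Assign Global Policy Package both return a task ID rather than a result: the install runs asynchronously on FortiManager and can still fail for individual devices after the connector step itself has succeeded. The following added Python example, not part of the connector, polls such a task through the JSON-RPC API and distinguishes a task that has finished from one in which every device succeeded. The /task/task/<id> URL, the state codes and the num_err/line fields are taken from the FortiManager task API as I know it and should be verified against your release; FakeTaskServer and its snapshots are constructed for the example.

```python
import time

# Task states as I know them from the FortiManager task API (assumption; check
# your version's API reference): 3 cancelled, 4 done, 5 error, 7 aborted, 8 warning
TASK_DONE = 4
TERMINAL_STATES = {3, 4, 5, 7, 8}

def task_request(task_id, rid=1):
    """JSON-RPC request that reads one task record; the session token is omitted."""
    return {"id": rid, "method": "get", "params": [{"url": f"/task/task/{int(task_id)}"}]}

def wait_for_task(send, task_id, timeout=300, interval=5, sleep=time.sleep, clock=time.monotonic):
    """Poll the task until it reaches a terminal state; raise TimeoutError if it
    does not within `timeout` seconds. The result separates "the task finished"
    from "every device in it succeeded", which is what a containment playbook needs."""
    deadline = clock() + timeout
    rid = 1
    while True:
        res = send(task_request(task_id, rid))
        rid += 1
        status = res["result"][0]["status"]
        if status["code"] != 0:
            raise RuntimeError(f"task {task_id}: {status['message']}")
        task = res["result"][0]["data"]
        if task.get("state") in TERMINAL_STATES:
            # each line is one device/package step; a non-zero err marks a failed one
            failed = [ln.get("name") for ln in task.get("line", []) if ln.get("err", 0) != 0]
            return {
                "task": task_id,
                "success": task.get("state") == TASK_DONE
                           and task.get("num_err", 0) == 0 and not failed,
                "state": task.get("state"),
                "num_done": task.get("num_done"),
                "num_err": task.get("num_err"),
                "failed_devices": failed,
            }
        if clock() >= deadline:
            raise TimeoutError(f"task {task_id} still at {task.get('percent')}% after {timeout}s")
        sleep(interval)

class FakeTaskServer:
    """Constructed stand-in for the JSON-RPC endpoint: each poll returns the next
    snapshot and the last one repeats (test data, not real FortiManager output)."""
    def __init__(self, snapshots):
        self.snapshots = list(snapshots)
        self.calls = 0

    def __call__(self, req):
        snap = self.snapshots[min(self.calls, len(self.snapshots) - 1)]
        self.calls += 1
        return {"id": req["id"], "result": [{"url": req["params"][0]["url"],
                                             "status": {"code": 0, "message": "OK"},
                                             "data": snap}]}
```

Feed the "task" value from the operation's output into wait_for_task and branch the playbook on "success" and "failed_devices" rather than on the connector step having returned; a block that never reached one of the FortiGates is a false sense of containment.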
The Sample - Fortinet Fortimanager - 2.0.1 playbook collection comes bundled with the Fortinet FortiManager connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiManager connector.
Note: If you plan to use any of the sample playbooks in your environment, clone them and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Fortinet FortiManager. Currently, "incidents" in Fortinet FortiManager are mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.
You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming Fortinet FortiManager "Incidents" to FortiSOAR™ "Alerts".
The Data Ingestion Wizard enables you to configure scheduled pulling of data from Fortinet FortiManager into FortiSOAR™. It also lets you pull some sample data from Fortinet FortiManager using which you can define the mapping of data between Fortinet FortiManager and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the Fortinet FortiManager incident.
On the Field Mapping screen, map the fields of a Fortinet FortiManager incident to the fields of an alert present in FortiSOAR™.
To map a field, click the key in the sample data to add the "jinja" value of the field. For example, to map the status parameter of a Fortinet FortiManager incident to the state parameter of a FortiSOAR™ alert, click the State field and then click the status field to populate its keys.
For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed mapping the fields, click Save Mapping & Continue.
Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to Fortinet FortiManager, so that the content gets pulled from the Fortinet FortiManager integration into FortiSOAR™.
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the "Configure Schedule Settings" section, specify the Cron expression for the schedule. For example, if you want to pull data from Fortinet FortiManager every 5 minutes, click Every X Minute, and in the minute box enter */5. With this configuration, incidents are pulled from Fortinet FortiManager every 5 minutes.
Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
The minimum privileges that must be assigned to users who will use this connector and run actions on Fortinet FortiManager are:
Admin Profile - Super User
JSON API Access - Read & Write
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Fortinet FortiManager connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details.
Parameter | Description |
---|---|
Hostname | IP address or Hostname of the Fortinet FortiManager endpoint server to which you will connect and perform the automated operations. |
Username | Username to access the Fortinet FortiManager server to which you will connect and perform the automated operations. |
Password | Password to access the Fortinet FortiManager server to which you will connect and perform the automated operations. |
ADOM | Administrative domain names (ADOMs) of the Fortinet FortiManager server to which you will connect and perform the automated operations. Enter the ADOMs, in the CSV or List format. |
Port | Port number used to access the Fortinet FortiManager server to which you will connect and perform the automated operations. By default, this is set to 443. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set to True; leave it enabled so that the connector does not send the FortiManager credentials to an endpoint whose certificate it has not verified. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from version 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Create Incident | Creates an incident in Fortinet FortiManager based on the reporter name, endpoint name, and other input parameters you have specified. | create_incident Investigation |
List Incident | Retrieves a list of all incidents or specific incidents from Fortinet FortiManager based on the search parameters you have specified. | get_incidents Investigation |
Get Events Related to Incident | Retrieves details of events associated with a Fortinet FortiManager incident, based on the incident ID and other input parameters you have specified. | get_incident_events Investigation |
Get Device List | Retrieves a list of all devices or specific devices from Fortinet FortiManager based on the search parameters you have specified. Note: If a parameter is left blank or null, then this operation will return devices matching all values. | get_devices Investigation |
Get Events | Retrieves a list of all events or specific events from Fortinet FortiManager based on the search parameters you have specified. Note: If a parameter is left blank or null, then this operation will return events matching all values. | get_alert_event Investigation |
Get Event Details | Retrieves a list of event details (logs) from Fortinet FortiManager based on the alert IDs and other search parameters you have specified. | get_alert_logs Investigation |
Update Incident | Update an incident in Fortinet FortiManager based on the incident ID and other input parameters you have specified. | create_incident Investigation |
List ADOM Policy Package | Retrieves a list of all ADOM policy packages or specific ADOM policy packages from Fortinet FortiManager based on the search parameters you have specified. | get_adom_policy_package Investigation |
List ADOM IPv4 Policy | Retrieves a list of all ADOM IPv4 policies or specific ADOM IPv4 policies from Fortinet FortiManager based on the search parameters you have specified. | get_adom_policy Investigation |
ADOM Level Get Blocked IP Addresses | Retrieves a list of ADOM level IP Addresses that are blocked on Fortinet FortiGate through Fortinet FortiManager based on the IPv4 policy, address group name, and other input parameters you have specified. | get_blocked_ip Investigation |
ADOM Level Block IP Address | Blocks IP addresses at the ADOM level on Fortinet FortiGate based on the IPv4 policy, address group name, and other input parameters you have specified. | block_ip Containment |
ADOM Level Unblock IP Address | Unblocks IP addresses at the ADOM level on Fortinet FortiGate based on the IPv4 policy, address group name, and other input parameters you have specified. | unblock_ip Remediation |
Re-install Policy | Reinstalls an IPv4 Policy in Fortinet FortiManager based on the ADOM Name and policy package name you have specified. | reinstall_policy Investigation |
List Global Policy Package | Retrieves a list of all policy packages or specific policy packages from Fortinet FortiManager based on the search parameters you have specified. | get_global_policy_package Investigation |
List Global IPv4 Policy | Retrieves a list of all global IPv4 policies or specific IPv4 policies from Fortinet FortiManager based on the search parameters you have specified. | get_global_policy Investigation |
Global Level Get Blocked IP Addresses | Retrieves a list of Global (header/footer policy) level IP Addresses that are blocked on Fortinet FortiGate through Fortinet FortiManager based on the IPv4 policy, address group name, and other input parameters you have specified. | get_blocked_ip Investigation |
Global Level Block IP Address | Blocks IP addresses at the global level on Fortinet FortiGate based on the IPv4 header/footer policy, address group name, and other input parameters you have specified. | block_ip Containment |
Global Level Unblock IP Address | Unblocks IP addresses at the global level on Fortinet FortiGate based on the IPv4 header/footer policy, address group name, and other input parameters you have specified. | unblock_ip Remediation |
Assign Global Policy Package | Assigns a global policy package to ADOM packages in Fortinet FortiManager based on the policy package name, ADOM devices, and other input parameters you have specified. | global_assign_policy Investigation |
Parameter | Description |
---|---|
ADOM | (Optional) The administrative domain name (ADOM) of the Fortinet FortiManager server to which you will connect and perform the automated operations. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter. |
Reporter | Name of the reporter of the incident that you want to create in Fortinet FortiManager. For example, admin. |
Endpoint Name | Details of the endpoint affected by the incident that you want to create in Fortinet FortiManager. For example, 11.XXX.YY.Z/32 (11.XXX.YY.Z) or 11.XXX.YY.Z/32 (Emp1 Laptop). |
Endpoint ID | (Optional) Endpoint ID that you want to assign to the incident you want to create in Fortinet FortiManager. |
End User ID | (Optional) End-user ID that you want to assign to the incident you want to create in Fortinet FortiManager. |
Category | (Optional) The category you want to assign to the incident you want to create in Fortinet FortiManager. You can choose from the following options: Unauthorized access, Denial of Service, Malicious Code, Improper Usage, Scans/Probes/Attempted Access, or Uncategorized. |
Severity | (Optional) The severity level you want to assign to the incident you want to create in Fortinet FortiManager. You can choose from the following options: High, Medium, or Low. |
Status | (Optional) The status you want to assign to the incident you want to create in Fortinet FortiManager. You can choose from the following options: New, Analysis, Response, Closed: Remediated, or Closed: False Positive. |
Description | (Optional) Description of the new incident that you want to create in Fortinet FortiManager. |
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"incid": ""
}
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
ADOM | The administrative domain name (ADOM) of the Fortinet FortiManager server to which you will connect and perform the automated operations. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter. |
Incident ID | The ID of incidents in CSV or list format that you want to retrieve from Fortinet FortiManager. |
Detail Level | Level of detail of the incidents that you want to retrieve from Fortinet FortiManager. By default, this is set to "Standard". |
Filter | Query in the format field_name="field_value" using which you want to filter the incidents retrieved from Fortinet FortiManager. For example, category="CAT2" and severity="medium". |
Sort By | Sorts the incidents by the specified field and orders the results. If you choose "Field", then you can specify the following parameters: |
Limit | The maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000". |
Offset | Index of the first item to return. Values supported are: Default "0" and Minimum "0". |
The output contains the following populated JSON schema:
Output schema when you choose “Detail Level” as 'Basic':
{
"jsonrpc": "",
"id": "",
"result": {
"status": {
"code": "",
"message": ""
},
"detail-level": "",
"data": [
{
"attach_revision": "",
"attach_lastupdate": "",
"lastupdate": "",
"revision": "",
"incid": ""
}
]
}
}
Output schema when you choose “Detail Level” as 'Extended':
{
"result": {
"data": [
{
"endpoint": "",
"euname": "",
"epip": "",
"status": "",
"incid": "",
"attachments": [
{
"lastupdate": "",
"attachid": "",
"revision": ""
}
],
"lastupdate": "",
"osversion": "",
"attach_lastupdate": "",
"euid": "",
"category": "",
"epid": "",
"epname": "",
"revision": "",
"reporter": "",
"createtime": "",
"description": "",
"osname": "",
"mac": "",
"lastuser": "",
"severity": "",
"attach_revision": "",
"refinfo": ""
}
],
"detail-level": "",
"status": {
"message": "",
"code": ""
}
},
"id": "",
"jsonrpc": ""
}
Output schema when you choose “Detail Level” as 'Standard' or you do not select any detail level:
{
"result": {
"data": [
{
"endpoint": "",
"reporter": "",
"createtime": "",
"description": "",
"status": "",
"incid": "",
"severity": "",
"lastuser": "",
"attach_lastupdate": "",
"lastupdate": "",
"euid": "",
"attach_revision": "",
"category": "",
"refinfo": "",
"epid": "",
"revision": ""
}
],
"detail-level": "",
"status": {
"message": "",
"code": ""
}
},
"id": "",
"jsonrpc": ""
}
Parameter | Description |
---|---|
ADOM | (Optional) The administrative domain name (ADOM) of the Fortinet FortiManager server to which you will connect and perform the automated operations. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter. |
Incident ID | The ID of the incident whose associated events you want to retrieve from Fortinet FortiManager. |
Attachment Type | Types of attachment that you want to search for in Fortinet FortiManager. Valid types include: Alert Event, Log, Comment, Log Search Filter, Upload File, or Report. |
Limit | The maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000". |
Offset | Index of the first item to return. Values supported are: Default "0" and Minimum "0". |
The output contains the following populated JSON schema:
{
"result": {
"data": [
{
"attachtype": "",
"lastupdate": "",
"incid": "",
"attachid": "",
"createtime": "",
"data": "",
"lastuser": "",
"revision": ""
}
],
"status": {
"message": "",
"code": ""
}
},
"id": "",
"jsonrpc": ""
}
Parameter | Description |
---|---|
ADOM | (Optional) The administrative domain name (ADOM) of the Fortinet FortiManager server to which you will connect and perform the automated operations. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter. |
Device Name | Valid device name based on which you want to retrieve details of devices from Fortinet FortiManager. Note: If a parameter is left blank or null, then this operation will return devices matching all values. |
The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"url": "",
"status": {
"code": "",
"message": ""
},
"data": [
{
"os_ver": "",
"build": "",
"ips_ext": "",
"foslic_inst_time": "",
"mgmt.__data[5]": "",
"lic_region": "",
"latitude": "",
"foslic_ram": "",
"faz.perm": "",
"branch_pt": "",
"ips_ver": "",
"foslic_utm": "",
"source": "",
"foslic_cpu": "",
"mgmt.__data[3]": "",
"mgmt.__data[2]": "",
"ha_mode": "",
"opts": "",
"last_resync": "",
"foslic_last_sync": "",
"conn_status": "",
"mgmt.__data[7]": "",
"patch": "",
"hw_rev_minor": "",
"mgmt.__data[1]": "",
"psk": "",
"checksum": "",
"faz.quota": "",
"ha_group_id": "",
"adm_usr": "",
"ha_group_name": "",
"faz.used": "",
"tunnel_cookie": "",
"conf_status": "",
"mgmt.__data[6]": "",
"last_checked": "",
"version": "",
"mgmt.__data[0]": "",
"ha_slave": "",
"name": "",
"longitude": "",
"platform_str": "",
"foslic_dr_site": "",
"tunnel_ip": "",
"oid": "",
"foslic_type": "",
"prefer_img_ver": "",
"location_from": "",
"vm_cpu_limit": "",
"mgmt_if": "",
"faz.full_act": "",
"av_ver": "",
"fex_cnt": "",
"fsw_cnt": "",
"mgmt.__data[4]": "",
"vm_mem": "",
"sn": "",
"logdisk_size": "",
"lic_flags": "",
"hostname": "",
"vm_mem_limit": "",
"vdom": [
{
"tab_status": "",
"opmode": "",
"name": "",
"devid": "",
"rtm_prof_id": "",
"status": "",
"comments": "",
"oid": "",
"ext_flags": "",
"node_flags": "",
"vpn_id": "",
"flags": ""
}
],
"tab_status": "",
"adm_pass": [],
"mgmt_id": "",
"beta": "",
"dev_status": "",
"os_type": "",
"vm_lic_expire": "",
"mgmt_mode": "",
"hdisk_size": "",
"ip": "",
"vm_status": "",
"db_status": "",
"mr": "",
"module_sn": "",
"hw_rev_major": "",
"flags": "",
"desc": "",
"app_ver": "",
"maxvdom": "",
"vm_cpu": "",
"conn_mode": "",
"node_flags": "",
"fap_cnt": "",
"mgt_vdom": ""
}
]
}
]
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
ADOM | The administrative domain name (ADOM) of the Fortinet FortiManager server to which you will connect and perform the automated operations. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter. |
Filter | Filter expression using which you want to retrieve events from Fortinet FortiManager. The fields 'event_value', 'severity', 'triggername', 'count', 'comment' and 'flags' are supported. For example, triggername='Local Device Event' and severity>=3 or subject='desc:User login from SSH failed' |
Time Range | Select this checkbox to specify the time range for which you want to retrieve events from Fortinet FortiManager. If you select this checkbox, then you must specify the following parameters: |
Limit | The maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000". |
Offset | Index of the first item to return. Values supported are: Default "0" and Minimum "0". |
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"result": {
"data": [
{
"alerttime": "",
"triggername": "",
"devname": "",
"vdom": "",
"filterid": "",
"filterkey": "",
"devtype": "",
"eventtype": "",
"groupby1": "",
"euid": "1",
"subject": "",
"devid": "",
"alertid": "",
"extrainfo": "",
"euname": "",
"epname": "",
"ackflag": "",
"logcount": "",
"filtercksum": "",
"tag": "",
"updatetime": "",
"epid": "1",
"severity": "",
"readflag": "",
"lastlogtime": "",
"firstlogtime": ""
}
]
},
"id": ""
}
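The Filter parameters of List Incident (category="CAT2" and severity="medium") and Get Events (triggername='Local Device Event' and severity>=3) are passed to FortiManager as a query string, so a playbook that builds them from alert fields or analyst input should not concatenate raw values into the expression. The following added Python example, which is not connector code, builds both filter forms from structured (field, operator, value) tuples and refuses anything that could alter the query. The field and operator sets are assumptions drawn from the fields named on this page, and because the page documents no escape syntax the builder rejects quotes, backslashes and control characters rather than trying to escape them.

```python
import re

# Filterable fields named on this page (assumption: the real lists are longer)
INCIDENT_FIELDS = {"category", "severity", "status", "reporter", "epid", "euid"}
EVENT_FIELDS = {"event_value", "severity", "triggername", "count", "comment", "flags", "subject"}
OPERATORS = {"=", "!=", ">", ">=", "<", "<="}
# Anything that could close the quoted value or smuggle in a second clause is
# refused, because the page documents no escape syntax to rely on.
UNSAFE = re.compile(r"[\"'\\\x00-\x1f]")

def build_filter(conditions, allowed, joiner="and", quote='"'):
    """conditions is a list of (field, operator, value) taken from playbook
    variables. Returns e.g. category="CAT2" and severity="medium", or "" for no
    conditions (the page states that an empty filter returns an unfiltered list).
    Raises ValueError rather than guessing when a field, operator or value is
    not known to be safe."""
    if joiner not in ("and", "or"):
        raise ValueError(f"bad joiner: {joiner!r}")
    parts = []
    for field, op, value in conditions:
        if field not in allowed:
            raise ValueError(f"field not filterable: {field!r}")
        if op not in OPERATORS:
            raise ValueError(f"bad operator: {op!r}")
        if isinstance(value, bool) or not isinstance(value, (int, str)):
            raise ValueError(f"unsupported value type for {field}: {type(value).__name__}")
        if isinstance(value, int):
            parts.append(f"{field}{op}{value}")          # numeric: no quotes, as in severity>=3
        elif UNSAFE.search(value):
            raise ValueError(f"value for {field} contains quote, backslash or control characters")
        else:
            parts.append(f"{field}{op}{quote}{value}{quote}")
    return f" {joiner} ".join(parts)
```

Use quote='"' for the List Incident form and quote="'" for the Get Events form shown on this page; a rejected value should fail the playbook step visibly rather than fall back to an unfiltered query, since an unfiltered List Incident call with a large Limit is itself a way to pull far more data than the step intended.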
Parameter | Description |
---|---|
ADOM | (Optional) The administrative domain name (ADOM) of the Fortinet FortiManager server to which you will connect and perform the automated operations. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter. |
Alert ID | The ID of alerts in CSV or list format whose event details (logs) you want to retrieve from Fortinet FortiManager. Note: You can find the "Alert IDs" using the "Get Events" action. |
Time Order | Select the order in which you want to sort the result. You can choose between Ascending or Descending. By default, this is set to Descending. |
Limit | The maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000". |
Offset | Index of the first item to return. Values supported are: Default "0" and Minimum "0". |
The output contains the following populated JSON schema:
{
"id": "",
"result": {
"data": [
{
"log_id": "",
"devname": "",
"userfrom": "",
"time": "",
"dstepid": "",
"desc": "",
"user": "",
"dtime": "",
"msg": "",
"type": "",
"devid": "",
"dsteuid": "",
"euid": "",
"date": "",
"idseq": "",
"itime_t": "",
"epid": "",
"subtype": "",
"level": "",
"itime": ""
}
]
},
"jsonrpc": ""
}
Parameter | Description |
---|---|
ADOM | (Optional) The administrative domain name (ADOM) of the Fortinet FortiManager server to which you will connect and perform the automated operations. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter. |
Incident ID | The ID of the incident that you want to update in FortiManager. |
Endpoint Name | Details of the endpoint affected by the incident that you want to update in Fortinet FortiManager. For example, 11.XXX.YY.Z/32 (11.XXX.YY.Z) or 11.XXX.YY.Z/32 (Emp1 Laptop). |
Endpoint ID | (Optional) Endpoint ID that you want to assign to the incident you want to update in Fortinet FortiManager. |
End User ID | (Optional) End-user ID that you want to assign to the incident you want to update in Fortinet FortiManager. |
Category | (Optional) The category you want to assign to the incident you want to update in Fortinet FortiManager. You can choose from the following options: Unauthorized access, Denial of Service, Malicious Code, Improper Usage, Scans/Probes/Attempted Access, or Uncategorized. |
Severity | (Optional) The severity level you want to assign to the incident you want to update in Fortinet FortiManager. You can choose from the following options: High, Medium, or Low. |
Status | (Optional) The status you want to assign to the incident you want to update in Fortinet FortiManager. You can choose from the following options: New, Analysis, Response, Closed: Remediated, or Closed: False Positive. |
Description | (Optional) Description of the incident that you want to update in Fortinet FortiManager. |
Last Revision | (Optional) Last version of the incident that you want to update in Fortinet FortiManager. |
Last User | (Optional) Last user of the incident that you want to update in Fortinet FortiManager. |
The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"status": {
"code": "",
"message": ""
}
}
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
ADOM Name | Specify the ADOM name whose policy package you want to retrieve from Fortinet FortiManager. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter. |
Policy Package Name | Select the policy package name whose details you want to retrieve from Fortinet FortiManager. This parameter makes an API call named "list_adom_policy_package" to dynamically populate its dropdown selection. |
Policy Package/Folder Path | Specify the policy package or folder path of the ADOM policy package whose details you want to retrieve from Fortinet FortiManager. |
The output contains the following populated JSON schema:
Output schema when the 'Policy Package Name' is empty
```json
{
  "result": [
    {
      "data": [
        {
          "type": "",
          "package settings": {
            "consolidated-firewall-mode": "",
            "fwpolicy6-implicit-log": "",
            "fwpolicy-implicit-log": "",
            "ngfw-mode": "",
            "central-nat": ""
          },
          "oid": "",
          "name": "",
          "scope member": [
            {
              "vdom": "",
              "name": ""
            }
          ],
          "obj ver": ""
        }
      ],
      "url": "",
      "status": {
        "code": "",
        "message": ""
      }
    }
  ],
  "id": ""
}
```
Default Output schema
```json
{
  "id": "",
  "result": [
    {
      "status": {
        "code": "",
        "message": ""
      },
      "data": {
        "obj ver": "",
        "name": "",
        "type": "",
        "scope member": [
          {
            "name": "",
            "vdom": ""
          }
        ],
        "oid": "",
        "package settings": {
          "ngfw-mode": "",
          "consolidated-firewall-mode": "",
          "fwpolicy6-implicit-log": "",
          "fwpolicy-implicit-log": "",
          "central-nat": ""
        }
      },
      "url": ""
    }
  ]
}
```
Parameter | Description |
---|---|
ADOM Name | (Optional) Specify the ADOM name whose ADOM IPv4 policy you want to retrieve from Fortinet FortiManager. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter. |
Policy Package Name | Select the policy package whose IPv4 policy details you want to retrieve from Fortinet FortiManager. This parameter makes an API call named "list_adom_policy_package" to dynamically populate its dropdown selection. |
Policy Package/Folder Path | (Optional) Specify the policy package or folder path of the ADOM IPv4 policy whose details you want to retrieve from Fortinet FortiManager. |
IPv4 Policy Name | (Optional) Specify IPv4 policy name whose details you want to retrieve from Fortinet FortiManager. |
The output contains the following populated JSON schema:
```json
{
  "id": "",
  "result": [
    {
      "data": [
        {
          "_last_hit": "",
          "_byte": "",
          "custom-log-fields": [],
          "_pkts": "",
          "anti-replay": "",
          "_first_hit": "",
          "webproxy-profile": [],
          "delay-tcp-npu-session": "",
          "dstaddr-negate": "",
          "tcp-mss-receiver": "",
          "internet-service": "",
          "srcaddr": [],
          "traffic-shaper": [],
          "vpn_dst_node": "",
          "match-vip-only": "",
          "_hitcount": "",
          "schedule": [],
          "fsso-agent-for-ntlm": [],
          "permit-any-host": "",
          "schedule-timeout": "",
          "radius-mac-auth-bypass": "",
          "email-collect": "",
          "name": "",
          "ssl-mirror-intf": [],
          "status": "",
          "policyid": "",
          "vlan-cos-fwd": "",
          "vpn_src_node": "",
          "nat": "",
          "block-notification": "",
          "logtraffic-start": "",
          "per-ip-shaper": [],
          "tos-negate": "",
          "traffic-shaper-reverse": [],
          "logtraffic": "",
          "np-acceleration": "",
          "session-ttl": "",
          "uuid": "",
          "service-negate": "",
          "srcaddr-negate": "",
          "wccp": "",
          "_policy_block": "",
          "action": "",
          "groups": [],
          "fsso": "",
          "tos": "",
          "internet-service-src": "",
          "utm-status": "",
          "natip": [],
          "capture-packet": "",
          "dstaddr": [],
          "tcp-mss-sender": "",
          "_first_session": "",
          "_sesscount": "",
          "_global-vpn-tgt": "",
          "srcintf": [],
          "tcp-session-without-syn": "",
          "timeout-send-rst": "",
          "ssl-ssh-profile": [],
          "fsso-groups": [],
          "service": [],
          "vlan-cos-rev": "",
          "captive-portal-exempt": "",
          "users": [],
          "app-group": [],
          "webcache-https": "",
          "geoip-anycast": "",
          "diffserv-forward": "",
          "profile-type": "",
          "rtp-nat": "",
          "reputation-direction": "",
          "disclaimer": "",
          "webproxy-forward-server": [],
          "inspection-mode": "",
          "obj seq": "",
          "auto-asic-offload": "",
          "_global-vpn": [],
          "ssl-mirror": "",
          "dstintf": [],
          "_last_session": "",
          "match-vip": "",
          "diffserv-reverse": "",
          "dsri": "",
          "tos-mask": "",
          "reputation-minimum": "",
          "profile-protocol-options": [],
          "replacemsg-override-group": []
        }
      ],
      "status": {
        "message": "",
        "code": ""
      },
      "url": ""
    }
  ]
}
```
Parameter | Description |
---|---|
ADOM | (Optional) Specify the ADOM name whose associated list of blocked IP addresses you want to retrieve from Fortinet FortiManager. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter. |
Policy Package Name | Select the policy package whose associated blocked IP addresses you want to retrieve from Fortinet FortiManager. This parameter makes an API call named "list_adom_policy_package" to dynamically populate its dropdown selection. |
Policy Package/Folder Path | (Optional) Specify the policy package or folder path of the ADOM IPv4 policy whose associated blocked IP addresses you want to retrieve from Fortinet FortiManager. |
IPv4 Policy Name | Specify the IPv4 policy name associated with the blocked IP addresses you want to retrieve from Fortinet FortiManager. |
Address Group Name | Name of the IP address group, in CSV or list format, that you have specified in Fortinet FortiManager for blocking or unblocking IP addresses. For more information, see the Blocking or Unblocking IP addresses in Fortinet FortiManager section. |
The output contains the following populated JSON schema:
```json
{
  "policy_name": "",
  "dstaddr": [],
  "srcaddr": [],
  "addrgrp": [
    {
      "name": "",
      "member": []
    }
  ],
  "addrgrp_not_exist": []
}
```
Parameter | Description |
---|---|
ADOM Name | (Optional) Specify the ADOM name whose associated IP addresses you want to block in the IPv4 policy of Fortinet FortiManager. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter. |
Policy Package Name | Select the policy package whose associated IP addresses you want to block in the IPv4 policy of Fortinet FortiManager. This parameter makes an API call named "list_adom_policy_package" to dynamically populate its dropdown selection. |
Policy Package/Folder Path | (Optional) Specify the policy package or folder path of the ADOM IPv4 policy whose associated IP addresses you want to block in Fortinet FortiManager. |
IPv4 Policy Name | Name of the IPv4 Policy that you have specified in Fortinet FortiManager for blocking or unblocking IP addresses. |
Address Group Name | Name of the IP address group that you have specified in Fortinet FortiManager for blocking or unblocking IP addresses. For more information, see the Blocking or Unblocking IP addresses in Fortinet FortiManager section. |
IP Address | Specify the IP addresses that you want to block using Fortinet FortiManager, in CSV or list format. For example, ["1.1.1.1", "2.2.2.2"] or "1.1.1.1", "2.2.2.2". |
The output contains the following populated JSON schema:
```json
{
  "already_blocked": [],
  "newly_blocked": [],
  "error_with_block": []
}
```
Parameter | Description |
---|---|
ADOM Name | (Optional) Specify the ADOM name whose associated IP addresses you want to unblock in the IPv4 policy of Fortinet FortiManager. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter. |
Policy Package Name | Select the policy package whose associated IP addresses you want to unblock in the IPv4 policy of Fortinet FortiManager. This parameter makes an API call named "list_adom_policy_package" to dynamically populate its dropdown selection. |
Policy Package/Folder Path | (Optional) Specify the policy package or folder path of the ADOM IPv4 policy whose associated IP addresses you want to unblock in Fortinet FortiManager. |
IPv4 Policy Name | Name of the IPv4 Policy that you have specified in Fortinet FortiManager for blocking or unblocking IP addresses. |
Address Group Name | Name of the IP address group that you have specified in Fortinet FortiManager for blocking or unblocking IP addresses. For more information, see the Blocking or Unblocking IP addresses in Fortinet FortiManager section. |
IP Address | Specify the IP addresses that you want to unblock using Fortinet FortiManager, in CSV or list format. For example, ["1.1.1.1", "2.2.2.2"] or "1.1.1.1", "2.2.2.2". |
The output contains the following populated JSON schema:
```json
{
  "not_exist": [],
  "newly_unblocked": [],
  "error_with_unblock": []
}
```
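The three output keys of the block and unblock operations above (and of their global-policy counterparts later in this document) follow from comparing the requested IP addresses with the address group's current members as reported by the blocked-IP listing operation. The following added example, which is not the connector's own code, reproduces that bookkeeping: it accepts the 'IP Address' parameter in both the CSV and the list form, reads the group's members out of a constructed listing output, and partitions the request into the documented keys. The policy and group names are constructed, and the example assumes that the group's 'member' list holds the blocked IPs as plain strings.

```python
# Added example (not the connector's own code): the bookkeeping behind the
# block/unblock IP address operations, driven by the output of the operation
# that lists blocked IPs. Assumes "member" holds blocked IPs as plain strings.
import ipaddress

# Constructed sample of the "blocked IP addresses" listing output.
SAMPLE_BLOCKED = {
    "policy_name": "Block-Malicious-IPs",
    "dstaddr": ["all"],
    "srcaddr": ["Blocked-IPs"],
    "addrgrp": [{"name": "Blocked-IPs", "member": ["1.1.1.1", "3.3.3.3"]}],
    "addrgrp_not_exist": ["Missing-Group"],
}

def parse_ip_input(value) -> list:
    """Accept the 'IP Address' parameter as the CSV string '"1.1.1.1", "2.2.2.2"'
    or the list ["1.1.1.1", "2.2.2.2"]; strip quotes/blanks, drop duplicates."""
    parts = value.split(",") if isinstance(value, str) else list(value)
    seen, cleaned = set(), []
    for part in parts:
        ip = str(part).strip().strip("\"'").strip()
        if ip and ip not in seen:
            seen.add(ip)
            cleaned.append(ip)
    return cleaned

def current_members(blocked_output: dict, group_name: str) -> set:
    """Members of one address group; a missing or non-existent group is an error."""
    if group_name in blocked_output.get("addrgrp_not_exist", []):
        raise LookupError(f"address group {group_name!r} does not exist")
    for grp in blocked_output.get("addrgrp", []):
        if grp["name"] == group_name:
            return set(grp["member"])
    raise LookupError(f"address group {group_name!r} not in policy")

def _is_ipv4(ip: str) -> bool:
    try:
        ipaddress.IPv4Address(ip)
        return True
    except ValueError:
        return False

def plan_block(members: set, requested) -> dict:
    """Partition requested IPs into the block operation's three output keys."""
    out = {"already_blocked": [], "newly_blocked": [], "error_with_block": []}
    for ip in parse_ip_input(requested):
        if not _is_ipv4(ip):
            out["error_with_block"].append(ip)  # not a valid IPv4 address
        elif ip in members:
            out["already_blocked"].append(ip)   # idempotent: nothing to add
        else:
            out["newly_blocked"].append(ip)
    return out

def plan_unblock(members: set, requested) -> dict:
    """Same partition for the unblock operation's three output keys."""
    out = {"not_exist": [], "newly_unblocked": [], "error_with_unblock": []}
    for ip in parse_ip_input(requested):
        if not _is_ipv4(ip):
            out["error_with_unblock"].append(ip)
        elif ip in members:
            out["newly_unblocked"].append(ip)
        else:
            out["not_exist"].append(ip)         # never blocked in this group
    return out
```

Running `plan_block(current_members(SAMPLE_BLOCKED, "Blocked-IPs"), '"1.1.1.1", "2.2.2.2", "999.1.1.1"')` reports 1.1.1.1 as already blocked, 2.2.2.2 as newly blocked and the malformed address under error_with_block, which is the shape a playbook step would branch on.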
Parameter | Description |
---|---|
ADOM Name | (Optional) Specify the ADOM name to which you want to apply the IPv4 policy in Fortinet FortiManager. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter. |
Policy Package Name | Select the policy package to which you want to apply the IPv4 policy in Fortinet FortiManager. This parameter makes an API call named "list_adom_policy_package" to dynamically populate its dropdown selection. |
Policy Package/Folder Path | (Optional) Specify the policy package or folder path to apply the IPv4 policy in Fortinet FortiManager. |
The output contains the following populated JSON schema:
```json
{
  "id": "",
  "result": [
    {
      "data": {
        "task": ""
      },
      "status": {
        "message": "",
        "code": ""
      },
      "url": ""
    }
  ]
}
```
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Package Name | Specify the name of the global policy package from which you want to retrieve package details. |
Policy Package/Folder Path | Specify the policy package or folder path from which you want to retrieve package details. |
The output contains the following populated JSON schema:
Output schema when the 'Policy Package Name' is empty
```json
{
  "result": [
    {
      "url": "",
      "data": [
        {
          "type": "",
          "package settings": {
            "ngfw-mode": "",
            "central-nat": "",
            "consolidated-firewall-mode": "",
            "fwpolicy-implicit-log": "",
            "fwpolicy6-implicit-log": ""
          },
          "scope member": [
            {
              "name": ""
            }
          ],
          "obj ver": "",
          "name": "",
          "oid": ""
        }
      ],
      "status": {
        "message": "",
        "code": ""
      }
    }
  ],
  "id": ""
}
```
Default Output schema
```json
{
  "result": [
    {
      "url": "",
      "data": {
        "type": "",
        "package settings": {
          "ngfw-mode": "",
          "central-nat": "",
          "consolidated-firewall-mode": "",
          "fwpolicy-implicit-log": "",
          "fwpolicy6-implicit-log": ""
        },
        "scope member": [
          {
            "name": ""
          }
        ],
        "obj ver": "",
        "name": "",
        "oid": ""
      },
      "status": {
        "message": "",
        "code": ""
      }
    }
  ],
  "id": ""
}
```
Parameter | Description |
---|---|
Policy Package Name | Specify the name of the global IPv4 policy package from which you want to retrieve package details. This parameter makes an API call named "list_global_policy_pck" to dynamically populate its dropdown selections. |
Policy Package/Folder Path | (Optional) Specify the policy package or folder path from which you want to retrieve package details. |
Policy Type | Select the policy type from which you want to retrieve IPv4 policy details. |
Policy Name | (Optional) Specify the name of the global IPv4 policy whose details you want to retrieve from Fortinet FortiManager. |
The output contains the following populated JSON schema:
```json
{
  "result": [
    {
      "url": "",
      "data": [
        {
          "ssl-ssh-profile": [],
          "_pkts": "",
          "disclaimer": "",
          "diffserv-reverse": "",
          "replacemsg-override-group": [],
          "dstaddr": [],
          "per-ip-shaper": [],
          "vlan-cos-rev": "",
          "schedule": [],
          "wccp": "",
          "_byte": "",
          "status": "",
          "groups": [],
          "block-notification": "",
          "_global-vpn": [],
          "webcache-https": "",
          "obj seq": "",
          "utm-status": "",
          "webproxy-profile": [],
          "tcp-mss-receiver": "",
          "tos-negate": "",
          "profile-type": "",
          "reputation-minimum": "",
          "timeout-send-rst": "",
          "policyid": "",
          "dstaddr-negate": "",
          "traffic-shaper": [],
          "profile-protocol-options": [],
          "internet-service": "",
          "reputation-direction": "",
          "natip": [],
          "session-ttl": "",
          "vlan-cos-fwd": "",
          "delay-tcp-npu-session": "",
          "webproxy-forward-server": [],
          "email-collect": "",
          "np-acceleration": "",
          "fsso-agent-for-ntlm": [],
          "identity-based-policy": "",
          "name": "",
          "tos": "",
          "_first_session": "",
          "uuid": "",
          "_sesscount": "",
          "match-vip": "",
          "logtraffic": "",
          "schedule-timeout": "",
          "traffic-shaper-reverse": [],
          "tos-mask": "",
          "permit-any-host": "",
          "anti-replay": "",
          "capture-packet": "",
          "ssl-mirror-intf": [],
          "srcaddr": [],
          "service": [],
          "internet-service-src": "",
          "dstintf": [],
          "_last_hit": "",
          "_hitcount": "",
          "_first_hit": "",
          "gtp-profile": [],
          "radius-mac-auth-bypass": "",
          "diffserv-forward": "",
          "geoip-anycast": "",
          "tcp-mss-sender": "",
          "app-group": [],
          "rtp-nat": "",
          "inspection-mode": "",
          "tcp-session-without-syn": "",
          "logtraffic-start": "",
          "auto-asic-offload": "",
          "action": "",
          "fsso-groups": [],
          "fsso": "",
          "_global-vpn-tgt": "",
          "captive-portal-exempt": "",
          "users": [],
          "custom-log-fields": [],
          "dsri": "",
          "srcintf": [],
          "nat": "",
          "service-negate": "",
          "match-vip-only": "",
          "ssl-mirror": "",
          "_last_session": "",
          "srcaddr-negate": ""
        }
      ],
      "status": {
        "message": "",
        "code": ""
      }
    }
  ],
  "id": ""
}
```
Parameter | Description |
---|---|
Policy Package Name | Specify the name of the global IPv4 policy package whose associated blocked IP addresses you want to retrieve from Fortinet FortiManager. This parameter makes an API call named "list_global_policy_pck" to dynamically populate its dropdown selections. |
Policy Package/Folder Path | (Optional) Specify the policy package or folder path of the global IPv4 policy whose associated blocked IP addresses you want to retrieve from Fortinet FortiManager. |
Policy Type | Select the policy type for which you want to retrieve blocked IP addresses from Fortinet FortiManager. |
IPv4 Policy Name | Specify the IPv4 policy name associated with the blocked IP addresses you want to retrieve from Fortinet FortiManager. |
Address Group Name | Name of the IP address group, in CSV or list format, that you have specified in Fortinet FortiManager for blocking or unblocking IP addresses. For more information, see the Blocking or Unblocking IP addresses in Fortinet FortiManager section. |
The output contains the following populated JSON schema:
```json
{
  "policy_name": "",
  "dstaddr": [],
  "srcaddr": [],
  "addrgrp": [
    {
      "name": "",
      "member": []
    }
  ],
  "addrgrp_not_exist": []
}
```
Parameter | Description |
---|---|
Policy Package Name | Select the policy package whose associated IP addresses you want to block in the global IPv4 policy of Fortinet FortiManager. This parameter makes an API call named "list_global_policy_pck" to dynamically populate its dropdown selections. |
Policy Package/Folder Path | (Optional) Specify the policy package or folder path of the global IPv4 policy whose associated IP addresses you want to block in Fortinet FortiManager. |
Policy Type | Select the policy type whose IP addresses you want to block in Fortinet FortiManager. |
IPv4 Policy Name | Name of the IPv4 Policy that you have specified in Fortinet FortiManager for blocking or unblocking IP addresses. |
Address Group Name | Name of the IP address group that you have specified in Fortinet FortiManager for blocking or unblocking IP addresses. For more information, see the Blocking or Unblocking IP addresses in Fortinet FortiManager section. |
IP Address | IP addresses that you want to block using Fortinet FortiManager, in CSV or list format. For example, ["1.1.1.1", "2.2.2.2"] or "1.1.1.1", "2.2.2.2". |
The output contains the following populated JSON schema:
```json
{
  "already_blocked": [],
  "newly_blocked": [],
  "error_with_block": []
}
```
Parameter | Description |
---|---|
Policy Package Name | Select the policy package whose associated IP addresses you want to unblock in the global IPv4 policy of Fortinet FortiManager. This parameter makes an API call named "list_global_policy_pck" to dynamically populate its dropdown selections. |
Policy Package/Folder Path | (Optional) Specify the policy package or folder path of the global IPv4 policy whose associated IP addresses you want to unblock in Fortinet FortiManager. |
Policy Type | Select the policy type whose IP addresses you want to unblock in Fortinet FortiManager. |
IPv4 Policy Name | Name of the IPv4 Policy that you have specified in Fortinet FortiManager for blocking or unblocking IP addresses. |
Address Group Name | Name of the IP address group that you have specified in Fortinet FortiManager for blocking or unblocking IP addresses. For more information, see the Blocking or Unblocking IP addresses in Fortinet FortiManager section. |
IP Address | IP addresses that you want to unblock using Fortinet FortiManager, in CSV or list format. For example, ["1.1.1.1", "2.2.2.2"] or "1.1.1.1", "2.2.2.2". |
The output contains the following populated JSON schema:
```json
{
  "not_exist": [],
  "newly_unblocked": [],
  "error_with_unblock": []
}
```
Parameter | Description |
---|---|
Policy Package Name | Select the policy package that you want to assign to ADOM devices in the global IPv4 policy of Fortinet FortiManager. This parameter makes an API call named "list_global_policy_pck" to dynamically populate its dropdown selections. |
Policy Package/Folder Path | Specify the policy package or folder path of the global policy package that you want to assign to ADOM devices in Fortinet FortiManager. |
ADOM Devices | Specify one or more destination ADOMs to which you want to assign the selected global policy package. This parameter makes an API call named "list_global_adom" to dynamically populate its dropdown selections. |
The output contains the following populated JSON schema:
```json
{
  "id": "",
  "result": [
    {
      "data": {
        "task": ""
      },
      "status": {
        "message": "",
        "code": ""
      },
      "url": ""
    }
  ]
}
```
The Sample - Fortinet Fortimanager - 2.0.1 playbook collection comes bundled with the Fortinet FortiManager connector. These playbooks contain steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiManager connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Fortinet FortiManager. Currently, "incidents" in Fortinet FortiManager are mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.
You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming Fortinet FortiManager "Incidents" to FortiSOAR™ "Alerts".
The Data Ingestion Wizard enables you to configure scheduled pulling of data from Fortinet FortiManager into FortiSOAR™. It also lets you pull some sample data from Fortinet FortiManager that you can use to define the mapping of data between Fortinet FortiManager and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to map only any custom fields that have been added to the Fortinet FortiManager incident.
On the Field Mapping screen, map the fields of a Fortinet FortiManager incident to the fields of an alert present in FortiSOAR™.
To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the status parameter of a Fortinet FortiManager incident to the state parameter of a FortiSOAR™ alert, click the State field and then click the status field to populate its keys.
For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed mapping the fields, click Save Mapping & Continue.
Use the Scheduling screen to configure schedule-based ingestion, i.e., to specify how often FortiSOAR™ polls Fortinet FortiManager, so that incidents are pulled from the Fortinet FortiManager integration into FortiSOAR™.
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull data from Fortinet FortiManager every 5 minutes, click Every X Minute, and in the minute box enter */5. With this configuration, data, i.e., incidents, will be pulled from Fortinet FortiManager every 5 minutes.
Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.