Fortinet FortiManager

Fortinet FortiManager v2.0.1

Home FortiSOAR Connectors Fortinet FortiManager

2.0.1

Fortinet FortiManager v2.0.1

About the connector

Fortinet FortiManager provides easy centralized configuration, policy-based provisioning, update management, and end-to-end network monitoring for your Fortinet installed environment.

This document provides information about the Fortinet FortiManager Connector, which facilitates automated interactions with your Fortinet FortiManager server using FortiSOAR™ playbooks. Add the Fortinet FortiManager connector, as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving a list of all devices configured on the Fortinet FortiManager server, creating and updating incidents on Fortinet FortiManager server, and retrieving a list of all incidents from the Fortinet FortiManager server.

You can use FortiSOAR™'s Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Fortinet FortiManager. For more information, see the Data Ingestion Support section.

Version information

Connector Version: 2.0.1

FortiSOAR™ Version Tested on: 7.0.2-664

Fortinet FortiManager Version Tested on: FortiManager VM64-KVM v7.0.1 Interim build4653

Authored By: Fortinet

Certified: Yes

Release Notes for version 2.0.1

Following changes have been made to the Fortinet FortiManager Connector in version 2.0.1:

Fixed an issue that caused the "Health Check" to fail if FortiAnalyzer (FAZ) was not enabled in FortiManager (FMG).

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:

yum install cyops-connector-fortinet-fortimanager

Prerequisites to configuring the connector

You must have the IP address or hostname of the Fortinet FortiManager server to which you will connect and perform automated operations and credentials (username-password pair) to access that server.
You must enable "FortiAnalyzer Features" in FortiManager to perform the following operations:
- Create Incident
- List Incident
- Get Events Related to Incident
- Get Events
- Get Events Details
- Update Incident
You must enable "Administrative Domain" features in FortiManager.
The FortiSOAR™ server should have outbound connectivity to port 443 on the Fortinet FortiManager server.
You must add the configurations required to block or unblock IP addresses in Fortinet FortiManager. For more information, see the Blocking or Unblocking IP addresses in Fortinet FortiManager section.

Blocking or Unblocking IP addresses in Fortinet FortiManager

Log on to the Fortinet FortiManager server with the necessary credentials.
To block or unblock an IP address, you must create a policy for IP addresses on the Fortinet FortiManager server. The following steps define the process of adding a policy:
1. In Policy & Objects > Policy Packages, click IPv4 Policy or Firewall Policy to create a policy for IPv4 with the following conditions.
  IPv4 Source Address = Blocked_IPs
  IPv4 Destination Address = Blocked_IPs
  Schedule = always
  Service = ALL
  Action = DENY
  Note: You can create an IPv6 policy in a similar manner.
  For more information on address group exclusions, see the Create a new object topic in the FortiManager 6.2.2 Administration Guide.
2. In Policy & Objects > Object Configuration, click Address Group to create an address group with the following conditions.
  Group Name = Blocked_IPs
  Member = none
  Show in address list = enable
  For more information on creating address groups and address group exclusions, see the IP policies topic in the FortiManager 6.2.2 Administration Guide.
Users who are configuring Fortinet FortiManager for the first time have to perform the following steps for the 'Install' Policy:
1. Add devices to the “Installation Targets” where the user wants to install the IPv4/Firewall policy.
2. Navigate to the Device Manager select the Device that is specified in the installation target and click Install.
3. Click Install Policy Package & Device Settings and select the policy package where the IPv4 Policy or Firewall Policy is created.
4. Run the 'Install Wizard' completely.
Users who are configuring Fortinet FortiManager for the first time have to perform the following steps for the 'Assign Global Policy Package':
1. Add ADOM to the “Assignment” where the user wants to assign the Global Policy Package. For more information see the Assign a global policy package section in the FortiManager document
2. Select the ADOM that you have specified in the assignment.
3. Run the 'Assign Wizard' completely.

Minimum Permissions Required

The minimum privileges that require to be assigned to users who are going to use this connector and run actions on Fortinet FortiManager are:

Admin Profile - Super User
JSON API Access - Read & Write

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Fortinet FortiManager connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details.

Parameter	Description
Hostname	IP address or Hostname of the Fortinet FortiManager endpoint server to which you will connect and perform the automated operations.
Username	Username to access the Fortinet FortiManager server to which you will connect and perform the automated operations.
Password	Password to access the Fortinet FortiManager server to which you will connect and perform the automated operations.
ADOM	Administrative domain names (ADOMs) of the Fortinet FortiManager server to which you will connect and perform the automated operations. Enter the ADOMs, in the CSV or List format.
Port	Port number used to access the Fortinet FortiManager server to which you will connect and perform the automated operations. By default, this is set to 443.
Verify SSL	Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from version 4.10.0 onwards:

Function	Description	Annotation and Category
Create Incident	Creates an incident in Fortinet FortiManager based on the reporter name, endpoint name, and other input parameters you have specified.	create_incident Investigation
List Incident	Retrieves a list of all incidents or specific incidents from Fortinet FortiManager based on the search parameters you have specified.	get_incidents Investigation
Get Events Related to Incident	Retrieves details of events associated with a Fortinet FortiManager incident, based on the incident ID and other input parameters you have specified.	get_incident_events Investigation
Get Device List	Retrieves a list of all devices or specific devices from Fortinet FortiManager based on the search parameters you have specified. Note: If a parameter is left blank or null, then this operation will return devices matching all values.	get_devices Investigation
Get Events	Retrieves a list of all events or specific events from Fortinet FortiManager based on the search parameters you have specified. Note: If a parameter is left blank or null, then this operation will return events matching all values.	get_alert_event Investigation
Get Event Details	Retrieves a list of event details (logs) from Fortinet FortiManager based on the alert IDs and other search parameters you have specified.	get_alert_logs Investigation
Update Incident	Update an incident in Fortinet FortiManager based on the incident ID and other input parameters you have specified.	create_incident Investigation
List ADOM Policy Package	Retrieves a list of all ADOM policy packages or specific ADOM policy packages from Fortinet FortiManager based on the search parameters you have specified.	get_adom_policy_package Investigation
List ADOM IPv4 Policy	Retrieves a list of all ADOM IPv4 policies or specific ADOM IPv4 policies from Fortinet FortiManager based on the search parameters you have specified.	get_adom_policy Investigation
ADOM Level Get Blocked IP Addresses	Retrieves a list of ADOM level IP Addresses that are blocked on Fortinet FortiGate through Fortinet FortiManager based on the IPv4 policy, address group name, and other input parameters you have specified.	get_blocked_ip Investigation
ADOM Level Block IP Address	Blocks IP addresses at the ADOM level on Fortinet FortiGate based on the IPv4 policy, address group name, and other input parameters you have specified.	block_ip Containment
ADOM Level Unblock IP Address	Unlocks IP addresses at the ADOM level on Fortinet FortiGate based on the IPv4 policy, address group name, and other input parameters you have specified.	unblock_ip Remediation
Re-install Policy	Reinstalls an IPv4 Policy in Fortinet FortiManager based on the ADOM Name and policy package name you have specified.	reinstall_policy Investigation
List Global Policy Package	Retrieves a list of all policy packages or specific policy packages from Fortinet FortiManager based on the search parameters you have specified.	get_global_policy_package Investigation
List Global IPv4 Policy	Retrieves a list of all global IPv4 policies or specific IPv4 policies from Fortinet FortiManager based on the search parameters you have specified.	get_global_policy Investigation
Global Level Get Blocked IP Addresses	Retrieves a list of Global (header/footer policy) level IP Addresses that are blocked on Fortinet FortiGate through Fortinet FortiManager based on the IPv4 policy, address group name, and other input parameters you have specified.	get_blocked_ip Investigation
Global Level Block IP Address	Blocks IP addresses at the global level on Fortinet FortiGate based on the IPv4 header/footer policy, address group name, and other input parameters you have specified.	block_ip Containment
Global Level Unblock IP Address	Unblocks IP addresses at the global level on Fortinet FortiGate based on the IPv4 header/footer policy, address group name, and other input parameters you have specified.	unblock_ip Remediation
Assign Global Policy Package	Assigns a global policy package to ADOM packages in Fortinet FortiManager based on the policy package name, ADOM devices, and other input parameters you have specified.	global_assign_policy Investigation

operation: Create Incident

Input parameters

Parameter	Description
ADOM	(Optional) The administrative domain name (ADOM) of the Fortinet FortiManager server to which you will connect and perform the automated operations. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter.
Reporter	Name of the reporter of the incident that you want to create in Fortinet FortiManager. For example, admin.
Endpoint Name	Details of the endpoint affected by the incident that you want to create in Fortinet FortiAnalyzer. For example, `11.XXX.YY.Z/32 (11.XXX.YY.Z) or 11.XXX.YY.Z/32 (Emp1 Laptop).`
Endpoint ID	(Optional) Endpoint ID that you want to assign to the incident you want to create in Fortinet FortiManager.
End User ID	(Optional) End-user ID that you want to assign to the incident you want to create in Fortinet FortiManager.
Category	(Optional) The category you want to assign to the incident you want to create in Fortinet FortiManager. You can choose from the following options: Unauthorized access, Denial of Service, Malicious Code, Improper Usage, Scans/Probes/Attempted Access, or Uncategorized.
Severity	(Optional) The severity level you want to assign to the incident you want to create in Fortinet FortiManager. You can choose from the following options: High, Medium, or Low.
Status	(Optional) The status you want to assign to the incident you want to create in Fortinet FortiManager. You can choose from the following options: New, Analysis, Response, Closed: Remediated, or Closed: False Positive.
Description	(Optional) Description of the new incident that you want to create in Fortinet FortiManager.

Output

The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"incid": ""
}
}

operation: List Incident

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter	Description
ADOM	The administrative domain name (ADOM) of the Fortinet FortiManager server to which you will connect and perform the automated operations. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter.
Incident ID	The ID of incidents in CSV or list format that you want to retrieve from Fortinet FortiManager.
Detail Level	Level of detail of the incidents that you want to retrieve from Fortinet FortiManager. By default, this is set to "Standard".
Filter	Query in the format of `field_name="field_value"` using which you want to filter incidents to be retrieved from Fortinet FortiManager For example `category="CAT2" and severity="medium"`
Sort By	Sorts the incidents by the specified field and order the results. If you choose "Field", then you can specify the following parameters: In the Field field specify the name of the field on which you want to sort the result. For example, severity, category, etc. (Optional) In the Order field choose the order in which you want to sort the result. You can choose between Ascending or Descending. By default, this is set to Ascending.
Limit	The maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000".
Offset	Index of the first item to return. Values supported are: Default "0" and Minimum "0".

Output

The output contains the following populated JSON schema:

Output schema when you choose “Detail Level” as 'Basic':
{
"jsonrpc": "",
"id": "",
"result": {
"status": {
"code": "",
"message": ""
},
"detail-level": "",
"data": [
{
"attach_revision": "",
"attach_lastupdate": "",
"lastupdate": "",
"revision": "",
"incid": ""
}
]
}
}

Output schema when you choose “Detail Level” as 'Extended':
{
"result": {
"data": [
{
"endpoint": "",
"euname": "",
"epip": "",
"status": "",
"incid": "",
"attachments": [
{
"lastupdate": "",
"attachid": "",
"revision": ""
}
],
"lastupdate": "",
"osversion": "",
"attach_lastupdate": "",
"euid": "",
"category": "",
"epid": "",
"epname": "",
"revision": "",
"reporter": "",
"createtime": "",
"description": "",
"osname": "",
"mac": "",
"lastuser": "",
"severity": "",
"attach_revision": "",
"refinfo": ""
}
],
"detail-level": "",
"status": {
"message": "",
"code": ""
}
},
"id": "",
"jsonrpc": ""
}

Output schema when you choose “Detail Level” as 'Standard' or you do not select any detail level:
{
"result": {
"data": [
{
"endpoint": "",
"reporter": "",
"createtime": "",
"description": "",
"status": "",
"incid": "",
"severity": "",
"lastuser": "",
"attach_lastupdate": "",
"lastupdate": "",
"euid": "",
"attach_revision": "",
"category": "",
"refinfo": "",
"epid": "",
"revision": ""
}
],
"detail-level": "",
"status": {
"message": "",
"code": ""
}
},
"id": "",
"jsonrpc": ""
}

operation: Get Events Related to Incident

Input parameters

Parameter	Description
ADOM	(Optional) The administrative domain name (ADOM) of the Fortinet FortiManager server to which you will connect and perform the automated operations. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter.
Incident ID	The ID of the incident whose associated events you want to retrieve from Fortinet FortiManager.
Attachment Type	Types of attachment that you want to search for in Fortinet FortiManager. Valid types include: Alert Event, Log, Comment, Log Search Filter, Upload File, or Report.
Limit	The maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000".
Offset	Index of the first item to return. Values supported are: Default "0" and Minimum "0".

Output

The output contains the following populated JSON schema:
{
"result": {
"data": [
{
"attachtype": "",
"lastupdate": "",
"incid": "",
"attachid": "",
"createtime": "",
"data": "",
"lastuser": "",
"revision": ""
}
],
"status": {
"message": "",
"code": ""
}
},
"id": "",
"jsonrpc": ""
}

operation: Get Device List

Input parameters

Parameter	Description
ADOM	(Optional) The administrative domain name (ADOM) of the Fortinet FortiManager server to which you will connect and perform the automated operations. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter.
Device Name	Valid device name based on which you want to retrieve details of devices from Fortinet FortiManager. Note: If a parameter is left blank or null, then this operation will return devices matching all values.

Output

The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"url": "",
"status": {
"code": "",
"message": ""
},
"data": [
{
"os_ver": "",
"build": "",
"ips_ext": "",
"foslic_inst_time": "",
"mgmt.__data[5]": "",
"lic_region": "",
"latitude": "",
"foslic_ram": "",
"faz.perm": "",
"branch_pt": "",
"ips_ver": "",
"foslic_utm": "",
"source": "",
"foslic_cpu": "",
"mgmt.__data[3]": "",
"mgmt.__data[2]": "",
"ha_mode": "",
"opts": "",
"last_resync": "",
"foslic_last_sync": "",
"conn_status": "",
"mgmt.__data[7]": "",
"patch": "",
"hw_rev_minor": "",
"mgmt.__data[1]": "",
"psk": "",
"checksum": "",
"faz.quota": "",
"ha_group_id": "",
"adm_usr": "",
"ha_group_name": "",
"faz.used": "",
"tunnel_cookie": "",
"conf_status": "",
"mgmt.__data[6]": "",
"last_checked": "",
"version": "",
"mgmt.__data[0]": "",
"ha_slave": "",
"name": "",
"longitude": "",
"platform_str": "",
"foslic_dr_site": "",
"tunnel_ip": "",
"oid": "",
"foslic_type": "",
"prefer_img_ver": "",
"location_from": "",
"vm_cpu_limit": "",
"mgmt_if": "",
"faz.full_act": "",
"av_ver": "",
"fex_cnt": "",
"fsw_cnt": "",
"mgmt.__data[4]": "",
"vm_mem": "",
"sn": "",
"logdisk_size": "",
"lic_flags": "",
"hostname": "",
"vm_mem_limit": "",
"vdom": [
{
"tab_status": "",
"opmode": "",
"name": "",
"devid": "",
"rtm_prof_id": "",
"status": "",
"comments": "",
"oid": "",
"ext_flags": "",
"node_flags": "",
"vpn_id": "",
"flags": ""
}
],
"tab_status": "",
"adm_pass": [],
"mgmt_id": "",
"beta": "",
"dev_status": "",
"os_type": "",
"vm_lic_expire": "",
"mgmt_mode": "",
"hdisk_size": "",
"ip": "",
"vm_status": "",
"db_status": "",
"mr": "",
"module_sn": "",
"hw_rev_major": "",
"flags": "",
"desc": "",
"app_ver": "",
"maxvdom": "",
"vm_cpu": "",
"conn_mode": "",
"node_flags": "",
"fap_cnt": "",
"mgt_vdom": ""
}
]
}
]
}

operation: Get Events

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter	Description
ADOM	The administrative domain name (ADOM) of the Fortinet FortiManager server to which you will connect and perform the automated operations. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter.
Filter	Filter expression using which you want to retrieve events from Fortinet FortiManager. `'event_value', 'severity', 'triggername', 'count', 'comment' and 'flags'` are supported. For example, `triggername='Local Device Event' and severity>=3 or subject='desc:User login from SSH failed'`
Time Range	Select this checkbox to specify the time range for which you want to retrieve events from Fortinet FortiManager. If you select this checkbox, then you must specify the following parameters: Start Time: Starting DateTime from when you want to retrieve events from Fortinet FortiManager. Consider the timezone as Fortinet FortiAnalyzer's timezone, if the timezone info is not specified. Format: 'yyyy-MM-dd'T'HH:mm:ssZ' (RFC 3339) e.g. '2016-10-17T20:45:37-07:00 or 'yyyy-MM-dd HH:mm:ss' e.g. '2016-10-17 20:45:37' End Time: Ending DateTime till when you want to retrieve events from Fortinet FortiManager. Consider the timezone as Fortinet FortiAnalyzer's timezone, if the timezone info is not specified. Format: 'yyyy-MM-dd'T'HH:mm:ssZ' (RFC 3339) e.g. '2016-10-17T20:45:37-07:00 or 'yyyy-MM-dd HH:mm:ss' e.g. '2016-10-17 20:45:37'
Limit	The maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000".
Offset	Index of the first item to return. Values supported are: Default "0" and Minimum "0".

Output

The output contains the following populated JSON schema:
{
"jsonrpc": "",
"result": {
"data": [
{
"alerttime": "",
"triggername": "",
"devname": "",
"vdom": "",
"filterid": "",
"filterkey": "",
"devtype": "",
"eventtype": "",
"groupby1": "",
"euid": "1",
"subject": "",
"devid": "",
"alertid": "",
"extrainfo": "",
"euname": "",
"epname": "",
"ackflag": "",
"logcount": "",
"filtercksum": "",
"tag": "",
"updatetime": "",
"epid": "1",
"severity": "",
"readflag": "",
"lastlogtime": "",
"firstlogtime": ""
}
]
},
"id": ""
}

operation: Get Event Details

Input parameters

Parameter	Description
ADOM	(Optional) The administrative domain name (ADOM) of the Fortinet FortiManager server to which you will connect and perform the automated operations. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter.
Alert ID	The ID of alerts in CSV or list format whose event details (logs) you want to retrieve from Fortinet FortiManager. Note: You can find the "Alert IDs" using the "Get Events" action.
Time Order	Select the order in which you want to sort the result. You can choose between Ascending or Descending. By default, this is set to Descending.
Limit	The maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000".
Offset	Index of the first item to return. Values supported are: Default "0" and Minimum "0".

Output

The output contains the following populated JSON schema:
{
"id": "",
"result": {
"data": [
{
"log_id": "",
"devname": "",
"userfrom": "",
"time": "",
"dstepid": "",
"desc": "",
"user": "",
"dtime": "",
"msg": "",
"type": "",
"devid": "",
"dsteuid": "",
"euid": "",
"date": "",
"idseq": "",
"itime_t": "",
"epid": "",
"subtype": "",
"level": "",
"itime": ""
}
]
},
"jsonrpc": ""
}

operation: Update Incident

Input parameters

Parameter	Description
ADOM	(Optional) The administrative domain name (ADOM) of the Fortinet FortiManager server to which you will connect and perform the automated operations. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter.
Incident ID	The ID of the incident that you want to update in FortiManager.
Endpoint Name	Details of the endpoint affected by the incident that you want to update in Fortinet FortiAnalyzer. For example, `11.XXX.YY.Z/32 (11.XXX.YY.Z) or 11.XXX.YY.Z/32 (Emp1 Laptop).`
Endpoint ID	(Optional) Endpoint ID that you want to assign to the incident you want to update in Fortinet FortiManager.
End User ID	(Optional) End-user ID that you want to assign to the incident you want to update in Fortinet FortiManager.
Category	(Optional) The category you want to assign to the incident you want to update in Fortinet FortiManager. You can choose from the following options: Unauthorized access, Denial of Service, Malicious Code, Improper Usage, Scans/Probes/Attempted Access, or Uncategorized.
Severity	(Optional) The severity level you want to assign to the incident you want to update in Fortinet FortiManager. You can choose from the following options: High, Medium, or Low.
Status	(Optional) The status you want to assign to the incident you want to update in Fortinet FortiManager. You can choose from the following options: New, Analysis, Response, Closed: Remediated, or Closed: False Positive.
Description	(Optional) Description of the incident that you want to update in Fortinet FortiManager.
Last Revision	(Optional) Last version of the incident that you want to update in Fortinet FortiManager.
Last User	(Optional) Last user of the incident that you want to update in Fortinet FortiManager.

Output

The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"status": {
"code": "",
"message": ""
}
}
}

operation: List ADOM Policy Package

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter	Description
ADOM Name	Specify the ADOM name whose policy package you want to retrieve from Fortinet FortiManager. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter.
Policy Package Name	Select the policy package name whose details you want to retrieve from Fortinet FortiManager This parameter makes an API call named "`list_adom_policy_package`" to dynamically populate its dropdown selection.
Policy Package/Folder Path	Specify the policy package or folder path of the ADOM policy package whose details you want to retrieve from Fortinet FortiManager.

Output

The output contains the following populated JSON schema:

Output schema when the 'Policy Package Name' is empty
{
"result": [
{
"data": [
{
"type": "",
"package settings": {
"consolidated-firewall-mode": "",
"fwpolicy6-implicit-log": "",
"fwpolicy-implicit-log": "",
"ngfw-mode": "",
"central-nat": ""
},
"oid": "",
"name": "",
"scope member": [
{
"vdom": "",
"name": ""
}
],
"obj ver": ""
}
],
"url": "",
"status": {
"code": "",
"message": ""
}
}
],
"id": ""
}

Default Output schema
{
"id": "",
"result": [
{
"status": {
"code": "",
"message": ""
},
"data": {
"obj ver": "",
"name": "",
"type": "",
"scope member": [
{
"name": "",
"vdom": ""
}
],
"oid": "",
"package settings": {
"ngfw-mode": "",
"consolidated-firewall-mode": "",
"fwpolicy6-implicit-log": "",
"fwpolicy-implicit-log": "",
"central-nat": ""
}
},
"url": ""
}
]
}

operation: List ADOM IPv4 Policy

Input parameters

Parameter	Description
ADOM Name	(Optional) Specify the ADOM name whose ADOM IPv4 policy you want to retrieve from Fortinet FortiManager. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter.
Policy Package Name	Select the policy package name whose IPv4 policy details you want to retrieve from Fortinet FortiManager. This parameter makes an API call named "`list_adom_policy_package`" to dynamically populate its dropdown selection.
Policy Package/Folder Path	(Optional) Specify the policy package or folder path of the ADOM IPv4 policy whose details you want to retrieve from Fortinet FortiManager.
IPv4 Policy Name	(Optional) Specify IPv4 policy name whose details you want to retrieve from Fortinet FortiManager.

Output

The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": [
{
"_last_hit": "",
"_byte": "",
"custom-log-fields": [],
"_pkts": "",
"anti-replay": "",
"_first_hit": "",
"webproxy-profile": [],
"delay-tcp-npu-session": "",
"dstaddr-negate": "",
"tcp-mss-receiver": "",
"internet-service": "",
"srcaddr": [],
"traffic-shaper": [],
"vpn_dst_node": "",
"match-vip-only": "",
"_hitcount": "",
"schedule": [],
"fsso-agent-for-ntlm": [],
"permit-any-host": "",
"schedule-timeout": "",
"radius-mac-auth-bypass": "",
"email-collect": "",
"name": "",
"ssl-mirror-intf": [],
"status": "",
"policyid": "",
"vlan-cos-fwd": "",
"vpn_src_node": "",
"nat": "",
"block-notification": "",
"logtraffic-start": "",
"per-ip-shaper": [],
"tos-negate": "",
"traffic-shaper-reverse": [],
"logtraffic": "",
"np-acceleration": "",
"session-ttl": "",
"uuid": "",
"service-negate": "",
"srcaddr-negate": "",
"wccp": "",
"_policy_block": "",
"action": "",
"groups": [],
"fsso": "",
"tos": "",
"internet-service-src": "",
"utm-status": "",
"natip": [],
"capture-packet": "",
"dstaddr": [],
"tcp-mss-sender": "",
"_first_session": "",
"_sesscount": "",
"_global-vpn-tgt": "",
"srcintf": [],
"tcp-session-without-syn": "",
"timeout-send-rst": "",
"ssl-ssh-profile": [],
"fsso-groups": [],
"service": [],
"vlan-cos-rev": "",
"captive-portal-exempt": "",
"users": [],
"app-group": [],
"webcache-https": "",
"geoip-anycast": "",
"diffserv-forward": "",
"profile-type": "",
"rtp-nat": "",
"reputation-direction": "",
"disclaimer": "",
"webproxy-forward-server": [],
"inspection-mode": "",
"obj seq": "",
"auto-asic-offload": "",
"_global-vpn": [],
"ssl-mirror": "",
"dstintf": [],
"_last_session": "",
"match-vip": "",
"diffserv-reverse": "",
"dsri": "",
"tos-mask": "",
"reputation-minimum": "",
"profile-protocol-options": [],
"replacemsg-override-group": []
}
],
"status": {
"message": "",
"code": ""
},
"url": ""
}
]
}

operation: ADOM Level Get Blocked IP Addresses

Input parameters

Parameter	Description
ADOM	(Optional) Specify the ADOM name whose associated list of blocked IP addresses you want to retrieve from Fortinet FortiManager. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter.
Policy Package Name	Select the policy package name whose associated blocked IP addresses you want to retrieve from Fortinet FortiManager. This parameter makes an API call named "`list_adom_policy_package`" to dynamically populate its dropdown selection.
Policy Package/Folder Path	(Optional) Specify the policy package or folder path of the ADOM IPv4 policy whose associated blocked IP addresses you want to retrieve from Fortinet FortiManager.
IPv4 Policy Name	Specify the IPv4 policy name associated with the blocked IP addresses you want to retrieve from Fortinet FortiManager.
Address Group Name	Name of the IP address group name, in the "CSV" or "list" format, that you have specified in Fortinet FortiManager for blocking or unblocking IP addresses. For more information, see the Blocking or Unblocking IP addresses in Fortinet FortiManager section.

Output

The output contains the following populated JSON schema:
{
"policy_name": "",
"dstaddr": [],
"srcaddr": [],
"addrgrp": [
{
"name": "",
"member": []
}
],
"addrgrp_not_exist": []
}

operation: ADOM Level Block IP Address

Input parameters

Parameter	Description
ADOM Name	(Optional) Specify the ADOM name whose associated IP addresses you want to block in the IPv4 policy of Fortinet FortiManager. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter.
Policy Package Name	Select the policy package name whose associated IP addresses you want to block in the IPv4 policy of Fortinet FortiManager. This parameter makes an API call named "`list_adom_policy_package`" to dynamically populate its dropdown selection.
Policy Package/Folder Path	(Optional) Specify the policy package or folder path of the ADOM IPv4 policy whose associated IP addresses you want to block in Fortinet FortiManager.
IPv4 Policy Name	Name of the IPv4 Policy that you have specified in Fortinet FortiManager for blocking or unblocking IP addresses.
Address Group Name	Name of the IP address group name that you have specified in Fortinet FortiManager for blocking or unblocking IP addresses. For more information, see the Blocking or Unblocking IP addresses in Fortinet FortiManager section.
IP Address	Specify the IP addresses that you want to block using Fortinet FortiManager in the "CSV" or "list" format. For example, `["1.1.1.1", "2.2.2.2"] or "1.1.1.1", "2.2.2.2"`.

Output

The output contains the following populated JSON schema:
{
"already_blocked": [],
"newly_blocked": [],
"error_with_block": []
}

operation: ADOM Level Unblock IP Address

Input parameters

Parameter	Description
ADOM Name	(Optional) Specify the ADOM name whose associated IP addresses you want to unblock in the IPv4 policy of Fortinet FortiManager. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter.
Policy Package Name	Select the policy package name whose associated IP addresses you want to unblock in the IPv4 policy of Fortinet FortiManager. This parameter makes an API call named "`list_adom_policy_package`" to dynamically populate its dropdown selection.
Policy Package/Folder Path	(Optional) Specify the policy package or folder path of the ADOM IPv4 policy whose associated IP addresses you want to unblock in Fortinet FortiManager.
IPv4 Policy Name	Name of the IPv4 Policy that you have specified in Fortinet FortiManager for blocking or unblocking IP addresses.
Address Group Name	Name of the IP address group name, that you have specified in Fortinet FortiManager for blocking or unblocking IP addresses. For more information, see the Blocking or Unblocking IP addresses in Fortinet FortiManager section.
IP Address	Specify the IP addresses that you want to unblock using Fortinet FortiManager in the "CSV" or "list" format. For example, `["1.1.1.1", "2.2.2.2"] or "1.1.1.1", "2.2.2.2"`.

Output

The output contains the following populated JSON schema:
{
"not_exist": [],
"newly_unblocked": [],
"error_with_unblock": []
}

operation: Re-install Policy

Input parameters

Parameter	Description
ADOM Name	(Optional) Specify the ADOM name to which you want to apply the IPv4 policy in Fortinet FortiManager. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter.
Policy Package Name	Select the policy package name to which you want to apply the IPv4 policy in Fortinet FortiManager. This parameter makes an API call named "`list_adom_policy_package`" to dynamically populate its dropdown selection.
Policy Package/Folder Path	(Optional) Specify the policy package or folder path to apply the IPv4 policy in Fortinet FortiManager.

Output

The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": {
"task": ""
},
"status": {
"message": "",
"code": ""
},
"url": ""
}
]
}

operation: List Global Policy Package

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter	Description
Package Name	Specify the name of the global policy package name from which you want to retrieve package details.
Policy Package/Folder Path	Specify the policy package or folder path from which you want to retrieve package details.

Output

The output contains the following populated JSON schema:

Output schema when the 'Policy Package Name' is empty
{
"result": [
{
"url": "",
"data": [
{
"type": "",
"package settings": {
"ngfw-mode": "",
"central-nat": "",
"consolidated-firewall-mode": "",
"fwpolicy-implicit-log": "",
"fwpolicy6-implicit-log": ""
},
"scope member": [
{
"name": ""
}
],
"obj ver": "",
"name": "",
"oid": ""
}
],
"status": {
"message": "",
"code": ""
}
}
],
"id": ""
}

Default Output schema
{
"result": [
{
"url": "",
"data": {
"type": "",
"package settings": {
"ngfw-mode": "",
"central-nat": "",
"consolidated-firewall-mode": "",
"fwpolicy-implicit-log": "",
"fwpolicy6-implicit-log": ""
},
"scope member": [
{
"name": ""
}
],
"obj ver": "",
"name": "",
"oid": ""
},
"status": {
"message": "",
"code": ""
}
}
],
"id": ""
}

operation: List Global IPv4 Policy

Input parameters

Parameter	Description
Policy Package Name	Specify the name of the global IPv4 policy package from which you want to retrieve package details. This parameter makes an API call named "`list_global_policy_pck`" to dynamically populate its dropdown selections.
Policy Package/Folder Path	(Optional) Specify the policy package or folder path from which you want to retrieve package details.
Policy Type	Select the policy type from which you want to retrieve IPv4 policy details.
Policy Name	(Optional) Specify the name of the global IPv4 policy whose details you want to retrieve from Fortinet FortiManager.

Output

The output contains the following populated JSON schema:
{
"result": [
{
"url": "",
"data": [
{
"ssl-ssh-profile": [],
"_pkts": "",
"disclaimer": "",
"diffserv-reverse": "",
"replacemsg-override-group": [],
"dstaddr": [],
"per-ip-shaper": [],
"vlan-cos-rev": "",
"schedule": [],
"wccp": "",
"_byte": "",
"status": "",
"groups": [],
"block-notification": "",
"_global-vpn": [],
"webcache-https": "",
"obj seq": "",
"utm-status": "",
"webproxy-profile": [],
"tcp-mss-receiver": "",
"tos-negate": "",
"profile-type": "",
"reputation-minimum": "",
"timeout-send-rst": "",
"policyid": "",
"dstaddr-negate": "",
"traffic-shaper": [],
"profile-protocol-options": [],
"internet-service": "",
"reputation-direction": "",
"natip": [],
"session-ttl": "",
"vlan-cos-fwd": "",
"delay-tcp-npu-session": "",
"webproxy-forward-server": [],
"email-collect": "",
"np-acceleration": "",
"fsso-agent-for-ntlm": [],
"identity-based-policy": "",
"name": "",
"tos": "",
"_first_session": "",
"uuid": "",
"_sesscount": "",
"match-vip": "",
"logtraffic": "",
"schedule-timeout": "",
"traffic-shaper-reverse": [],
"tos-mask": "",
"permit-any-host": "",
"anti-replay": "",
"capture-packet": "",
"ssl-mirror-intf": [],
"srcaddr": [],
"service": [],
"internet-service-src": "",
"dstintf": [],
"_last_hit": "",
"_hitcount": "",
"_first_hit": "",
"gtp-profile": [],
"radius-mac-auth-bypass": "",
"diffserv-forward": "",
"geoip-anycast": "",
"tcp-mss-sender": "",
"app-group": [],
"rtp-nat": "",
"inspection-mode": "",
"tcp-session-without-syn": "",
"logtraffic-start": "",
"auto-asic-offload": "",
"action": "",
"fsso-groups": [],
"fsso": "",
"_global-vpn-tgt": "",
"captive-portal-exempt": "",
"users": [],
"custom-log-fields": [],
"dsri": "",
"srcintf": [],
"nat": "",
"service-negate": "",
"match-vip-only": "",
"ssl-mirror": "",
"_last_session": "",
"srcaddr-negate": ""
}
],
"status": {
"message": "",
"code": ""
}
}
],
"id": ""
}

operation: Global Level Get Blocked IP Addresses

Input parameters

Parameter	Description
Policy Package Name	Specify the name of the global IPv4 policy whose associated blocked IP addresses you want to retrieve from Fortinet FortiManager. This parameter makes an API call named "`list_global_policy_pck`" to dynamically populate its dropdown selections.
Policy Package/Folder Path	(Optional) Specify the policy package or folder path of the global IPv4 policy whose associated blocked IP addresses you want to retrieve from Fortinet FortiManager.
Policy Type	Select policy type based on which you want to retrieve blocked IP addresses from Fortinet FortiManager.
IPv4 Policy Name	Specify the IPv4 policy name associated with the blocked IP addresses you want to retrieve from Fortinet FortiManager.
Address Group Name	Name of the IP address group name, in the "CSV" or "list" format, that you have specified in Fortinet FortiManager for blocking or unblocking IP addresses. For more information, see the Blocking or Unblocking IP addresses in Fortinet FortiManager section.

Output

operation: Global Level Block IP Address

Input parameters

Parameter	Description
Policy Package Name	Select the policy package whose associated IP addresses you want to block in the global IPv4 policy of Fortinet FortiManager. This parameter makes an API call named "`list_global_policy_pck`" to dynamically populate its dropdown selections.
Policy Package/Folder Path	(Optional) Specify the policy package or folder path of the global IPv4 policy whose associated IP addresses you want to block in Fortinet FortiManager.
Policy Type	Select policy type whose IP addresses you want to block in Fortinet FortiManager.
IPv4 Policy Name	Name of the IPv4 Policy that you have specified in Fortinet FortiManager for blocking or blocking IP addresses.
Address Group Name	Name of the IP address group name, that you have specified in Fortinet FortiManager for blocking or unblocking IP addresses. For more information, see the Blocking or Unblocking IP addresses in Fortinet FortiManager section.
IP Address	IP addresses that you want to block using Fortinet FortiManager in the "CSV" or "list" format.For example, `["1.1.1.1", "2.2.2.2"] or "1.1.1.1", "2.2.2.2"`.

Output

The output contains the following populated JSON schema:
{
"already_blocked": [],
"newly_blocked": [],
"error_with_block": []
}

operation: Global Level Unblock IP Address

Input parameters

Parameter	Description
Policy Package Name	Select the policy package whose associated IP addresses you want to unblock in the global IPv4 policy of Fortinet FortiManager. This parameter makes an API call named "`list_global_policy_pck`" to dynamically populate its dropdown selections.
Policy Package/Folder Path	(Optional) Specify the policy package or folder path of the global IPv4 policy whose associated IP addresses you want to unblock in Fortinet FortiManager.
Policy Type	Select policy type whose IP addresses you want to unblock in Fortinet FortiManager.
IPv4 Policy Name	Name of the IPv4 Policy that you have specified in Fortinet FortiManager for blocking or blocking IP addresses.
Address Group Name	Name of the IP address group name, that you have specified in Fortinet FortiManager for blocking or unblocking IP addresses. For more information, see the Blocking or Unblocking IP addresses in Fortinet FortiManager section.
IP Address	IP addresses that you want to unblock using Fortinet FortiManager in the "CSV" or "list" format.For example, `["1.1.1.1", "2.2.2.2"] or "1.1.1.1", "2.2.2.2"`.

Output

The output contains the following populated JSON schema:
{
"not_exist": [],
"newly_unblocked": [],
"error_with_unblock": []
}

operation: Assign Global Policy Package

Input parameters

Parameter	Description
Policy Package Name	Select the policy package that you want to assign to ADOM devices in the global IPv4 policy of Fortinet FortiManager. This parameter makes an API call named "`list_global_policy_pck`" to dynamically populate its dropdown selections.
Policy Package/Folder Path	Specify the policy package or folder path of the global policy package that you want to assign to ADOM devices in Fortinet FortiManager.
ADOM Devices	Specify one or more destination ADOMs to which you want to assign the selected global policy package. This parameter makes an API call named "`list_global_adom`" to dynamically populate its dropdown selections.

Output

The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": {
"task": ""
},
"status": {
"message": "",
"code": ""
},
"url": ""
}
]
}

Included playbooks

The Sample - Fortinet Fortimanager - 2.0.1 playbook collection comes bundled with the Fortinet FortiManager connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Fortinet FortiManager connector.

ADOM Level Block IP Address
ADOM Level Get Blocked IP Addresses
ADOM Level Unblock IP Address
Assign Global Policy Package
Create Incident
> FortiManager > Fetch
>> FortiManager > Handle Macro
FortiManager > Ingest
Get Device List
Get Event Details
Get Events
Get Events Related to Incident
Global Level Block IP Address
Global Level Get Blocked IP Addresses
Global Level Unblock IP Address
List ADOM IPv4 Policy
List ADOM Policy Package
List Global IPv4 Policy
List Global Policy Package
List Incident
Re-install Policy
Update Incident

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Fortinet FortiManager. Currently, "incidents" in Fortinet FortiManager are mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming Fortinet FortiManager "Incidents" to FortiSOAR™ "Alerts".

The Data Ingestion Wizard enables you to configure scheduled pulling of data from Fortinet FortiManager into FortiSOAR™. It also lets you pull some sample data from Fortinet FortiManager using which you can define the mapping of data between Fortinet FortiManager and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the Fortinet FortiManager incident.

To begin configuring data ingestion, click Configure Data Ingestion on the Fortinet FortiManager connector’s "Configurations" page.
Click Let’s Start by fetching some data, to open the “Fetch Sample Data” screen.

Sample data is required to create a field mapping between Fortinet FortiManager data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
On the Fetch Data screen, provide the configurations required to fetch Fortinet FortiManager data.
Users can choose to pull data from Fortinet FortiManager by specifying the last X minutes in which the incidents have been created or updated in Fortinet FortiManager. You can also specify a query to filter data retrieved from Fortinet FortiManager and can also specify additional parameters such as the category, severity, and status of the incidents to be fetched from Fortinet FortiManager. The fetched data is used to create a mapping between the Fortinet FortiManager data and FortiSOAR™ alerts.

Once you have completed specifying the configurations, click Fetch Data.
On the Field Mapping screen, map the fields of a Fortinet FortiManager incident to the fields of an alert present in FortiSOAR™.
To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the status parameter of a Fortinet FortiManager incident to the state parameter of a FortiSOAR™ alert, click the State field and then click the status field to populate its keys:

For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed mapping the fields, click Save Mapping & Continue.
Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to Fortinet FortiManager, so that the content gets pulled from the Fortinet FortiManager integration into FortiSOAR™.
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull data from Fortinet FortiManager every 5 minutes, click Every X Minute, and in the minute box enter */5. This would mean that based on the configuration you have set up, data, i.e., incidents will be pulled from Fortinet FortiManager every 5 minutes.

Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.

About the connector

Fortinet FortiManager provides easy centralized configuration, policy-based provisioning, update management, and end-to-end network monitoring for your Fortinet installed environment.

You can use FortiSOAR™'s Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Fortinet FortiManager. For more information, see the Data Ingestion Support section.

Version information

Connector Version: 2.0.1

FortiSOAR™ Version Tested on: 7.0.2-664

Fortinet FortiManager Version Tested on: FortiManager VM64-KVM v7.0.1 Interim build4653

Authored By: Fortinet

Certified: Yes

Release Notes for version 2.0.1

Following changes have been made to the Fortinet FortiManager Connector in version 2.0.1:

Fixed an issue that caused the "Health Check" to fail if FortiAnalyzer (FAZ) was not enabled in FortiManager (FMG).

Installing the connector

yum install cyops-connector-fortinet-fortimanager

Prerequisites to configuring the connector

You must have the IP address or hostname of the Fortinet FortiManager server to which you will connect and perform automated operations and credentials (username-password pair) to access that server.
You must enable "FortiAnalyzer Features" in FortiManager to perform the following operations:
- Create Incident
- List Incident
- Get Events Related to Incident
- Get Events
- Get Events Details
- Update Incident
You must enable "Administrative Domain" features in FortiManager.
The FortiSOAR™ server should have outbound connectivity to port 443 on the Fortinet FortiManager server.
You must add the configurations required to block or unblock IP addresses in Fortinet FortiManager. For more information, see the Blocking or Unblocking IP addresses in Fortinet FortiManager section.

Blocking or Unblocking IP addresses in Fortinet FortiManager

Log on to the Fortinet FortiManager server with the necessary credentials.
To block or unblock an IP address, you must create a policy for IP addresses on the Fortinet FortiManager server. The following steps define the process of adding a policy:
1. In Policy & Objects > Policy Packages, click IPv4 Policy or Firewall Policy to create a policy for IPv4 with the following conditions.
  IPv4 Source Address = Blocked_IPs
  IPv4 Destination Address = Blocked_IPs
  Schedule = always
  Service = ALL
  Action = DENY
  Note: You can create an IPv6 policy in a similar manner.
  For more information on address group exclusions, see the Create a new object topic in the FortiManager 6.2.2 Administration Guide.
2. In Policy & Objects > Object Configuration, click Address Group to create an address group with the following conditions.
  Group Name = Blocked_IPs
  Member = none
  Show in address list = enable
  For more information on creating address groups and address group exclusions, see the IP policies topic in the FortiManager 6.2.2 Administration Guide.
Users who are configuring Fortinet FortiManager for the first time have to perform the following steps for the 'Install' Policy:
1. Add devices to the “Installation Targets” where the user wants to install the IPv4/Firewall policy.
2. Navigate to the Device Manager select the Device that is specified in the installation target and click Install.
3. Click Install Policy Package & Device Settings and select the policy package where the IPv4 Policy or Firewall Policy is created.
4. Run the 'Install Wizard' completely.
Users who are configuring Fortinet FortiManager for the first time have to perform the following steps for the 'Assign Global Policy Package':
1. Add ADOM to the “Assignment” where the user wants to assign the Global Policy Package. For more information see the Assign a global policy package section in the FortiManager document
2. Select the ADOM that you have specified in the assignment.
3. Run the 'Assign Wizard' completely.

Minimum Permissions Required

The minimum privileges that require to be assigned to users who are going to use this connector and run actions on Fortinet FortiManager are:

Admin Profile - Super User
JSON API Access - Read & Write

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

Parameter	Description
Hostname	IP address or Hostname of the Fortinet FortiManager endpoint server to which you will connect and perform the automated operations.
Username	Username to access the Fortinet FortiManager server to which you will connect and perform the automated operations.
Password	Password to access the Fortinet FortiManager server to which you will connect and perform the automated operations.
ADOM	Administrative domain names (ADOMs) of the Fortinet FortiManager server to which you will connect and perform the automated operations. Enter the ADOMs, in the CSV or List format.
Port	Port number used to access the Fortinet FortiManager server to which you will connect and perform the automated operations. By default, this is set to 443.
Verify SSL	Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from version 4.10.0 onwards:

Function	Description	Annotation and Category
Create Incident	Creates an incident in Fortinet FortiManager based on the reporter name, endpoint name, and other input parameters you have specified.	create_incident Investigation
List Incident	Retrieves a list of all incidents or specific incidents from Fortinet FortiManager based on the search parameters you have specified.	get_incidents Investigation
Get Events Related to Incident	Retrieves details of events associated with a Fortinet FortiManager incident, based on the incident ID and other input parameters you have specified.	get_incident_events Investigation
Get Device List	Retrieves a list of all devices or specific devices from Fortinet FortiManager based on the search parameters you have specified. Note: If a parameter is left blank or null, then this operation will return devices matching all values.	get_devices Investigation
Get Events	Retrieves a list of all events or specific events from Fortinet FortiManager based on the search parameters you have specified. Note: If a parameter is left blank or null, then this operation will return events matching all values.	get_alert_event Investigation
Get Event Details	Retrieves a list of event details (logs) from Fortinet FortiManager based on the alert IDs and other search parameters you have specified.	get_alert_logs Investigation
Update Incident	Update an incident in Fortinet FortiManager based on the incident ID and other input parameters you have specified.	create_incident Investigation
List ADOM Policy Package	Retrieves a list of all ADOM policy packages or specific ADOM policy packages from Fortinet FortiManager based on the search parameters you have specified.	get_adom_policy_package Investigation
List ADOM IPv4 Policy	Retrieves a list of all ADOM IPv4 policies or specific ADOM IPv4 policies from Fortinet FortiManager based on the search parameters you have specified.	get_adom_policy Investigation
ADOM Level Get Blocked IP Addresses	Retrieves a list of ADOM level IP Addresses that are blocked on Fortinet FortiGate through Fortinet FortiManager based on the IPv4 policy, address group name, and other input parameters you have specified.	get_blocked_ip Investigation
ADOM Level Block IP Address	Blocks IP addresses at the ADOM level on Fortinet FortiGate based on the IPv4 policy, address group name, and other input parameters you have specified.	block_ip Containment
ADOM Level Unblock IP Address	Unlocks IP addresses at the ADOM level on Fortinet FortiGate based on the IPv4 policy, address group name, and other input parameters you have specified.	unblock_ip Remediation
Re-install Policy	Reinstalls an IPv4 Policy in Fortinet FortiManager based on the ADOM Name and policy package name you have specified.	reinstall_policy Investigation
List Global Policy Package	Retrieves a list of all policy packages or specific policy packages from Fortinet FortiManager based on the search parameters you have specified.	get_global_policy_package Investigation
List Global IPv4 Policy	Retrieves a list of all global IPv4 policies or specific IPv4 policies from Fortinet FortiManager based on the search parameters you have specified.	get_global_policy Investigation
Global Level Get Blocked IP Addresses	Retrieves a list of Global (header/footer policy) level IP Addresses that are blocked on Fortinet FortiGate through Fortinet FortiManager based on the IPv4 policy, address group name, and other input parameters you have specified.	get_blocked_ip Investigation
Global Level Block IP Address	Blocks IP addresses at the global level on Fortinet FortiGate based on the IPv4 header/footer policy, address group name, and other input parameters you have specified.	block_ip Containment
Global Level Unblock IP Address	Unblocks IP addresses at the global level on Fortinet FortiGate based on the IPv4 header/footer policy, address group name, and other input parameters you have specified.	unblock_ip Remediation
Assign Global Policy Package	Assigns a global policy package to ADOM packages in Fortinet FortiManager based on the policy package name, ADOM devices, and other input parameters you have specified.	global_assign_policy Investigation

operation: Create Incident

Input parameters

Parameter	Description
ADOM	(Optional) The administrative domain name (ADOM) of the Fortinet FortiManager server to which you will connect and perform the automated operations. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter.
Reporter	Name of the reporter of the incident that you want to create in Fortinet FortiManager. For example, admin.
Endpoint Name	Details of the endpoint affected by the incident that you want to create in Fortinet FortiAnalyzer. For example, `11.XXX.YY.Z/32 (11.XXX.YY.Z) or 11.XXX.YY.Z/32 (Emp1 Laptop).`
Endpoint ID	(Optional) Endpoint ID that you want to assign to the incident you want to create in Fortinet FortiManager.
End User ID	(Optional) End-user ID that you want to assign to the incident you want to create in Fortinet FortiManager.
Category	(Optional) The category you want to assign to the incident you want to create in Fortinet FortiManager. You can choose from the following options: Unauthorized access, Denial of Service, Malicious Code, Improper Usage, Scans/Probes/Attempted Access, or Uncategorized.
Severity	(Optional) The severity level you want to assign to the incident you want to create in Fortinet FortiManager. You can choose from the following options: High, Medium, or Low.
Status	(Optional) The status you want to assign to the incident you want to create in Fortinet FortiManager. You can choose from the following options: New, Analysis, Response, Closed: Remediated, or Closed: False Positive.
Description	(Optional) Description of the new incident that you want to create in Fortinet FortiManager.

Output

The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"incid": ""
}
}

operation: List Incident

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter	Description
ADOM	The administrative domain name (ADOM) of the Fortinet FortiManager server to which you will connect and perform the automated operations. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter.
Incident ID	The ID of incidents in CSV or list format that you want to retrieve from Fortinet FortiManager.
Detail Level	Level of detail of the incidents that you want to retrieve from Fortinet FortiManager. By default, this is set to "Standard".
Filter	Query in the format of `field_name="field_value"` using which you want to filter incidents to be retrieved from Fortinet FortiManager For example `category="CAT2" and severity="medium"`
Sort By	Sorts the incidents by the specified field and order the results. If you choose "Field", then you can specify the following parameters: In the Field field specify the name of the field on which you want to sort the result. For example, severity, category, etc. (Optional) In the Order field choose the order in which you want to sort the result. You can choose between Ascending or Descending. By default, this is set to Ascending.
Limit	The maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000".
Offset	Index of the first item to return. Values supported are: Default "0" and Minimum "0".

Output

The output contains the following populated JSON schema:

operation: Get Events Related to Incident

Input parameters

Parameter	Description
ADOM	(Optional) The administrative domain name (ADOM) of the Fortinet FortiManager server to which you will connect and perform the automated operations. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter.
Incident ID	The ID of the incident whose associated events you want to retrieve from Fortinet FortiManager.
Attachment Type	Types of attachment that you want to search for in Fortinet FortiManager. Valid types include: Alert Event, Log, Comment, Log Search Filter, Upload File, or Report.
Limit	The maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000".
Offset	Index of the first item to return. Values supported are: Default "0" and Minimum "0".

Output

operation: Get Device List

Input parameters

Parameter	Description
ADOM	(Optional) The administrative domain name (ADOM) of the Fortinet FortiManager server to which you will connect and perform the automated operations. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter.
Device Name	Valid device name based on which you want to retrieve details of devices from Fortinet FortiManager. Note: If a parameter is left blank or null, then this operation will return devices matching all values.

Output

operation: Get Events

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter	Description
ADOM	The administrative domain name (ADOM) of the Fortinet FortiManager server to which you will connect and perform the automated operations. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter.
Filter	Filter expression using which you want to retrieve events from Fortinet FortiManager. `'event_value', 'severity', 'triggername', 'count', 'comment' and 'flags'` are supported. For example, `triggername='Local Device Event' and severity>=3 or subject='desc:User login from SSH failed'`
Time Range	Select this checkbox to specify the time range for which you want to retrieve events from Fortinet FortiManager. If you select this checkbox, then you must specify the following parameters: Start Time: Starting DateTime from when you want to retrieve events from Fortinet FortiManager. Consider the timezone as Fortinet FortiAnalyzer's timezone, if the timezone info is not specified. Format: 'yyyy-MM-dd'T'HH:mm:ssZ' (RFC 3339) e.g. '2016-10-17T20:45:37-07:00 or 'yyyy-MM-dd HH:mm:ss' e.g. '2016-10-17 20:45:37' End Time: Ending DateTime till when you want to retrieve events from Fortinet FortiManager. Consider the timezone as Fortinet FortiAnalyzer's timezone, if the timezone info is not specified. Format: 'yyyy-MM-dd'T'HH:mm:ssZ' (RFC 3339) e.g. '2016-10-17T20:45:37-07:00 or 'yyyy-MM-dd HH:mm:ss' e.g. '2016-10-17 20:45:37'
Limit	The maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000".
Offset	Index of the first item to return. Values supported are: Default "0" and Minimum "0".

Output

operation: Get Event Details

Input parameters

Parameter	Description
ADOM	(Optional) The administrative domain name (ADOM) of the Fortinet FortiManager server to which you will connect and perform the automated operations. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter.
Alert ID	The ID of alerts in CSV or list format whose event details (logs) you want to retrieve from Fortinet FortiManager. Note: You can find the "Alert IDs" using the "Get Events" action.
Time Order	Select the order in which you want to sort the result. You can choose between Ascending or Descending. By default, this is set to Descending.
Limit	The maximum number of records that this operation should return. Values supported are: Default "50", Minimum "1" and Maximum "2000".
Offset	Index of the first item to return. Values supported are: Default "0" and Minimum "0".

Output

operation: Update Incident

Input parameters

Parameter	Description
ADOM	(Optional) The administrative domain name (ADOM) of the Fortinet FortiManager server to which you will connect and perform the automated operations. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter.
Incident ID	The ID of the incident that you want to update in FortiManager.
Endpoint Name	Details of the endpoint affected by the incident that you want to update in Fortinet FortiAnalyzer. For example, `11.XXX.YY.Z/32 (11.XXX.YY.Z) or 11.XXX.YY.Z/32 (Emp1 Laptop).`
Endpoint ID	(Optional) Endpoint ID that you want to assign to the incident you want to update in Fortinet FortiManager.
End User ID	(Optional) End-user ID that you want to assign to the incident you want to update in Fortinet FortiManager.
Category	(Optional) The category you want to assign to the incident you want to update in Fortinet FortiManager. You can choose from the following options: Unauthorized access, Denial of Service, Malicious Code, Improper Usage, Scans/Probes/Attempted Access, or Uncategorized.
Severity	(Optional) The severity level you want to assign to the incident you want to update in Fortinet FortiManager. You can choose from the following options: High, Medium, or Low.
Status	(Optional) The status you want to assign to the incident you want to update in Fortinet FortiManager. You can choose from the following options: New, Analysis, Response, Closed: Remediated, or Closed: False Positive.
Description	(Optional) Description of the incident that you want to update in Fortinet FortiManager.
Last Revision	(Optional) Last version of the incident that you want to update in Fortinet FortiManager.
Last User	(Optional) Last user of the incident that you want to update in Fortinet FortiManager.

Output

The output contains the following populated JSON schema:
{
"jsonrpc": "",
"id": "",
"result": {
"status": {
"code": "",
"message": ""
}
}
}

operation: List ADOM Policy Package

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter	Description
ADOM Name	Specify the ADOM name whose policy package you want to retrieve from Fortinet FortiManager. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter.
Policy Package Name	Select the policy package name whose details you want to retrieve from Fortinet FortiManager This parameter makes an API call named "`list_adom_policy_package`" to dynamically populate its dropdown selection.
Policy Package/Folder Path	Specify the policy package or folder path of the ADOM policy package whose details you want to retrieve from Fortinet FortiManager.

Output

The output contains the following populated JSON schema:

operation: List ADOM IPv4 Policy

Input parameters

Parameter	Description
ADOM Name	(Optional) Specify the ADOM name whose ADOM IPv4 policy you want to retrieve from Fortinet FortiManager. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter.
Policy Package Name	Select the policy package name whose IPv4 policy details you want to retrieve from Fortinet FortiManager. This parameter makes an API call named "`list_adom_policy_package`" to dynamically populate its dropdown selection.
Policy Package/Folder Path	(Optional) Specify the policy package or folder path of the ADOM IPv4 policy whose details you want to retrieve from Fortinet FortiManager.
IPv4 Policy Name	(Optional) Specify IPv4 policy name whose details you want to retrieve from Fortinet FortiManager.

Output

operation: ADOM Level Get Blocked IP Addresses

Input parameters

Parameter	Description
ADOM	(Optional) Specify the ADOM name whose associated list of blocked IP addresses you want to retrieve from Fortinet FortiManager. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter.
Policy Package Name	Select the policy package name whose associated blocked IP addresses you want to retrieve from Fortinet FortiManager. This parameter makes an API call named "`list_adom_policy_package`" to dynamically populate its dropdown selection.
Policy Package/Folder Path	(Optional) Specify the policy package or folder path of the ADOM IPv4 policy whose associated blocked IP addresses you want to retrieve from Fortinet FortiManager.
IPv4 Policy Name	Specify the IPv4 policy name associated with the blocked IP addresses you want to retrieve from Fortinet FortiManager.
Address Group Name	Name of the IP address group name, in the "CSV" or "list" format, that you have specified in Fortinet FortiManager for blocking or unblocking IP addresses. For more information, see the Blocking or Unblocking IP addresses in Fortinet FortiManager section.

Output

operation: ADOM Level Block IP Address

Input parameters

Parameter	Description
ADOM Name	(Optional) Specify the ADOM name whose associated IP addresses you want to block in the IPv4 policy of Fortinet FortiManager. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter.
Policy Package Name	Select the policy package name whose associated IP addresses you want to block in the IPv4 policy of Fortinet FortiManager. This parameter makes an API call named "`list_adom_policy_package`" to dynamically populate its dropdown selection.
Policy Package/Folder Path	(Optional) Specify the policy package or folder path of the ADOM IPv4 policy whose associated IP addresses you want to block in Fortinet FortiManager.
IPv4 Policy Name	Name of the IPv4 Policy that you have specified in Fortinet FortiManager for blocking or unblocking IP addresses.
Address Group Name	Name of the IP address group name that you have specified in Fortinet FortiManager for blocking or unblocking IP addresses. For more information, see the Blocking or Unblocking IP addresses in Fortinet FortiManager section.
IP Address	Specify the IP addresses that you want to block using Fortinet FortiManager in the "CSV" or "list" format. For example, `["1.1.1.1", "2.2.2.2"] or "1.1.1.1", "2.2.2.2"`.

Output

The output contains the following populated JSON schema:
{
"already_blocked": [],
"newly_blocked": [],
"error_with_block": []
}

operation: ADOM Level Unblock IP Address

Input parameters

Parameter	Description
ADOM Name	(Optional) Specify the ADOM name whose associated IP addresses you want to unblock in the IPv4 policy of Fortinet FortiManager. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter.
Policy Package Name	Select the policy package name whose associated IP addresses you want to unblock in the IPv4 policy of Fortinet FortiManager. This parameter makes an API call named "`list_adom_policy_package`" to dynamically populate its dropdown selection.
Policy Package/Folder Path	(Optional) Specify the policy package or folder path of the ADOM IPv4 policy whose associated IP addresses you want to unblock in Fortinet FortiManager.
IPv4 Policy Name	Name of the IPv4 Policy that you have specified in Fortinet FortiManager for blocking or unblocking IP addresses.
Address Group Name	Name of the IP address group name, that you have specified in Fortinet FortiManager for blocking or unblocking IP addresses. For more information, see the Blocking or Unblocking IP addresses in Fortinet FortiManager section.
IP Address	Specify the IP addresses that you want to unblock using Fortinet FortiManager in the "CSV" or "list" format. For example, `["1.1.1.1", "2.2.2.2"] or "1.1.1.1", "2.2.2.2"`.

Output

The output contains the following populated JSON schema:
{
"not_exist": [],
"newly_unblocked": [],
"error_with_unblock": []
}

operation: Re-install Policy

Input parameters

Parameter	Description
ADOM Name	(Optional) Specify the ADOM name to which you want to apply the IPv4 policy in Fortinet FortiManager. The ADOM that you specify here will overwrite the ADOM that you have specified in the 'Connector Configuration' as a configuration parameter.
Policy Package Name	Select the policy package name to which you want to apply the IPv4 policy in Fortinet FortiManager. This parameter makes an API call named "`list_adom_policy_package`" to dynamically populate its dropdown selection.
Policy Package/Folder Path	(Optional) Specify the policy package or folder path to apply the IPv4 policy in Fortinet FortiManager.

Output

The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": {
"task": ""
},
"status": {
"message": "",
"code": ""
},
"url": ""
}
]
}

operation: List Global Policy Package

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter	Description
Package Name	Specify the name of the global policy package name from which you want to retrieve package details.
Policy Package/Folder Path	Specify the policy package or folder path from which you want to retrieve package details.

Output

The output contains the following populated JSON schema:

operation: List Global IPv4 Policy

Input parameters

Parameter	Description
Policy Package Name	Specify the name of the global IPv4 policy package from which you want to retrieve package details. This parameter makes an API call named "`list_global_policy_pck`" to dynamically populate its dropdown selections.
Policy Package/Folder Path	(Optional) Specify the policy package or folder path from which you want to retrieve package details.
Policy Type	Select the policy type from which you want to retrieve IPv4 policy details.
Policy Name	(Optional) Specify the name of the global IPv4 policy whose details you want to retrieve from Fortinet FortiManager.

Output

operation: Global Level Get Blocked IP Addresses

Input parameters

Parameter	Description
Policy Package Name	Specify the name of the global IPv4 policy whose associated blocked IP addresses you want to retrieve from Fortinet FortiManager. This parameter makes an API call named "`list_global_policy_pck`" to dynamically populate its dropdown selections.
Policy Package/Folder Path	(Optional) Specify the policy package or folder path of the global IPv4 policy whose associated blocked IP addresses you want to retrieve from Fortinet FortiManager.
Policy Type	Select policy type based on which you want to retrieve blocked IP addresses from Fortinet FortiManager.
IPv4 Policy Name	Specify the IPv4 policy name associated with the blocked IP addresses you want to retrieve from Fortinet FortiManager.
Address Group Name	Name of the IP address group name, in the "CSV" or "list" format, that you have specified in Fortinet FortiManager for blocking or unblocking IP addresses. For more information, see the Blocking or Unblocking IP addresses in Fortinet FortiManager section.

Output

operation: Global Level Block IP Address

Input parameters

Parameter	Description
Policy Package Name	Select the policy package whose associated IP addresses you want to block in the global IPv4 policy of Fortinet FortiManager. This parameter makes an API call named "`list_global_policy_pck`" to dynamically populate its dropdown selections.
Policy Package/Folder Path	(Optional) Specify the policy package or folder path of the global IPv4 policy whose associated IP addresses you want to block in Fortinet FortiManager.
Policy Type	Select policy type whose IP addresses you want to block in Fortinet FortiManager.
IPv4 Policy Name	Name of the IPv4 Policy that you have specified in Fortinet FortiManager for blocking or blocking IP addresses.
Address Group Name	Name of the IP address group name, that you have specified in Fortinet FortiManager for blocking or unblocking IP addresses. For more information, see the Blocking or Unblocking IP addresses in Fortinet FortiManager section.
IP Address	IP addresses that you want to block using Fortinet FortiManager in the "CSV" or "list" format.For example, `["1.1.1.1", "2.2.2.2"] or "1.1.1.1", "2.2.2.2"`.

Output

The output contains the following populated JSON schema:
{
"already_blocked": [],
"newly_blocked": [],
"error_with_block": []
}

operation: Global Level Unblock IP Address

Input parameters

Parameter	Description
Policy Package Name	Select the policy package whose associated IP addresses you want to unblock in the global IPv4 policy of Fortinet FortiManager. This parameter makes an API call named "`list_global_policy_pck`" to dynamically populate its dropdown selections.
Policy Package/Folder Path	(Optional) Specify the policy package or folder path of the global IPv4 policy whose associated IP addresses you want to unblock in Fortinet FortiManager.
Policy Type	Select policy type whose IP addresses you want to unblock in Fortinet FortiManager.
IPv4 Policy Name	Name of the IPv4 Policy that you have specified in Fortinet FortiManager for blocking or blocking IP addresses.
Address Group Name	Name of the IP address group name, that you have specified in Fortinet FortiManager for blocking or unblocking IP addresses. For more information, see the Blocking or Unblocking IP addresses in Fortinet FortiManager section.
IP Address	IP addresses that you want to unblock using Fortinet FortiManager in the "CSV" or "list" format.For example, `["1.1.1.1", "2.2.2.2"] or "1.1.1.1", "2.2.2.2"`.

Output

The output contains the following populated JSON schema:
{
"not_exist": [],
"newly_unblocked": [],
"error_with_unblock": []
}

operation: Assign Global Policy Package

Input parameters

Parameter	Description
Policy Package Name	Select the policy package that you want to assign to ADOM devices in the global IPv4 policy of Fortinet FortiManager. This parameter makes an API call named "`list_global_policy_pck`" to dynamically populate its dropdown selections.
Policy Package/Folder Path	Specify the policy package or folder path of the global policy package that you want to assign to ADOM devices in Fortinet FortiManager.
ADOM Devices	Specify one or more destination ADOMs to which you want to assign the selected global policy package. This parameter makes an API call named "`list_global_adom`" to dynamically populate its dropdown selections.

Output

The output contains the following populated JSON schema:
{
"id": "",
"result": [
{
"data": {
"task": ""
},
"status": {
"message": "",
"code": ""
},
"url": ""
}
]
}

Included playbooks

ADOM Level Block IP Address
ADOM Level Get Blocked IP Addresses
ADOM Level Unblock IP Address
Assign Global Policy Package
Create Incident
> FortiManager > Fetch
>> FortiManager > Handle Macro
FortiManager > Ingest
Get Device List
Get Event Details
Get Events
Get Events Related to Incident
Global Level Block IP Address
Global Level Get Blocked IP Addresses
Global Level Unblock IP Address
List ADOM IPv4 Policy
List ADOM Policy Package
List Global IPv4 Policy
List Global Policy Package
List Incident
Re-install Policy
Update Incident

Data Ingestion Support

Configure Data Ingestion

You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming Fortinet FortiManager "Incidents" to FortiSOAR™ "Alerts".

To begin configuring data ingestion, click Configure Data Ingestion on the Fortinet FortiManager connector’s "Configurations" page.
Click Let’s Start by fetching some data, to open the “Fetch Sample Data” screen.

Sample data is required to create a field mapping between Fortinet FortiManager data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
On the Fetch Data screen, provide the configurations required to fetch Fortinet FortiManager data.
Users can choose to pull data from Fortinet FortiManager by specifying the last X minutes in which the incidents have been created or updated in Fortinet FortiManager. You can also specify a query to filter data retrieved from Fortinet FortiManager and can also specify additional parameters such as the category, severity, and status of the incidents to be fetched from Fortinet FortiManager. The fetched data is used to create a mapping between the Fortinet FortiManager data and FortiSOAR™ alerts.

Once you have completed specifying the configurations, click Fetch Data.
On the Field Mapping screen, map the fields of a Fortinet FortiManager incident to the fields of an alert present in FortiSOAR™.
To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the status parameter of a Fortinet FortiManager incident to the state parameter of a FortiSOAR™ alert, click the State field and then click the status field to populate its keys:

For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed mapping the fields, click Save Mapping & Continue.
Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to Fortinet FortiManager, so that the content gets pulled from the Fortinet FortiManager integration into FortiSOAR™.
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull data from Fortinet FortiManager every 5 minutes, click Every X Minute, and in the minute box enter */5. This would mean that based on the configuration you have set up, data, i.e., incidents will be pulled from Fortinet FortiManager every 5 minutes.

Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.