Introduction
This document explains how to integrate Logsign with FortiGate Firewall Responses.
Once the procedures in this document are applied, you can perform block/unblock operations on the firewall from action rules or from incident management.
Qualification
The FortiGate firewall product has API support; the integration is carried out over this API.
As explained in the diagram above, when an alarm with action rules defined for critical security vulnerabilities is triggered, Logsign detects it and connects to FortiGate via the API. The IP address to be blocked is added as a member of the address group defined in the FortiGate product.
Note: Remember that, for the block to take effect, you must create a Firewall Policy rule with action Drop or Deny that references the address group.
Requirements
- FortiGate local user (LocalUser)
- FortiGate Addresses - Address Group
- Logsign 6.3.17+
- FortiGate v5+
- Firewall permission:
  - Logsign IPs -> FortiGate IP -> 443 (API port) must be allowed.
Integration
FortiGate Configuration
For Logsign to log in to the FortiGate firewall over the API and add members to the address group that will be defined, create a local user with limited privileges and assign it a restricted admin profile.
1- Create the admin profile (Admin Group Profiles) to assign to the user that will be created
Grant Read/Write authorization only on Address, so that the user can access the address group and add members to it.
2-> Create the user: System -> Administrators -> Create New
Under "Restrict login to trusted hosts", define the Logsign SIEM IP addresses; the user created with this definition will then only be able to log in from those IP addresses.
3-> Create the Address Group.
The IP addresses that we want Logsign to block will be added as members of this address group. If you want to separate blocking operations by rule across multiple scenarios, you can create more than one address group in this section.
Example: You can create a separate address group and firewall policy for DoS attack alarms, or a destination-block address group to prevent access to a malicious domain.
4-> Make the required definitions by selecting "New Policy" in the Firewall Policy section.
Note: The following policy is given as an example.
This is how blocking of traffic from outside to inside is handled, with Incoming: WAN, Outgoing: LAN.
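The API flow described above (the address group from step 3, the deny policy from step 4, and the note that the group blocks nothing without a Drop/Deny policy), as an added Python example that is not part of this document or of Logsign's product: it builds the FortiOS REST API calls that add one host to the address group, and refuses to add anything while no enabled deny policy references that group. The hostname, API token, group name and "LS_" object prefix are placeholders; the /api/v2/cmdb/firewall/... paths and the Bearer-token header are the FortiOS REST API as I know it for FortiOS 6 and later, not something this page states.

```python
import ipaddress
import json
import urllib.error
import urllib.request
# Placeholder values constructed for this example (not from the original document).
FORTIGATE = "https://fortigate.example.invalid"  # management address, TCP 443
API_TOKEN = "<REST-API-TOKEN>"  # REST API token of the restricted local user
ADDR_GROUP = "Logsign_Blocklist"  # address group referenced by the deny policy

def address_payload(ip):
    host = ipaddress.IPv4Address(ip)  # raises ValueError for anything but an IPv4 literal
    return {"name": f"LS_{host}", "type": "ipmask",
            "subnet": f"{host} 255.255.255.255", "comment": "added by Logsign response"}

def merged_members(current, name):
    """PUT replaces the whole member list, so keep existing members and add `name` only once."""
    members = [{"name": m["name"]} for m in current]
    if not any(m["name"] == name for m in members):
        members.append({"name": name})
    return members

def group_is_enforced(policies, group):
    """True if an enabled policy with action deny uses `group` as source or destination."""
    for pol in policies:
        if (pol.get("status", "enable") == "enable" and pol.get("action") == "deny"
                and any(a["name"] == group for a in pol.get("srcaddr", []) + pol.get("dstaddr", []))):
            return True
    return False

def api(method, path, body=None):
    req = urllib.request.Request(
        f"{FORTIGATE}/api/v2/cmdb/{path}", method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": f"Bearer {API_TOKEN}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["results"]  # FortiOS wraps the object(s) in "results"

def block_ip(ip):
    """Add `ip` to the group, refusing to run if no deny policy actually enforces that group."""
    if not group_is_enforced(api("GET", "firewall/policy"), ADDR_GROUP):
        raise RuntimeError(f"no enabled deny policy references {ADDR_GROUP}; the block would be silent")
    addr = address_payload(ip)
    try:
        api("GET", f"firewall/address/{addr['name']}")
    except urllib.error.HTTPError as err:  # 404 means the object does not exist yet, so create it
        if err.code != 404:
            raise
        api("POST", "firewall/address", addr)
    current = api("GET", f"firewall/addrgrp/{ADDR_GROUP}")[0]["member"]
    api("PUT", f"firewall/addrgrp/{ADDR_GROUP}", {"member": merged_members(current, addr["name"])})
```

Call `block_ip("203.0.113.7")` from the response script; the pre-check turns a silently ineffective block into a visible error in the Logsign action log.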
Logsign Responses Configuration
1- Log in to Logsign with a user that has admin authority;
Settings -> Responses -> Configure;
Finally, click the Create button to complete the process.