FortiGate Firewall Responses Integration


Introduction

This document explains how to integrate Logsign Responses with a FortiGate firewall.

Once the procedures in this document are applied, you can perform block/unblock operations on the firewall from action rules or from incident management.


Qualification

The FortiGate firewall has API support; the integration is performed over this API.


1.png

As shown in the diagram above, when an alarm that has action rules defined for critical security events is triggered, Logsign detects it and connects to FortiGate over the API. The IP address to be blocked is added as a member of the address group defined on the FortiGate.

Note: Adding an IP to the address group does not block anything by itself. You must also create a Firewall Policy rule with action Drop/Deny that references this address group.


2.png


Requirements

 - FortiGate local user
 - FortiGate Addresses - Address Group
 - Logsign 6.3.17+
 - FortiGate v5+
 - Firewall permission:

        -  Logsign IPs -> FortiGate IP -> 443 (API port) must be allowed.


Integration

FortiGate Configuration

For Logsign to log in to the FortiGate firewall through the API and add members to the address group that will be defined, a local user with limited privileges must be created and assigned a restricted admin profile.


1- Create the Admin Profile that will be assigned to the user created in the next step.

3.png

4.png


Grant Read/Write permission only on Address; this is all the user needs to read the address group and add members to it. Leave every other permission at None.

5.png

2- Create the user: System -> Administrators -> Create New

6.png

7.png

8.png


Enter the Logsign SIEM IP addresses under "Restrict login to trusted hosts". With this setting the user can only log in from those IP addresses, so the account cannot be used from anywhere else even if its password is exposed.

9.png


3- Create the Address Group.

10.png


Logsign adds the IP addresses to be blocked as members of this address group. If you want to keep blocking operations for different rules and scenarios separate, you can create more than one address group here.

Example: You can create a separate address group and firewall policy for DoS attack alarms, or a destination-block address group to prevent access to a malicious domain.


11.png


4- Create the required policy by selecting "New Policy" in the Firewall Policy section.

Note: The following policy is given only as an example.

Screenshot 2024-02-20 at 10.01.57.png

This policy blocks traffic from outside to inside, with Incoming Interface: WAN and Outgoing Interface: LAN, and the address group as the source address.
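To make the FortiGate side of this procedure concrete, the following is an added example of the block/unblock operation as a SIEM response would perform it; it is not Logsign's or Fortinet's code. It assumes the FortiOS REST API (session login at POST /logincheck with username/secretkey form fields, the CSRF token returned in the ccsrftoken cookie and echoed back in the X-CSRFTOKEN header, and the CMDB endpoints under /api/v2/cmdb/firewall/). The address naming scheme, the group name and the protected-host list are constructed for this example. It also encodes two checks a practitioner wants: it refuses to block private ranges or its own infrastructure (a self-inflicted outage is the usual failure mode of automated blocking), and it verifies that an enabled Deny policy actually references the group, as the note above requires.

```python
"""Block or unblock an IP on FortiGate by editing address-group membership.
Added example; API paths and naming scheme are assumptions, not Logsign's code."""
import http.cookiejar
import ipaddress
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

ADDR_PREFIX = "logsign_block_"   # constructed naming convention for per-IP objects


def address_name(ip: str) -> str:
    """Deterministic object name so block and unblock agree on what to touch."""
    return ADDR_PREFIX + ip.replace(".", "_")


def address_payload(ip: str) -> dict:
    """Body for POST /api/v2/cmdb/firewall/address: a single-host (/32) object."""
    ipaddress.IPv4Address(ip)          # rejects anything that is not an IPv4 address
    return {"name": address_name(ip), "type": "ipmask",
            "subnet": f"{ip} 255.255.255.255", "comment": "added by SIEM response"}


def is_safe_to_block(ip: str, protected: set) -> bool:
    """Refuse self-inflicted outages: non-global ranges and infrastructure IPs."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    if addr.version != 4 or not addr.is_global:
        return False
    return ip not in protected


def merged_members(current: list, name: str, add: bool) -> list:
    """PUT replaces the whole member list, so merge with what is already there."""
    names = [m["name"] for m in current]
    if add and name not in names:
        names.append(name)
    if not add:
        names = [n for n in names if n != name]
    return [{"name": n} for n in names]


def policy_enforces_group(policies: list, group: str) -> bool:
    """True only if an enabled Deny policy references the group as src or dst."""
    for p in policies:
        refs = [m["name"] for m in p.get("srcaddr", []) + p.get("dstaddr", [])]
        if group in refs and p.get("action") == "deny" and p.get("status", "enable") == "enable":
            return True
    return False


class FortiGateSession:
    """Minimal session-cookie client. verify_tls=False is for lab units with self-signed certs only."""

    def __init__(self, base_url, username, password, verify_tls=True):
        self.base = base_url.rstrip("/")
        ctx = ssl.create_default_context() if verify_tls else ssl._create_unverified_context()
        self.jar = http.cookiejar.CookieJar()
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPSHandler(context=ctx),
            urllib.request.HTTPCookieProcessor(self.jar))
        form = urllib.parse.urlencode({"username": username, "secretkey": password, "ajax": 1}).encode()
        self.opener.open(self.base + "/logincheck", data=form)
        # FortiOS returns the CSRF token as a quoted cookie value; strip the quotes before reuse
        self.csrf = next(c.value.strip('"') for c in self.jar if c.name == "ccsrftoken")

    def request(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method,
                                     headers={"Content-Type": "application/json",
                                              "X-CSRFTOKEN": self.csrf})
        with self.opener.open(req) as resp:
            return json.loads(resp.read() or b"{}")


def set_block(sess, group: str, ip: str, block: bool, protected: set) -> list:
    """Block (block=True) or unblock an IP via group membership; returns the new member list."""
    if block and not is_safe_to_block(ip, protected):
        raise ValueError(f"refusing to block {ip}")
    policies = sess.request("GET", "/api/v2/cmdb/firewall/policy")["results"]
    if not policy_enforces_group(policies, group):
        raise RuntimeError(f"no enabled deny policy references group {group}; blocking would be a no-op")
    name = address_name(ip)
    if block:
        try:
            sess.request("GET", f"/api/v2/cmdb/firewall/address/{name}")   # already exists?
        except urllib.error.HTTPError as e:
            if e.code != 404:
                raise
            sess.request("POST", "/api/v2/cmdb/firewall/address", address_payload(ip))
    current = sess.request("GET", f"/api/v2/cmdb/firewall/addrgrp/{group}")["results"][0]["member"]
    members = merged_members(current, name, add=block)
    sess.request("PUT", f"/api/v2/cmdb/firewall/addrgrp/{group}", {"member": members})
    return members
```

Usage is `set_block(FortiGateSession("https://fw.example.test", "logsign_api", "<password>"), "Logsign_Block", "198.51.100.23", True, {"<logsign ip>", "<fortigate ip>"})`, with unblock being the same call with `block=False`. Two design points matter in production: the member-list update is a read-modify-write, so two responses firing at once can overwrite each other unless the calls are serialized on the SIEM side; and the address objects are never deleted on unblock, only removed from the group, which keeps the policy intact and leaves an audit trail of what was once blocked.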

Logsign Responses Configuration

1- Log in to Logsign with a user that has admin privileges, then go to:

Settings -> Responses -> Configure

12.png

13.png

14.png


Finally, click the create button to complete the process.
