Incident Management - FortiGate Action

Introduction

This document explains how to block an address on a FortiGate firewall manually from Logsign.

By following the steps in this document, you will be able to use Logsign to block, on the FortiGate firewall, an address that you want to take action on from the Incidents module.

 

Qualification

FortiGate is Fortinet's next-generation firewall (NGFW) product. Its REST API allows Logsign to perform block and unblock operations on the firewall as a response source.

When a block or unblock is requested, either automatically by an alarm triggered from correlation or manually from the Incidents module, Logsign calls the FortiGate API and the block is applied on the firewall.

For more information, you can refer to the following guide.

Using APIs | FortiGate

When an alarm is triggered, a new case is created or your existing case is updated, and you can block the address manually from within that open case.

For more information, you can refer to the following article.

Incident Management and Response

 

Requirements

- FortiGate Responses Integration

- License - Incident Module

- An open case

 

FortiGate Action

1-All events occurring in the system can be accessed from the "Events" tab on the Logsign web interface. Under the Events tab you can track the number of events, their priority, risk score, status, owner, and category, perform analysis, and use the Action module.

1.png

 

2-Clicking on an event will open the event card screen.

2.png

Clicking the "More" button shows all the detailed information about the event.

The event detail screen shows the Action Object, the risk score, the structure, and the asset information. It also shows how many times the event has been triggered and the responses taken previously.

3-The NIST incident response stages for the event can be tracked at the top right, and a response can be launched with a single click using the "Action" button at the bottom right.

3.png

 

4-After selecting the response source that will perform the block (here, the FortiGate integration), fill in the required information as shown below and click Submit to complete the action.

4.png

5.png

The Expire Time field sets how long the block stays in place before it is lifted; the maximum value is 48 hours. Check that the address is correct before submitting, since the block is applied on the firewall as soon as the action is sent.

You can also unblock the address manually, or check the status of the unblock, from the same screen as shown below.

6.png

7.png
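The article does not show what the FortiGate integration sends, so the following is an added example (my own code, not Logsign's integration or Fortinet's) of the FortiOS REST API calls behind a block and an unblock, plus the 48-hour cap on Expire Time. It assumes the common design: a firewall address group (here named logsign_blocklist, an assumption) is the source of a top-priority deny policy, so blocking means creating a /32 address object and appending it to that group, and unblocking reverses that. The endpoint paths are the FortiOS CMDB API paths for firewall/address and firewall/addrgrp as I know them; verify them against the API reference for your FortiOS version. The management URL and token are placeholders.

```python
"""Model of the FortiOS REST API calls behind a block/unblock action.

Added example for this article; not Logsign's integration code.  Assumptions:
the deny policy references an address group named BLOCK_GROUP, objects are
named logsign_block_<ip>, and the CMDB API paths match your FortiOS version.
"""
import ipaddress
import json
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import List, Optional

BLOCK_GROUP = "logsign_blocklist"   # assumed: group used by the deny policy
MAX_EXPIRE_HOURS = 48               # cap on the Expire Time field, per the article


def valid_expire_hours(hours: int) -> bool:
    """The UI allows at most 48 hours; anything outside 1..48 is rejected."""
    return 1 <= hours <= MAX_EXPIRE_HOURS


def expiry_for(hours: int, now: Optional[datetime] = None) -> datetime:
    """UTC time at which the block lapses and the unblock should be sent."""
    if not valid_expire_hours(hours):
        raise ValueError(f"expire time must be 1..{MAX_EXPIRE_HOURS} hours, got {hours}")
    return (now or datetime.now(timezone.utc)) + timedelta(hours=hours)


def address_object_name(ip: str) -> str:
    """Validate the address and derive a deterministic object name, so the
    unblock can find exactly what the block created.  IPv4 only: IPv6 lives
    in the separate firewall/address6 and firewall/addrgrp6 tables."""
    addr = ipaddress.ip_address(ip)          # refuse junk before it reaches the firewall
    if addr.version != 4:
        raise ValueError("IPv6 addresses need the address6/addrgrp6 tables")
    return "logsign_block_" + str(addr).replace(".", "_")


def block_requests(base_url: str, ip: str, vdom: str = "root") -> List[dict]:
    """Two calls: create a /32 address object, then append it to the block group."""
    name = address_object_name(ip)
    q = f"?vdom={vdom}"
    return [
        {"method": "POST",
         "url": f"{base_url}/api/v2/cmdb/firewall/address{q}",
         "json": {"name": name, "type": "ipmask",
                  "subnet": f"{ip} 255.255.255.255",
                  "comment": "blocked by Logsign incident action"}},
        {"method": "POST",
         "url": f"{base_url}/api/v2/cmdb/firewall/addrgrp/{BLOCK_GROUP}/member{q}",
         "json": {"name": name}},
    ]


def unblock_requests(base_url: str, ip: str, vdom: str = "root") -> List[dict]:
    """Reverse order: remove the group member first, then delete the object,
    because FortiOS refuses to delete an address that is still referenced."""
    name = address_object_name(ip)
    q = f"?vdom={vdom}"
    return [
        {"method": "DELETE",
         "url": f"{base_url}/api/v2/cmdb/firewall/addrgrp/{BLOCK_GROUP}/member/{name}{q}"},
        {"method": "DELETE",
         "url": f"{base_url}/api/v2/cmdb/firewall/address/{name}{q}"},
    ]


def send(req: dict, api_token: str) -> dict:
    """Send one planned request with a REST API admin token (network call)."""
    body = json.dumps(req["json"]).encode() if "json" in req else None
    r = urllib.request.Request(req["url"], data=body, method=req["method"],
                               headers={"Authorization": f"Bearer {api_token}",
                                        "Content-Type": "application/json"})
    with urllib.request.urlopen(r, timeout=10) as resp:   # TLS is verified; do not disable it
        return json.load(resp)


if __name__ == "__main__":
    fw = "https://fortigate.example.net"      # placeholder management address
    for r in block_requests(fw, "203.0.113.10"):
        print(r["method"], r["url"], r.get("json", ""))
    print("lapses at", expiry_for(48, datetime(2024, 1, 1, tzinfo=timezone.utc)).isoformat())
```

Keep the REST API admin account limited to the firewall/address and firewall/addrgrp paths (a custom admin profile with only those objects writable), and let the expiry be enforced by whoever scheduled the block: if the scheduler is not running when the time lapses, the address stays blocked on the firewall.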

 
