Eyeglass Solutions Publication

Fortinet Fortigate Ransomware NGFW Host Isolation Integration

Overview

Customers using FortiGate can use this integration to issue an IP ban through the FortiGate Incoming Webhook Quarantine feature. This ensures a compromised host cannot continue to attack other infrastructure after Data Security Edition has locked it out at the data layer.


Support Statement

  1. NOTE: This documentation is provided "as is" without support for 3rd party software. The level of support for this integration guide is best effort, without any SLA on response time. Superna cannot provide support for 3rd party products directly; 3rd party components require their own support contracts.

Limitations

  1. The integration does not look up a FortiGate endpoint ID or end user ID from the client IP address. If a ban is to be applied to an endpoint or end user entity, that entity must already exist or be created separately.

Solution Overview

The Superna Data Security Edition Zero Trust API is the cornerstone technology used to integrate with SIEM and SOAR platforms. This integration cascades storage threat responses to Fortinet FortiGate to isolate hosts and protect the infrastructure. Cascading storage protection into network firewall protection lowers the time needed to contain a ransomware threat, which translates to better cyber resilience.


What is FortiGate?

FortiGate is a Next-Generation Firewall (NGFW) developed by Fortinet. It acts as a comprehensive security and networking gateway that protects organizational networks from cyberthreats while routing and optimizing internet traffic.

Integration Architecture



Solution Configuration in FortiGate and Defender Zero Trust

Prerequisites

  1. Installed Data Security Edition subscription product
  2. Eyeglass OS appliance version 15.5
    1. cat /etc/os-release
  3. License key for the Zero Trust API
  4. FortiGate on premise


Features

  1. Sends native Incident api calls and severity mapped from Superna to FortiGate
  2. Supports Webhook API key integration with Webhook Automations


Configuration in FortiGate

  1. Login to the console
    1. This guide will be followed to create an API key and enable the webhook Quarantine IP ban policy.
    2. Create an API key and admin profile
    3. Save the API key for the integration installation.
  2. Enable the Webhook
    1. Edit the automation stitch and switch the action to IP Ban
    2. Enter the API key into the webhook configuration by editing the Incoming Webhook Call
    3. Save the configuration
    4. Done
  3. Add the Quarantine widget to the dashboard


Configuration Steps on Eyeglass Virtual Machine

High Level steps

  1. Download the feature pak from the Superna Support site
  2. Copy the run file to the VM with WinSCP or another tool that supports scp
  3. Log in over ssh and run chmod 777 <feature pak filename>.run
  4. Execute the run file: ./<filename>.run
  5. In the text user interface, enter:
    1. FortiGate IP address or hostname
    2. API key created in the steps above
    3. Severity of event that triggers an IP ban; the default is Critical

Configuration Step by Step

  1. Log in to the Eyeglass VM as the admin user
  2. Follow the steps below
  3. From the support site, download the integration run file
  4. Copy the integration file to the Eyeglass VM with scp or WinSCP
  5. Log in as admin over ssh
  6. sudo -s (enter the admin password)
  7. chmod 777 /path/to/<integrationname>.run
  8. ./<integrationname>.run
  9. Input the configuration values into the TUI (Text User Interface)
  10. Press V to validate the inputs
  11. Press I to install
  12. The installation process should complete; review any errors for support. The last question asks whether to start the service; answer yes
  13. Complete

Configure Defender Zero Trust Webhooks

  1. The next step creates a Zero Trust Webhook URL.
    1. Configure the Zero Trust endpoint in the Ransomware Defender Zero Trust tab.
      1. Recommended configuration: send only Critical and Major events, and only from the webhooks that set lockout or delayed lockout. Customers can customize this based on specific requirements. The goal is to send findings rather than a list of alarms that do not pinpoint a security incident.
  2. Test that the configuration is working by following the next section.
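The severity threshold set in the TUI (Critical by default) and the recommended Zero Trust webhook filter above (Critical and Major events, lockout webhooks only) together decide which storage events are allowed to become a network quarantine. The following Python models that decision as a small gate in front of the FortiGate call. It is an added example, not code from the Superna feature pak or from FortiGate: the event field names (severity, action, client_ip), the severity ordering, the never-ban subnet, and the FortiGate webhook URL path and bearer-token header are all assumptions to be checked against your own deployment and the automation stitch you created.

```python
"""Severity gate for Superna Zero Trust events before a FortiGate IP ban.

Added example, not part of the Superna feature pak or FortiGate's own code.
The payload field names ("severity", "action", "client_ip"), the severity
ordering and the FortiGate webhook URL/header format are ASSUMPTIONS used
for illustration; the real Zero Trust webhook payload may differ.
"""
import ipaddress
import json
import urllib.request

# Superna severities ordered from least to most severe (assumed ordering).
SEVERITY_RANK = {"informational": 0, "warning": 1, "major": 2, "critical": 3}

# Zero Trust actions that indicate a data-layer lockout worth cascading to the NGFW
# (assumed action names).
LOCKOUT_ACTIONS = {"lockout", "delayed_lockout"}

# Addresses that must never be banned, e.g. the NAS, the Eyeglass VM and the
# firewall's own interfaces. Constructed sample subnet; replace with your own.
NEVER_BAN = [ipaddress.ip_network("10.0.0.0/29")]


def should_ban(event: dict, min_severity: str = "critical") -> tuple[bool, str]:
    """Decide whether an event should trigger an IP ban.

    Returns (decision, reason) so the reason can be logged for audit.
    """
    sev = str(event.get("severity", "")).lower()
    if sev not in SEVERITY_RANK:
        return False, f"unknown severity {sev!r}"
    if SEVERITY_RANK[sev] < SEVERITY_RANK[min_severity.lower()]:
        return False, f"severity {sev} below threshold {min_severity}"
    if event.get("action") not in LOCKOUT_ACTIONS:
        return False, "event did not set a lockout"
    try:
        ip = ipaddress.ip_address(event.get("client_ip", ""))
    except ValueError:
        return False, "client_ip missing or not a valid address"
    if ip.is_loopback or ip.is_unspecified or ip.is_multicast:
        return False, f"{ip} is not a routable host address"
    if any(ip in net for net in NEVER_BAN):
        return False, f"{ip} is on the never-ban list"
    return True, f"ban {ip}"


def build_ban_request(fortigate_host: str, stitch_name: str, api_key: str, ip: str) -> dict:
    """Build the outbound webhook call as a plain dict (no network I/O here).

    The URL path, bearer-token header and body field are assumptions about the
    FortiGate incoming webhook; confirm them against the stitch you configured.
    """
    return {
        "method": "POST",
        "url": f"https://{fortigate_host}/api/v2/monitor/system/automation-stitch/webhook/{stitch_name}",
        "headers": {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
        "body": {"srcip": ip},
    }


def send(req: dict, timeout: float = 5.0) -> int:
    """Send a request built by build_ban_request and return the HTTP status code."""
    data = json.dumps(req["body"]).encode()
    r = urllib.request.Request(req["url"], data=data, headers=req["headers"], method=req["method"])
    with urllib.request.urlopen(r, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample events, one per branch of the gate.
    events = [
        {"severity": "critical", "action": "lockout", "client_ip": "192.168.50.23"},
        {"severity": "major", "action": "lockout", "client_ip": "192.168.50.24"},
        {"severity": "critical", "action": "lockout", "client_ip": "10.0.0.2"},
        {"severity": "critical", "action": "notify_only", "client_ip": "192.168.50.25"},
    ]
    for ev in events:
        ban, why = should_ban(ev)
        print(ban, why)
        if ban:
            req = build_ban_request("fortigate.example.internal", "ip-ban-stitch", "<API KEY>", ev["client_ip"])
            print(json.dumps(req, indent=2))  # dry run: print the call instead of send()
```

Run as-is it is a dry run: it prints each decision and the request it would send. Only the first sample event passes, because the second is below the default Critical threshold, the third lands on the never-ban subnet and the fourth did not set a lockout. The never-ban list is the caveat worth keeping in any real deployment: a Critical finding whose client IP is the NAS, the Eyeglass VM or a gateway should not cascade into a quarantine that takes out infrastructure. Swap the print for send() only after the stitch name and payload format have been confirmed in the FortiGate console.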

How to test the Integration with FortiGate

  1. To test the integration, follow these steps:
    1. On 2.14 or later, use the test webhook button; you may need to edit the default payload to send a Critical event type.
    2. Configure the IP address of a test host to ban. Note that this will actually ban the IP address on the FortiGate, so use a test address rather than a production host.
    3. Click the test button and verify that the address appears in the FortiGate console Quarantine widget.


FortiGate SecOps Administrators Integration Experience


© Superna Inc