- Overview
- Deploy Custom Connector + Function App + 3 Playbook templates
- Authentication
- Prerequisites
- Deployment
- Post Deployment Steps
- Limitations
FortiGate, a next-generation firewall from IT Cyber Security leaders Fortinet, provides the ultimate threat protection for businesses of all sizes. This integration is built over the FortiOS REST API which allows you to perform configuration and monitoring operations on a FortiGate appliance or VM.
This package includes:
- Custom connector
- Function App
- Three playbook templates leverage fortinet custom connector and Function App:
The Azure Function handles the Get calls on FortiOS API in the playbook templates. These calls are not part of the custom connector due to platform limitations.
You can choose to deploy the whole package: connector + Function App + all three playbook templates, or each one seperately from it's specific folder.
Authentication methods this connector supports- API Key authentication
- Function app must deploy before deploying consloidated template
- Fortinet end point should be known. Fortinet Console
- Generate an API key (learn how).
- Create the key vaults and capture secret identifier
- Create the managed identity and capture name Create user assigned manage identity
- Deploy the Custom Connector and playbooks by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
- Fill in the required parameters for deploying custom connector and playbooks
| Parameter | Description |
|---|---|
| Endpoint URL | Enter the Fortinet end point (e.g. https://{FortnetTrafficManager}) |
| Secret identifier | Enter the Secret identifier which is captured in key vaults secret |
| Fortinet-ResponseOnIP Playbook Name | Enter the playbook name here for ResponseOnIP playbook (e.g. Fortinet-ResponseOnIP) |
| Fortinet-ResponseOnUrl Playbook Name | Enter the playbook name here for ResponseOnURL (e.g. Fortinet-ResponseOnUrl) |
| Fortinet-Enrichment Playbook Name | Enter the playbook name here for Enrichment (e.g. Fortinet-Enrichment) |
| Teams GroupId | Enter the Teams channel id to send the adaptive card |
| Teams ChannelId | Enter the Teams Group id to send the adaptive card Refer the below link to get the channel id and group id |
| Function app name | Enter the Function app name which you created as prerequisites |
| User identifier name | Enter the User identifier name which you created for the Managed Identity Create user assigned manage identity |
Once deployment is complete, you will need to authorize each connection.
- Click the Azure Sentinel connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat steps for other connections such as Teams connection and Fortinet connector API Connection (For authorizing the fortinet connector API connection, API Key needs to be provided.) and API virustotal connection (URL:https://www.virustotal.com/gui/)
- Open each playbook go to logic app designer-->click on each function call action in the logic app and go to "Managed identity" dropdown and select user identity and save playbook.
- Go to sentinel hook playbook to azure sentinel rules.
- In Azure sentinel analytical rules should be configured to trigger an incident with risky user account.
- Configure the automation rules to trigger the playbooks.
- When pre-defined group reaches the max limit user must create the new pre-defined group and change in the playbook