Integrate a Fortinet FortiGate On-Premises Device

Configure a Fortinet FortiGate on-premises device to pull IOCs from Threat Command.

FortiGate v6.2 or later is supported when using the Threat Command virtual appliance 4.0 or later.

The following table shows device-specific integration characteristics:

Characteristic         Description
Method of pull         All new IOCs that were discovered since the previous update are pulled.
IOC types              Domains, file hashes (MD5, SHA-1, and SHA-256), and IP addresses.
IOC group limitation   Each IOC group can contain only one type of IOC. For multiple types, create multiple IOC groups.
Device IOC limit       The device is limited to 100,000 IOCs.

Imported IOCs are accepted/monitored. You can create a policy to block those IOCs.

To integrate the device, perform these steps (described in the following sections):

  1. Add the device to the Threat Command virtual appliance.
  2. Configure the device to pull IOCs from Threat Command.

Add a Fortinet FortiGate on-premises device

Add a device to Threat Command.

Prerequisites:

  • You have the credentials to access the Threat Command virtual appliance web interface.
  • You have the credentials to access the device.
  • You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.

To add the device to Threat Command:

  1. Log in to Threat Command at https://dashboard.ti.insight.rapid7.com.
  2. From the main menu, select Automation > Integrations.
  3. From the Integrations page, click On-Premises.
  4. Click Add new device.
  5. In the Add New On-Premises Device dialog, type a user-defined name for the device.
    The name can contain a maximum of 50 letters, spaces, numbers, and underscores.
  6. Select the Device type.
    The default device IOCs limit is displayed.
  7. (Optional) You can change the IOCs limit.
  8. Click Add.
  9. To verify that the new device is added, refresh the Automation > Integrations page.

Next to the device name, there is a red dot, indicating that communication has not yet been established. The dot will change to green when the device is synchronized. If the device cannot synchronize for more than 48 hours, an email warning is sent to the account administrator.

Configure a Fortinet FortiGate device to pull IOCs

After a device has been added, you must enable it to pull IOCs from Threat Command.

In FortiGate, you must create a separate fabric connector for each IOC group.

By default, IOCs are accepted/monitored. To block IOCs, you will need to edit the policy.

Prerequisites:

  • You have the device login credentials.
  • The device has been added.
  • You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.
  • An IOC group for this device exists in Threat Command.
    Creating IOC groups is described in Create an IOC group.

To configure a FortiGate on-premises device:

  1. From Threat Command, copy the Fortinet FortiGate IOC group URL (you will paste it into the FortiGate fabric connector in a later step):
    1. From the Threat Command main menu, select Automation > Integrations.
    2. From the On-Premises device list, select the Fortinet FortiGate device.
    3. Click the link icon to the far right of the device IOC group.
      The IOC Group URL dialog is displayed.
    4. From the IOC Group URL dialog, copy the URL.
  2. Log in to the Fortinet FortiGate.
  3. Navigate to Security Fabric > Fabric Connectors.
  4. Click Create New.
    The New Fabric Connector page is displayed.
  5. In the Threat Feeds section, select the feed option that matches the IOC type of the Threat Command IOC group (IP Address, Domain Name, or Malware Hash).
    The New Fabric Connector dialog is displayed.
  6. In the New Fabric Connector dialog, fill in the fields as follows:

Field                       Description
Name                        Type a user-defined name. This name is used to identify IOCs imported from this group.
URI of external resource    Paste in the URL from the Threat Command IOC Group URL dialog.
HTTP basic authentication   In the Username field, paste the Threat Command account ID. In the Password field, paste the Threat Command appliance key. You can retrieve this information as described in API key, account ID, and appliance key.
Refresh Rate                (Optional) You can change the refresh rate (default: 5 minutes).
Comments                    Optional.

  7. Click OK.
    The new threat feed is displayed in the Threat Feeds page. Initially, the arrow is red and pointing downwards. When the feed is synchronized, the arrow is green and pointing up.
    This process is the same for all forms of threat feeds.
  8. Repeat this process for every IOC group to be imported.

See imported IOCs

You can see the IOCs that are imported into FortiGate. The following procedure works the same for all forms of threat feeds.

To see imported IOCs in FortiGate:

  1. From FortiGate, navigate to Security Fabric > Fabric Connectors.
  2. Click a threat feed.
    Its details are displayed.
  3. Click View Entries.
    The imported IOCs are displayed.

Block imported IOCs

By default, imported IOCs are accepted/monitored. You can create a policy to block both incoming and outgoing communication with the IP address IOCs.

To create a policy to block IOCs:

  1. From FortiGate, navigate to Policy & Objects > IPv4 Policy.
  2. Click Create New.
    The Edit Policy dialog is displayed.
  3. To select the threat feed to block, click Destination (step A).
  4. Select the IP address threat feed defined previously (step B).
  5. Select Deny (step C).
  6. Click OK (step D).
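The same configuration entered from the FortiGate CLI instead of the GUI, covering both the fabric connector for an IP-address IOC group (the New Fabric Connector steps above) and the deny policies that block traffic to and from the imported IP IOCs (the procedure just described). This is an added example, not configuration from the original page or from Rapid7; the connector and policy names, and the bracketed URL, account ID, and appliance key values, are placeholders you replace with the values copied from Threat Command.

```fortios
# One external resource per Threat Command IOC group; the type must match
# the group's IOC type (address = IP Address, domain = Domain Name,
# malware = Malware Hash). Placeholder values are marked with <...>.
config system external-resource
    edit "tc-ip-iocs"
        set type address
        set resource "<THREAT-COMMAND-IOC-GROUP-URL>"
        # HTTP basic authentication: account ID as user, appliance key as password
        set username "<THREAT-COMMAND-ACCOUNT-ID>"
        set password "<THREAT-COMMAND-APPLIANCE-KEY>"
        # Refresh rate in minutes (GUI default is 5)
        set refresh-rate 5
        set comments "Threat Command IP IOC group"
    next
end

# Deny outbound communication to the imported IP IOCs (the GUI steps set
# the feed as Destination). Log the matches so blocked hits are visible.
config firewall policy
    edit 0
        set name "tc-block-ip-iocs-out"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "tc-ip-iocs"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Second policy with the feed as Source to also deny inbound communication
    edit 0
        set name "tc-block-ip-iocs-in"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "tc-ip-iocs"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Place the deny policies above any allow policies that would otherwise match the same traffic, since FortiGate evaluates policies top down.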