Integrate a Fortinet FortiManager On-Premises Device

Configure a Fortinet FortiManager on-premises device.

The following table shows device-specific integration characteristics:

Characteristic | Description
Method of push | All new IOCs that were discovered since the previous update are pushed to the device.
IOC types supported | Domains, IP addresses, and URLs.
IOC group limitation | All IOC types can be pulled in the same group.
Device IOC limit | The device is limited to 300,000 IOCs.

Device-specific integration characteristics table

IOCs are pushed from Threat Command to the device.

To integrate the device, perform these steps (described in the following sections):

  1. Add the device to Threat Command with the virtual appliance web interface.
  2. Configure an IOC group whose IOCs will be pushed to the device.

Add a Fortinet FortiManager on-premises device

Use the Threat Command virtual appliance to integrate the device with Threat Command.

Prerequisites:

  • You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.
  • You have the credentials to access the Threat Command virtual appliance web interface.
  • You have the administrative credentials to access the device management console.
  • All managed FortiGate firewalls are configured with the inspection engine in 'Proxy' mode.
    'Flow' mode is not supported for this integration due to limitations in the FortiGate firewall.
  • You know whether you want to push IOCs to the FortiManager Root ADOM or the Global Database ADOM.

To integrate a FortiManager device:

  1. From an internet browser, navigate to https://<virtual appliance IP address>.
  2. Log in to the Threat Command virtual appliance using the web access username and password.
  3. From the Devices page, click Devices.
  4. Click Add new device.
  5. In the Devices screen, set up the new device:
    1. Type a user-defined, unique device name (for example, FortiDemo).
    2. Select the FortiManager device type.
    3. Type values for User and Password.
      These should be the same values used to access the FortiManager web management console.
    4. Type the URL or IP address of the FortiManager machine.
    5. Select the FortiManager Workspace Mode:
      • To push IOCs to the root ADOM, do not select Workspace Mode (default).
      • To push IOCs to the Global Database ADOM, select Workspace Mode.
    6. (Optional) You can test the connection by clicking Test connection.
    7. Click Create.
    8. Review and approve messages.
  6. Verify that the new device is displayed in Threat Command:
    1. Log in to Threat Command at https://dashboard.ti.insight.rapid7.com
    2. From the main menu, select Automation > Integrations.
      If this window is already open, refresh it by selecting Automation > Integrations from the menu.
      The new device is displayed in the On-Premises tab.

Figure: a newly added device in the Automation > Integrations window.

Configure an IOC group to push IOCs to the device

Once the FortiManager device has been added and is syncing with the Threat Command virtual appliance, it is ready to receive IOCs that are pushed from Threat Command. IOCs are pushed by creating an IOC group for this device in Threat Command.

When creating IOC groups, you can choose whether the matched IOCs should be monitored or blocked in the FortiManager device. This choice is transmitted to the device, together with the IOC identification.

Create the IOC group, as described in Create an IOC group.

Verify that IOCs are being pushed to the device

You can verify that IOCs are being pushed to the FortiManager device.

To verify IOCs:

  1. From the Threat Command main menu, select Automation > Integrations.
  2. Select the device.
  3. On an IOC group of the device, click the Information icon.
    The IOCs in the group are displayed.
  4. In the FortiManager management console, select Policy & Objects > Object Configurations > Security Profiles > Web Filter.
    Threat Command IOCs are displayed in the User-Defined section under the following name format (in lower case):
    <DeviceName_IOCGroupName>, for example, fortidemo_forti_iocs.
    Ensure that you are in the correct ADOM.
    Double-click the IOCs listing to see the IOCs.
    Note that the "monitor" action was passed from Threat Command.
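As an added illustration, not code from the original page or from Rapid7 or Fortinet, the following Python script models the push behaviour stated in the characteristics table and the object naming described in step 4: only domains, IP addresses and URLs are accepted, only IOCs discovered since the previous update are sent, the 300,000-IOC device limit is enforced, the monitor or block action chosen when the IOC group was created travels with each IOC, and the FortiManager web filter object is named <DeviceName_IOCGroupName> in lower case. The IOC values are constructed samples, and the payload dictionaries are an assumed shape for this local model, not the FortiManager API.

```python
"""Local model of how Threat Command pushes an IOC group to FortiManager.

Added illustration only: this is not Rapid7 or Fortinet code, and the
payload dictionaries are an assumed shape, not the FortiManager API.
"""
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlparse

DEVICE_IOC_LIMIT = 300_000  # device IOC limit from the characteristics table


def classify_ioc(value: str) -> str:
    """Return 'ip', 'url' or 'domain' for a supported IOC, else 'unsupported'."""
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    if "://" in value:
        parsed = urlparse(value)
        return "url" if parsed.scheme in ("http", "https") and parsed.netloc else "unsupported"
    # Crude domain check: dot-separated labels of letters, digits and hyphens.
    labels = value.split(".")
    if len(labels) > 1 and all(label and label.replace("-", "").isalnum() for label in labels):
        return "domain"
    return "unsupported"  # hashes, e-mail addresses, bare paths and so on


def object_name(device_name: str, group_name: str) -> str:
    """Web filter object name shown in FortiManager: <DeviceName_IOCGroupName>, lower case."""
    return f"{device_name}_{group_name}".lower()


@dataclass
class PushState:
    """Tracks what has already been pushed so each update sends only new IOCs."""
    device_name: str
    group_name: str
    action: str                    # "monitor" or "block", chosen when the group is created
    limit: int = DEVICE_IOC_LIMIT
    pushed: set = field(default_factory=set)

    def build_push(self, current_iocs):
        """Return (payload, skipped): the delta to send and the values left out, with reasons."""
        if self.action not in ("monitor", "block"):
            raise ValueError("action must be 'monitor' or 'block'")
        entries, skipped = [], []
        for raw in current_iocs:
            value = raw.strip()
            if value in self.pushed:
                continue                   # sent in an earlier update
            kind = classify_ioc(value)
            if kind == "unsupported":
                skipped.append((value, "unsupported type"))
                continue
            if len(self.pushed) + len(entries) >= self.limit:
                skipped.append((value, "device IOC limit reached"))
                continue
            entries.append({"value": value, "type": kind, "action": self.action})
        payload = {"object": object_name(self.device_name, self.group_name), "entries": entries}
        return payload, skipped

    def commit(self, payload):
        """Record a successful push so the next build_push() sends only the delta."""
        self.pushed.update(e["value"] for e in payload["entries"])


# Constructed sample feed: two successive updates from Threat Command.
FIRST_UPDATE = [
    "evil.example.com",
    "198.51.100.7",
    "https://bad.example.net/payload",
    "d41d8cd98f00b204e9800998ecf8427e",  # a file hash: not a supported type for this device
]
SECOND_UPDATE = FIRST_UPDATE + ["2001:db8::1", "malware.example.org"]


def demo(limit=DEVICE_IOC_LIMIT):
    """Run both updates against one device and return the two payloads and skip lists."""
    state = PushState("FortiDemo", "Forti_IOCs", "monitor", limit=limit)
    first, skipped_first = state.build_push(FIRST_UPDATE)
    state.commit(first)
    second, skipped_second = state.build_push(SECOND_UPDATE)
    state.commit(second)
    return first, skipped_first, second, skipped_second


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running the script shows the second update carrying only the two IOCs that were not in the first, under the object name fortidemo_forti_iocs that step 4 tells you to look for in the Web Filter list; passing a small limit to demo() shows how entries beyond the device capacity are reported as skipped rather than silently dropped.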