FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
vschmitt_FTNT
Article Id 305389
Description
This article describes how to configure remediation using FortiGate REST API scripts for a device in the case of an incident.
The remediation script used is 'Block Source IP FortiOS 7.x via FortiOS API', but the credential it runs with must use the HTTPS access protocol and NOT the FORTIOS_REST_API access protocol.
Scope
FortiSIEM, FortiGate.
Solution

To create a REST API Token on FortiGate, see the following documentation: Connect Fortigate Device via API Token.

Step 1: Configure Credentials for FortiGate to be used for remediation. Follow these steps:

  • Go to Admin -> Setup.
  • Under Credentials / Step 1: Enter Credentials and select New.
  • The Access Method Definition should look like the following:

Name: <credentials_name>
Device Type: Fortinet FortiOS.
Access Protocol: HTTPS.
Note: Do not choose FORTIOS_REST_API, as it will not work with a remediation script.
Port: 443.
URI: https://<fortigate_ip>/api/v2/authentication.
User Name: <choose an admin name>.
Password: <REST API User access token>.
Note: The REST API User access token is not related to the 'User Name' field.

Screenshot: Access Method Definition.


Step 2: Create credential associations. Still under Admin -> Setup:

  • Under Credentials / Step 2: Enter the IP Range to Credential Associations and select New.
  • Enter the IP/Hostname of the FortiGate.
  • For Credentials, select the credential created in Step 1.

Test the credentials:

Screenshot: device credential mapping definition.
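When the credential test fails, it helps to know whether the token itself is being rejected by the FortiGate or whether FortiSIEM simply cannot reach the device. The following script is an added example, not part of this article or of Fortinet's own code: it sends the same kind of token-authenticated HTTPS request to the FortiGate and turns the HTTP status into a plain verdict. It assumes that FortiOS 7.x accepts the token in an `Authorization: Bearer` header and that `GET /api/v2/monitor/system/status` is readable by the API user; the sample response body is constructed, not a real capture.

```python
"""
Added example (not from the FortiSIEM article or Fortinet's code): check a
FortiGate REST API token before saving it as the FortiSIEM credential.

Assumptions (not stated in the article):
  - FortiOS 7.x accepts the token as "Authorization: Bearer <token>".
  - GET /api/v2/monitor/system/status is a read-only path the API user may call.
  - TLS verification stays on unless you explicitly turn it off for a lab box.
"""
import json
import ssl
import urllib.error
import urllib.request


def build_request(fortigate_ip: str, token: str, port: int = 443) -> urllib.request.Request:
    """Build the HTTPS request: bearer token only, no username is involved."""
    url = f"https://{fortigate_ip}:{port}/api/v2/monitor/system/status"
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    return urllib.request.Request(url, headers=headers, method="GET")


def interpret(status_code: int, body: str) -> dict:
    """Map HTTP status + body to a verdict that explains a failed FortiSIEM test."""
    if status_code == 200:
        try:
            data = json.loads(body)
        except json.JSONDecodeError:
            return {"ok": False, "reason": "200 but body is not JSON; URL/port may not be the FortiGate API"}
        results = data.get("results", {})
        return {"ok": True, "reason": "token accepted",
                "hostname": results.get("hostname"), "version": data.get("version")}
    if status_code == 401:
        return {"ok": False, "reason": "token rejected (wrong or expired API key)"}
    if status_code == 403:
        return {"ok": False, "reason": "token valid but the API user's profile lacks permission for this path"}
    if status_code == 429:
        return {"ok": False, "reason": "rate limited by the FortiGate; retry later"}
    return {"ok": False, "reason": f"unexpected HTTP {status_code}"}


def check_token(fortigate_ip: str, token: str, port: int = 443,
                verify_tls: bool = True, timeout: int = 10) -> dict:
    """Live check against the device; returns the same dict shape as interpret()."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab devices with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = build_request(fortigate_ip, token, port)
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return interpret(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:
        return interpret(e.code, e.read().decode(errors="replace"))
    except (urllib.error.URLError, OSError) as e:
        return {"ok": False, "reason": f"connection failed: {e}"}


# Constructed sample body in the shape of a FortiOS monitor reply (not a real capture).
SAMPLE_OK_BODY = json.dumps({"http_method": "GET", "results": {"hostname": "FGT-LAB"},
                             "status": "success", "version": "v7.x.x"})

if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 3:  # usage: python check.py <fortigate_ip> <api_token>
        print(check_token(sys.argv[1], sys.argv[2]))
    else:  # offline demonstration on the constructed sample
        print(interpret(200, SAMPLE_OK_BODY))
        print(interpret(401, "{}"))
```

Run it with the FortiGate address and the REST API token as arguments; a 401 means the token from Step 1 is wrong, a 403 means the API user's admin profile needs read access, and a connection error points at the IP, port or trusted hosts rather than the credential.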

Testing:

  • Go to Incidents and choose an Incident to remediate.
  • Select Actions -> Remediate Incident.
  • Select the remediation script: 'Fortinet FortiOS - Block Source IP FortiOS 7.x via FortiOS API'.
  • The protocol to be used is HTTPS and cannot be changed.
  • Select Run On: Super/Collector.

Screenshot: Remediate Incident.

Select Run and check if the remediation has been applied.