Fortinet FortiGate Ransomware NGFW Host Isolation Integration
Support Statement
This documentation is provided "as is" without support for 3rd party software. The level of support for this integration guide is best effort without any SLA on response time. No 3rd party product support can be provided by Superna directly. 3rd party components require support contracts. See EULA for more details.
Overview
Customers using FortiGate can leverage this integration to issue IP bans using the Incoming Webhook Quarantine feature. This ensures a compromised host cannot continue to attack other infrastructure after a data layer lockout by Data Security Edition.
Limitations
- Does not look up the endpoint ID to map to the client IP or end user ID. These entities must already exist or be created in FortiGate.
Solution Overview
Superna Data Security Edition Zero Trust API is the cornerstone technology used to integrate with SIEM and SOAR platforms. This integration cascades storage threat responses to Fortinet FortiGate to isolate hosts and protect infrastructure. By combining storage protection with network firewall protection, this integration reduces the response time to contain a ransomware threat and improves cyber resilience.
What Is FortiGate?
FortiGate is a Next-Generation Firewall (NGFW) developed by Fortinet. It acts as a comprehensive security and networking gateway that protects organizational networks from cyberthreats while routing and optimizing internet traffic.
Integration Architecture

Solution Configuration in FortiGate and Defender Zero Trust
Prerequisites
- Installed Data Security Edition subscription product
- Eyeglass OS appliance version 15.5 (verify with cat /etc/os-release)
- License key for the Zero Trust API
- FortiGate on-premises
Features
- Sends native Incident API calls with severity mapping from Superna to FortiGate
- Supports Webhook API key integration with Webhook Automations
Configuration in FortiGate
- Log in to the FortiGate console.
- Follow the Incoming Webhook Quarantine stitch guide to create an API key and enable the webhook quarantine IP ban policy.
- Create an API key and admin profile with the appropriate permissions.
- In the FortiGate Automation configuration for the webhook quarantine stitch, edit the automation switch and change the action to IP Ban.
Configuration Steps on Eyeglass Virtual Machine
High-Level Steps
- Configure FortiGate webhook settings.
- Configure Defender Zero Trust Webhooks.
- Test the integration with FortiGate.
Install the Integration
- From the Superna support site, download the integration .run file.
- Copy the file to the Eyeglass VM using SCP or WinSCP.
- Log in to the Eyeglass VM as admin over SSH.
- Run the following commands:
sudo -s
chmod 777 /path/to/integration.run
./integration.run
- The installer launches an interactive Text User Interface (TUI). Enter your FortiGate API key and connection details.
- Press V to validate the inputs.
- Press I to install.
- Review any errors. When prompted to start the service, answer Yes.
Configure Defender Zero Trust Webhooks
- Configure the Zero Trust endpoint in the Ransomware Defender Zero Trust tab.
Recommended Configuration: Send only Critical and Major events, and only webhooks that set lockout or delayed lockout. The goal is to send findings rather than a list of alarms that do not pinpoint a security incident. Customers can customize based on specific requirements.
- The endpoint URL uses localhost and sends webhooks to the application service listening on port 5000:
http://localhost:5000/webhook
- Add the Content-Type header with value application/json to complete the webhook configuration.
- Click Save to commit the configuration.
- Click Save on the main Webhook configuration page.
How to Test the Integration with FortiGate
- Download the curl command template and open it with a text editor.
- Copy all the text.
- SSH to the Eyeglass VM as the admin user.
- Paste the entire CLI command to the SSH prompt to send sample data to the running Zero Trust application. This sends test data directly to the application to be processed and sent to FortiGate.
- Verify that the targeted host's IP address is added to the IP ban list in the FortiGate console.
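The following Python script is an added illustration, not code shipped with the Superna integration or FortiGate. It shows the filtering logic behind the Recommended Configuration above (forward only Critical and Major events that carry a lockout or delayed lockout action) and how a test request to the local webhook endpoint on port 5000 is built with the Content-Type header the steps call for. The event field names (severity, action, client_ip) and the sample events are constructed assumptions, not the documented Superna payload schema; the real payload layout comes from the curl template on the support site.

```python
"""Triage Superna Zero Trust webhook events before they reach FortiGate.

Added example. Field names below are assumed for illustration and are not
the documented Superna webhook schema.
"""
import ipaddress
import json
import urllib.request
from typing import List, Optional

# Recommended Configuration from the guide: only findings that indicate
# an actual storage-layer lockout should become FortiGate IP bans.
FORWARD_SEVERITIES = {"CRITICAL", "MAJOR"}
LOCKOUT_ACTIONS = {"LOCKOUT", "DELAYED_LOCKOUT"}

# Local integration service endpoint named in the configuration steps.
WEBHOOK_URL = "http://localhost:5000/webhook"

# Constructed sample events (assumed field names, not real data).
SAMPLE_EVENTS = [
    {"id": 1, "severity": "Critical", "action": "lockout", "client_ip": "10.0.0.25"},
    {"id": 2, "severity": "Major", "action": "delayed_lockout", "client_ip": "10.0.0.26"},
    {"id": 3, "severity": "Warning", "action": "lockout", "client_ip": "10.0.0.27"},
    {"id": 4, "severity": "Critical", "action": "alarm_only", "client_ip": "10.0.0.28"},
    {"id": 5, "severity": "Critical", "action": "lockout", "client_ip": "not-an-ip"},
    {"id": 6, "severity": "Critical", "action": "lockout"},  # no client IP at all
]


def should_forward(event: dict) -> bool:
    """True only for Critical/Major events whose action is a (delayed) lockout."""
    severity = str(event.get("severity", "")).upper()
    action = str(event.get("action", "")).upper()
    return severity in FORWARD_SEVERITIES and action in LOCKOUT_ACTIONS


def valid_ip(value: Optional[str]) -> Optional[str]:
    """Return a normalised IP string, or None if the value is missing/invalid.

    A ban request without a well-formed address cannot map to a FortiGate
    quarantine entry, so such events are dropped rather than forwarded.
    """
    if not value:
        return None
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def to_ban_request(event: dict) -> Optional[dict]:
    """Map one Superna event to a minimal IP-ban payload (assumed shape)."""
    if not should_forward(event):
        return None
    ip = valid_ip(event.get("client_ip"))
    if ip is None:
        return None
    return {
        "event_id": event.get("id"),
        "severity": str(event["severity"]).upper(),
        "ip": ip,
        "action": "ip_ban",
    }


def triage(events: List[dict]) -> List[dict]:
    """Return the ban requests for every event that passes the filter."""
    bans = []
    for event in events:
        ban = to_ban_request(event)
        if ban is not None:
            bans.append(ban)
    return bans


def build_request(payload: dict, url: str = WEBHOOK_URL) -> urllib.request.Request:
    """Build the POST the test step sends to the local service (not sent here)."""
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(url, data=body, method="POST")
    # Header required by the webhook configuration step.
    req.add_header("Content-Type", "application/json")
    return req


if __name__ == "__main__":
    for ban in triage(SAMPLE_EVENTS):
        req = build_request(ban)
        print(req.get_method(), req.full_url, req.data.decode())
        # urllib.request.urlopen(req) would deliver it to the local service.
```

Running the script prints only the two sample events that satisfy the filter (ids 1 and 2); the warning-level event, the alarm-only event, and the two events without a usable client IP are dropped before anything reaches FortiGate.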
FortiGate SecOps Administrators Integration Experience
Once the integration is complete, SecOps administrators can view IP ban events in the FortiGate console. Compromised host IP addresses are quarantined automatically when Superna Data Security Edition detects a critical threat at the storage layer.