FortiGate / FortiOS

FortiManager

FortiAnalyzer

Administration Guide

Getting started
- Onboarding
- Accessing FortiCNAPP
- FortiCNAPP FAQ
- Additional resources
Security Fabric integration
- FortiAnalyzer
- FortiGate
- FortiSIEM
- FortiSOAR
Explorer
- Query builder
- Explorer risk score
- Explorer graph
- Graph examples
- Workflows
- Example workflow: Show all hosts with Log4j vulnerability
Resource inventory
- Using the resource inventory
- Oracle Cloud Infrastructure inventory
Threat Center
Alerts
- Viewing alert details
  - FortiCNAPP AI Assist
- Filtering alerts
- Security Insights FAQ
- AWS Security Hub
  - Amazon GuardDuty
  - AWS built-in package
Activity monitoring
- Cloud Activity Logs
- Kubernetes Activity Logs
Workload security
- Workload security dashboards
  - Hosts
  - Containers
- Agentless workload scanning
- Agent-based workload security
- Host policies
  - Host integrity policies
    - Cloning policies
    - Editing custom policies
Risk Center
Unified risk management
- Creating Explorer policies
- Risk Insights
- Risk Alerts
Risk Visibility
- Attack Path Analysis
- Top Work Items
- Path Investigation
- Supported Attack Paths
- Attack Path Risk Calculation
- Attack Path Secrets Detection
- Attack Path Cloud Feature Comparison
- Attack Path FAQ
- Exposure Polygraph
Compliance
- Cloud compliance
  - Cloud Compliance Dashboard
- Kubernetes compliance
- Posture Policies
Identity Security
- Identities
- Overview
- Top Identity Risks
- Explore
- Use Cases
- Identities FAQ
Vulnerabilities
- Vulnerabilities dashboard
- Host Vulnerabilities
- Container vulnerabilities
- Vulnerability Exceptions
- Vulnerability Policies
  - Container Vulnerability Policies
- FortiCNAPP Risk Score
- Active package detection
- Integrate container registries
- Integrate with Kubernetes Admission Controller
- Integrate FortiCNAPP with Security in Jira
- Integrate with ServiceNow
Code Security
- Overview
  - Code Security support matrix
  - Integration and feature matrix
- Getting started
- Navigating the Infrastructure-as-Code security pages
- Navigating the Application security pages
- Features
- Legacy IaC Security overview
- Frequently asked questions and troubleshooting
DSPM
- Integrating DSPM scanning with your AWS cloud accounts
- Integrating DSPM scanning with your Azure cloud accounts
- DSPM cloud account setup
- Data policies
- Risk center Insights and DSPM
- Explorer and DSPM
- Resource inventory and DSPM
Governance
- Managing queries
- Managing policies
- Platform policies and alerts
- Managing policy frameworks
Administrator guide
- FortiCNAPP console overview
  - Views management
  - Polygraphs
- Dashboard
- Configure alert channels
- Reports
- Authentication configuration
  - FortiCloud integrated authentication
  - Legacy authentication configuration
- Access control and authorization
  - FortiCloud integrated access control
    - Access and permission profiles
  - Legacy access control overview
- Settings
Integration
- AWS integration
- Azure integration
- Google Cloud integration
- OCI integration
- Kubernetes compliance integration
- Terraform for FortiCNAPP
Appendix A - Inbound and outbound connections
Appendix B - AI transparency: FortiCNAPP AI Assist
Appendix C - Customer opt-in for generative AI features

Home FortiCNAPP Administration Guide

Amazon GuardDuty

preview feature The Amazon GuardDuty integration is currently in preview.

Overview

Findings from Amazon's native threat detection service, GuardDuty, expand FortiCNAPP's detection capabilities. FortiCNAPP collects GuardDuty findings through AWS Security Hub, correlates the entities in its graph-based known and unknown threat detection system, and displays relevant GuardDuty findings as Supporting Facts in FortiCNAPP Composite Alerts. This integration automates the evidence-gathering phase of incident investigations, providing security analysts with high-efficacy, low-volume alerts.

Prerequisites

Enable Amazon GuardDuty - Follow the AWS documentation to enable Amazon GuardDuty in your AWS account.
Enable AWS Security Hub - Follow the AWS documentation to enable AWS Security Hub in your AWS account.
A Cloud Security Platform SaaS account.
Ensure that you are deploying the integration to a supported AWS region.

When Amazon GuardDuty and AWS Security Hub are enabled, GuardDuty automatically sends findings to AWS Security Hub.

Amazon GuardDuty Integration Architecture

CloudFormation is used to deploy the Amazon GuardDuty integration. The CloudFormation template creates the following resources:

An EventBridge rule that forwards GuardDuty findings to an SQS queue.
An SQS queue that receives the GuardDuty findings.
A cross-account IAM role that allows FortiCNAPP to access the SQS queue in order to receive the GuardDuty findings.

Security Hub Ingest Arch

Configure the Amazon GuardDuty Integration

In the Console you can either Run the CloudFormation Template or Download the CloudFormation Template.

Run CloudFormation Template - This option requires fewer steps and less user interaction. Disable your browser pop-up blocker.
Download CloudFormation Template - This option requires more user interaction but may be useful if you have multiple accounts with distributed ownership.
Run CloudFormation:

Log in to the Console.
Go to Settings > Integrations > Cloud account.
Click + Add New.
Click Amazon Web Services and select CloudFormation.
Click Next.
Select Security Hub and click Run CloudFormation Template. If you are already logged in to your AWS account, this redirects you to the Create stack page. The template populates the Amazon S3 template URL for you.
No changes are required. Click Next.
Review the Specify stack details page. Resource name prefix is populated with the account name of the first account configured to use FortiCNAPP for AWS Configuration. When adding accounts, you can keep this prefix or enter a different prefix to ensure account uniqueness. Click Next.
No changes are required on the Configure stack options page. Click Next.
Verify the information on the Review page and click Submit.

Download CloudFormation:

Log in to the Console.
Go to Settings > Integrations > Cloud account.
Click + Add New.
Click Amazon Web Services and select CloudFormation.
Click Next.
Select Security Hub and click Download CloudFormation Template.
Log in to your AWS account.
Select the CloudFormation service and click Create stack. The Create stack page displays.
For Template source, click Upload a template file.
Upload the FortiCNAPP template and click Next.
On the Specify stack details page enter a Stack name (for example, FortiCNAPP-Amazon-GuardDuty).
Enter a Resource name prefix such as an account name. Click Next.
No changes are required on the Configure stack options page. Click Next.
Verify the information on the Review page and click Submit.

For more information on selecting a stack template, refer to AWS documentation.

CloudFormation Stack Progress

After clicking Submit, you are redirected back to the CloudFormation page.

If you do not see your new stack in the table, refresh the page. Select your stack to see the event log as it is being created. When the stack is CREATE-COMPLETE, the Amazon GuardDuty integration is complete.

Permissions

The following IAM permissions are required to allow FortiCNAPP to receive GuardDuty findings. These are provisioned as part of the CloudFormation deployment.

Cross-Account IAM Role

  LaceworkSecHubCrossAccountAccessRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${ResourceNamePrefix}-Lacework-Sec-Hub-Role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - sts:AssumeRole
            Principal:
               AWS: !Join
                  - ''
                  - - 'arn:aws:iam::'
                    - !Ref LaceworkAWSAccountId
                    - ':role/Lacework-platform'
            Condition:
              StringEquals:
                sts:ExternalId:
                  !Ref ExternalID
      Path: "/"
      Policies:
        - PolicyName: LaceworkSecHubCrossAccountAccessRolePolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - sqs:ListQueues
                  - sqs:GetQueueAttributes
                  - sqs:GetQueueUrl
                  - sqs:DeleteMessage
                  - sqs:ReceiveMessage
                Resource:
                  - !GetAtt LaceworkSecHubQueue.Arn

FAQs

How do I know if the integration is working?

After configuring the Security Hub integration, the status in FortiCNAPP will show Pending until a new event is generated by Security Hub and delivered to FortiCNAPP. The status will then show Success. If there is an issue, you will see an error message.

Where can I see the GuardDuty findings in FortiCNAPP?

GuardDuty findings are only displayed when they correlate with a composite alert.

AWS Control Tower For AWS Control Tower customers, FortiCNAPP is an AWS Built-in partner and provides a bundled solution with AWS Control Tower, Amazon GuardDuty, and AWS Security Hub. This solution is intended for AWS Control Tower customers that require a seamless and comprehensive security solution for all accounts in their AWS organization. For more information, see the FortiCNAPP AWS Built-in Package.

Amazon GuardDuty

preview feature The Amazon GuardDuty integration is currently in preview.

Overview

Prerequisites

Enable Amazon GuardDuty - Follow the AWS documentation to enable Amazon GuardDuty in your AWS account.
Enable AWS Security Hub - Follow the AWS documentation to enable AWS Security Hub in your AWS account.
A Cloud Security Platform SaaS account.
Ensure that you are deploying the integration to a supported AWS region.

When Amazon GuardDuty and AWS Security Hub are enabled, GuardDuty automatically sends findings to AWS Security Hub.

Amazon GuardDuty Integration Architecture

CloudFormation is used to deploy the Amazon GuardDuty integration. The CloudFormation template creates the following resources:

An EventBridge rule that forwards GuardDuty findings to an SQS queue.
An SQS queue that receives the GuardDuty findings.
A cross-account IAM role that allows FortiCNAPP to access the SQS queue in order to receive the GuardDuty findings.

Security Hub Ingest Arch

Configure the Amazon GuardDuty Integration

In the Console you can either Run the CloudFormation Template or Download the CloudFormation Template.

Run CloudFormation Template - This option requires fewer steps and less user interaction. Disable your browser pop-up blocker.
Download CloudFormation Template - This option requires more user interaction but may be useful if you have multiple accounts with distributed ownership.
Run CloudFormation:

Log in to the Console.
Go to Settings > Integrations > Cloud account.
Click + Add New.
Click Amazon Web Services and select CloudFormation.
Click Next.
Select Security Hub and click Run CloudFormation Template. If you are already logged in to your AWS account, this redirects you to the Create stack page. The template populates the Amazon S3 template URL for you.
No changes are required. Click Next.
Review the Specify stack details page. Resource name prefix is populated with the account name of the first account configured to use FortiCNAPP for AWS Configuration. When adding accounts, you can keep this prefix or enter a different prefix to ensure account uniqueness. Click Next.
No changes are required on the Configure stack options page. Click Next.
Verify the information on the Review page and click Submit.

Download CloudFormation:

Log in to the Console.
Go to Settings > Integrations > Cloud account.
Click + Add New.
Click Amazon Web Services and select CloudFormation.
Click Next.
Select Security Hub and click Download CloudFormation Template.
Log in to your AWS account.
Select the CloudFormation service and click Create stack. The Create stack page displays.
For Template source, click Upload a template file.
Upload the FortiCNAPP template and click Next.
On the Specify stack details page enter a Stack name (for example, FortiCNAPP-Amazon-GuardDuty).
Enter a Resource name prefix such as an account name. Click Next.
No changes are required on the Configure stack options page. Click Next.
Verify the information on the Review page and click Submit.

For more information on selecting a stack template, refer to AWS documentation.

CloudFormation Stack Progress

After clicking Submit, you are redirected back to the CloudFormation page.

Permissions

The following IAM permissions are required to allow FortiCNAPP to receive GuardDuty findings. These are provisioned as part of the CloudFormation deployment.

Cross-Account IAM Role

  LaceworkSecHubCrossAccountAccessRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${ResourceNamePrefix}-Lacework-Sec-Hub-Role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - sts:AssumeRole
            Principal:
               AWS: !Join
                  - ''
                  - - 'arn:aws:iam::'
                    - !Ref LaceworkAWSAccountId
                    - ':role/Lacework-platform'
            Condition:
              StringEquals:
                sts:ExternalId:
                  !Ref ExternalID
      Path: "/"
      Policies:
        - PolicyName: LaceworkSecHubCrossAccountAccessRolePolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - sqs:ListQueues
                  - sqs:GetQueueAttributes
                  - sqs:GetQueueUrl
                  - sqs:DeleteMessage
                  - sqs:ReceiveMessage
                Resource:
                  - !GetAtt LaceworkSecHubQueue.Arn

FAQs

How do I know if the integration is working?

Where can I see the GuardDuty findings in FortiCNAPP?

GuardDuty findings are only displayed when they correlate with a composite alert.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

Web Application / API Protection

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

All Products

Administration Guide

Amazon GuardDuty

Amazon GuardDuty

Overview

Prerequisites

Amazon GuardDuty Integration Architecture

Configure the Amazon GuardDuty Integration

Run CloudFormation:

Download CloudFormation:

CloudFormation Stack Progress

Permissions

Cross-Account IAM Role