FortiGate / FortiOS

FortiManager

FortiAnalyzer

Administration Guide

Getting started
- Onboarding
- Accessing FortiCNAPP
- FortiCNAPP FAQ
- Additional resources
Security Fabric integration
- FortiAnalyzer
- FortiGate
- FortiSIEM
- FortiSOAR
Explorer
- Query builder
- Explorer risk score
- Explorer graph
- Graph examples
- Workflows
- Example workflow: Show all hosts with Log4j vulnerability
Resource inventory
- Using the resource inventory
- Oracle Cloud Infrastructure inventory
Threat Center
Alerts
- Viewing alert details
  - FortiCNAPP AI Assist
- Filtering alerts
- Security Insights FAQ
- AWS Security Hub
  - Amazon GuardDuty
  - AWS built-in package
Activity monitoring
- Cloud Activity Logs
- Kubernetes Activity Logs
Workload security
- Workload security dashboards
  - Hosts
  - Containers
- Agentless workload scanning
- Agent-based workload security
- Host policies
  - Host integrity policies
    - Cloning policies
    - Editing custom policies
Risk Center
Unified risk management
- Creating Explorer policies
- Risk Insights
- Risk Alerts
Risk Visibility
- Attack Path Analysis
- Top Work Items
- Path Investigation
- Supported Attack Paths
- Attack Path Risk Calculation
- Attack Path Secrets Detection
- Attack Path Cloud Feature Comparison
- Attack Path FAQ
- Exposure Polygraph
Compliance
- Cloud compliance
  - Cloud Compliance Dashboard
- Kubernetes compliance
- Posture Policies
Identity Security
- Identities
- Overview
- Top Identity Risks
- Explore
- Use Cases
- Identities FAQ
Vulnerabilities
- Vulnerabilities dashboard
- Host Vulnerabilities
- Container vulnerabilities
- Vulnerability Exceptions
- Vulnerability Policies
  - Container Vulnerability Policies
- FortiCNAPP Risk Score
- Active package detection
- Integrate container registries
- Integrate with Kubernetes Admission Controller
- Integrate FortiCNAPP with Security in Jira
- Integrate with ServiceNow
Code Security
- Overview
  - Code Security support matrix
  - Integration and feature matrix
- Getting started
- Navigating the Infrastructure-as-Code security pages
- Navigating the Application security pages
- Features
- Legacy IaC Security overview
- Frequently asked questions and troubleshooting
DSPM
- Integrating DSPM scanning with your AWS cloud accounts
- Integrating DSPM scanning with your Azure cloud accounts
- DSPM cloud account setup
- Data policies
- Risk center Insights and DSPM
- Explorer and DSPM
- Resource inventory and DSPM
Governance
- Managing queries
- Managing policies
- Platform policies and alerts
- Managing policy frameworks
Administrator guide
- FortiCNAPP console overview
  - Views management
  - Polygraphs
- Dashboard
- Configure alert channels
- Reports
- Authentication configuration
  - FortiCloud integrated authentication
  - Legacy authentication configuration
- Access control and authorization
  - FortiCloud integrated access control
    - Access and permission profiles
  - Legacy access control overview
- Settings
Integration
- AWS integration
- Azure integration
- Google Cloud integration
- OCI integration
- Kubernetes compliance integration
- Terraform for FortiCNAPP
Appendix A - Inbound and outbound connections
Appendix B - AI transparency: FortiCNAPP AI Assist
Appendix C - Customer opt-in for generative AI features

Home FortiCNAPP Administration Guide

Integrate Azure Identity

Integrate FortiCNAPP with Azure Identity to gain unified visibility and deeper insights into your identity security and enhance other capabilities such as attack path analysis, threat alerts, and resource inventory.

Requirements

To take full advantage of FortiCNAPP identity management capabilities, enable the following:

(Required) Azure Configuration integration: Allows analysis of the identity configuration.
To take full advantage of identity management capabilities, we recommend creating a configuration integration with your Azure organization management account (using your preferred method: Manual or Terraform) so that we can analyze policies and Entra ID data.
To learn more about Azure organizations, tenants, and subscriptions, refer to Subscriptions, licenses, accounts, and tenants for Microsoft's cloud offerings.
(Recommended) Azure Activity Log integration: Lets FortiCNAPP determine what entitlements are used and other risks based on usage, such as dormant users, dormant access keys, and more.
(Recommended) Azure agentless workload scanning: Allows detection of hardcoded access keys belonging to identities.

Supported features

The following features are available when Azure identity integration is configured:

Cloud provider filter option for Azure on all identity pages.
New Azure-based Overview charts and Identity Explorer Overview page.
Top Identity Risks page for Azure identities.
Identity entitlement-based risks for Entra users, groups, and service principals.
Identity summary screens for Entra users, groups, and service principals.
Entitlements screen for users, groups, and service principals.
Linked identities screen for users, groups, and service principals.
Exceptions screen for Azure risk properties.
Support for net effective permissions:
- Direct role assignment based permissions.
- 1-hop permissions via group membership.
- Deny Assignments.
- Permission inheritance (child resources inherit parent resource permissions).
Support for remediations.
Excessive privileges analysis.

Integrate Azure Identity

Requirements

To take full advantage of FortiCNAPP identity management capabilities, enable the following:

(Required) Azure Configuration integration: Allows analysis of the identity configuration.
To take full advantage of identity management capabilities, we recommend creating a configuration integration with your Azure organization management account (using your preferred method: Manual or Terraform) so that we can analyze policies and Entra ID data.
To learn more about Azure organizations, tenants, and subscriptions, refer to Subscriptions, licenses, accounts, and tenants for Microsoft's cloud offerings.
(Recommended) Azure Activity Log integration: Lets FortiCNAPP determine what entitlements are used and other risks based on usage, such as dormant users, dormant access keys, and more.
(Recommended) Azure agentless workload scanning: Allows detection of hardcoded access keys belonging to identities.

Supported features

The following features are available when Azure identity integration is configured:

Cloud provider filter option for Azure on all identity pages.
New Azure-based Overview charts and Identity Explorer Overview page.
Top Identity Risks page for Azure identities.
Identity entitlement-based risks for Entra users, groups, and service principals.
Identity summary screens for Entra users, groups, and service principals.
Entitlements screen for users, groups, and service principals.
Linked identities screen for users, groups, and service principals.
Exceptions screen for Azure risk properties.
Support for net effective permissions:
- Direct role assignment based permissions.
- 1-hop permissions via group membership.
- Deny Assignments.
- Permission inheritance (child resources inherit parent resource permissions).
Support for remediations.
Excessive privileges analysis.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

Web Application / API Protection

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

All Products

Administration Guide

Integrate Azure Identity

Integrate Azure Identity

Requirements

Supported features

Integrate Azure Identity

Integrate Azure Identity

Requirements

Supported features