Administration Guide

FortiGate quarantine webhook setup example

To create an automation profile for FortiGate Quarantine (formerly the Ban IP action) or FortiSwitch Quarantine via FortiLink, an incoming webhook must be set up on FortiGate to accept requests from FortiNDR. You register the webhooks in Security Fabric > Automation Framework.

The following example shows you how to set up webhooks for FortiGate Quarantine to quarantine infected hosts through FortiGate.

To set up a webhook for Ban IP:
  1. In FortiGate, go to System > Admin Profiles and create a profile, for example, ipblocker_test, and set the required Access Permissions.

    Tip: Ensure the selected Administrator profile has sufficient privileges to execute CLI scripts.

  2. In FortiGate, go to System > Administrators and create a REST API Admin using the ipblocker_test admin profile.

  3. Select the Virtual Domains to be associated with the generated API key.

    You can also restrict access to FortiNDR by setting up Trusted Hosts for the API profile.

  4. Save the generated New API key; you need it to register the automation profile in FortiNDR.

  5. In FortiGate, go to Security Fabric > Automation and create an Automation Stitch for Ban IP actions.

    Select Incoming Webhook and enter a Name to be used to register the automation profile.

  6. In the CLI Script section of the New Automation Stitch page, enter the following script. Substitute root with the VDOM the quarantined hosts belong to.

    config vdom
    edit root
    diagnose user quarantine add src4 %%log.srcip%% %%log.expiry%% admin

    This example requires two webhooks: one that executes the Ban IP action (this ip_blocker example) and another that executes the unban IP action.

    Tip: We recommend maintaining a consistent naming pattern for the Stitch and Trigger names, for example, ip_blocker and ip_unblocker.

  7. Repeat the above step to create a webhook to execute the unban IP action, for example, ip_unblocker.

    In the CLI Script section of the New Automation Stitch page, enter the following script for the unban IP action. Substitute root with the same VDOM used for the ban script.

    config vdom
    edit root
    diagnose user quarantine delete src4 %%log.srcip%%

    Figure: CLI script as entered on FortiOS v6.4 and on FortiOS v7.0.1.

    Note: In both CLI script examples, the config vdom and edit root lines are not needed when VDOM mode is disabled on the FortiGate.

  8. Register the Webhook name in the Automation Profile.
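The two CLI scripts above are templates: FortiGate substitutes each %%log.<field>%% placeholder with the matching field of the JSON body that FortiNDR posts to the incoming webhook. The following added example (not code from the page, Fortinet or FortiNDR) shows what that exchange looks like from the caller's side and lets you preview the exact diagnose command FortiGate would run for a given payload before the stitch goes live. It validates that srcip is a literal IPv4 address and that expiry is a positive integer before anything is substituted, so a malformed or unexpected value is rejected instead of being pasted into a CLI script. The FortiGate hostname, the API key value and the sample payload are constructed placeholders; the webhook endpoint path is an assumption based on FortiOS REST API conventions and is not stated on this page, so confirm it against your FortiOS version.

```python
import ipaddress
import json
import re
import ssl
import urllib.request
from urllib.parse import quote

# Constructed sample values, not taken from the page: replace with your own.
FORTIGATE_HOST = "fortigate.example.internal"
API_KEY = "<REST-API-ADMIN-KEY-PLACEHOLDER>"  # the New API key saved in step 4

# The two CLI scripts from steps 6 and 7 of the page, kept verbatim so the
# preview matches what FortiGate executes after placeholder substitution.
BAN_SCRIPT = (
    "config vdom\n"
    "edit root\n"
    "diagnose user quarantine add src4 %%log.srcip%% %%log.expiry%% admin\n"
)
UNBAN_SCRIPT = (
    "config vdom\n"
    "edit root\n"
    "diagnose user quarantine delete src4 %%log.srcip%%\n"
)

# Matches FortiGate's %%log.<field>%% placeholder syntax.
PLACEHOLDER = re.compile(r"%%log\.([A-Za-z0-9_]+)%%")


def validate_payload(payload):
    """Return a normalised copy of the webhook payload, rejecting anything
    that should never be substituted into a CLI script.

    srcip must be a literal IPv4 address because the script uses the src4
    keyword. expiry, when present, must be a positive integer (the duration
    format FortiGate expects for the diagnose command is assumed here).
    """
    clean = {}
    ip = ipaddress.ip_address(str(payload["srcip"]))  # ValueError on garbage
    if ip.version != 4:
        raise ValueError("srcip must be IPv4 for the src4 quarantine command")
    clean["srcip"] = str(ip)
    if "expiry" in payload:
        expiry = int(payload["expiry"])  # ValueError if not numeric
        if expiry <= 0:
            raise ValueError("expiry must be a positive duration")
        clean["expiry"] = str(expiry)
    return clean


def render_cli_script(template, payload):
    """Preview the CLI script FortiGate would run for this payload.

    A placeholder the payload does not supply is an error rather than a
    silently empty argument, which would change the command's meaning.
    """
    def substitute(match):
        field = match.group(1)
        if field not in payload:
            raise KeyError(f"payload has no field '{field}' required by the script")
        return payload[field]
    return PLACEHOLDER.sub(substitute, template)


def build_webhook_request(host, stitch_name, api_key, payload):
    """Assemble the HTTP request a caller sends to the incoming webhook.

    The endpoint path is an assumption from FortiOS REST API conventions
    (not stated on the page); the stitch name is the webhook Name from step 5.
    """
    clean = validate_payload(payload)
    url = (
        f"https://{host}/api/v2/monitor/system/automation-stitch/webhook/"
        f"{quote(stitch_name, safe='')}"
    )
    return {
        "method": "POST",
        "url": url,
        "headers": {
            "Authorization": f"Bearer {api_key}",
            "Content-Type": "application/json",
        },
        "body": json.dumps(clean),
    }


def send(request, ca_file=None):
    """Send a built request to a FortiGate you manage. TLS verification stays
    on; pass the CA bundle for the FortiGate certificate instead of disabling it."""
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(
        request["url"],
        data=request["body"].encode(),
        headers=request["headers"],
        method=request["method"],
    )
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    sample = {"srcip": "10.0.0.25", "expiry": 3600}  # constructed sample payload
    req = build_webhook_request(FORTIGATE_HOST, "ip_blocker", API_KEY, sample)
    print("Would POST to:", req["url"])
    print("FortiGate would run:\n" + render_cli_script(BAN_SCRIPT, validate_payload(sample)))
    print("Unban script:\n" + render_cli_script(UNBAN_SCRIPT, validate_payload(sample)))
```

Running the block without calling send() is a safe dry run: it prints the URL and the two rendered scripts. Because Trusted Hosts on the API admin (step 3) limit where the request may come from, run send() from a host in that list, and keep the API key out of source control.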
