Administration Guide

Automation Framework

A single enforcement profile can be selected by several different automation profiles. This gives you more flexibility in the response action. The following diagram illustrates the relationship between Enforcement and Automation profiles.

To create an automation profile:
  1. Go to Security Fabric > Automation Framework.
  2. In the toolbar, click Create New.
  3. Configure the profile settings:

    Profile Name: Enter a name for the profile.

    Enable: Enable or disable the framework.

    Enforcement Profile: Click to select a profile from the Enforcement Settings. See Creating an Enforcement Profile.

    Action: Select one of the following actions:
      • FortiGate Quarantine
      • FortiNAC Quarantine
      • Generic Webhook

    Source:
      • Fabric Device: If the source of detection came from OFTP, the enforcement is executed only by an automation profile with a matching IP address and VDOM.
      • Sniffer: If the source of detection came from a sniffer, the enforcement is adopted by all profiles where Trigger Source is Sniffer. Since a detection sourced from a sniffer does not contain information about which fabric device monitors the infected IP address, it is your responsibility to specify the correct device IP address and VDOM.

    API Key: Enter the device API key.

    IP: Enter the device IP address.

    Port: Enter the device port number.

    VDOM: Enter the VDOM info. Only applicable to FortiGate Quarantine and FortiSwitch Quarantine via FortiLink.

    WebHook Name for Execution: Select the FortiGate webhook for the execution action, such as ip_blocker. Only applicable to FortiGate Quarantine and FortiSwitch Quarantine via FortiLink.

    WebHook Name for Undo: Select the FortiGate webhook for the undo action, such as ip_unblocker. Only applicable to FortiGate Quarantine and FortiSwitch Quarantine via FortiLink.

    Webhook Execution Settings: Enter the URL, Method, Header and HTTP body Template for the Execution webhook settings. Only applicable to Generic Webhook.

    Webhook Undo Settings: Enter the URL, Method, Header and HTTP body Template for the Undo webhook settings. Only applicable to Generic Webhook.

  4. Test the configuration.
  5. Click OK.
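The Source rules above decide which automation profiles act on a detection. The following model of that selection is an added example, not Fortinet code: the `Detection` shape, the profile names and addresses, and the rule that a disabled profile never fires are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AutomationProfile:          # fields mirror the profile settings above
    name: str
    enabled: bool
    enforcement_profile: str
    action: str
    source: str                   # "Fabric Device" or "Sniffer"
    ip: str
    vdom: str


@dataclass(frozen=True)
class Detection:                  # hypothetical event shape, not a Fortinet format
    enforcement_profile: str
    source: str
    device_ip: Optional[str] = None   # reporting device; absent for sniffer detections
    vdom: Optional[str] = None


def select_profiles(det: Detection, profiles: List[AutomationProfile]) -> List[str]:
    """Return names of the automation profiles whose action would run."""
    hits = []
    for p in profiles:
        # Assumption: a disabled profile never fires.
        if not p.enabled or p.enforcement_profile != det.enforcement_profile:
            continue
        if p.source != det.source:
            continue
        # Fabric Device: only the profile matching the reporting IP and VDOM.
        if det.source == "Fabric Device" and (p.ip, p.vdom) != (det.device_ip, det.vdom):
            continue
        # Sniffer: no device info in the detection, so every Sniffer profile runs
        # against whatever IP/VDOM the administrator entered.
        hits.append(p.name)
    return hits


# Constructed sample profiles (documentation address ranges).
PROFILES = [
    AutomationProfile("fgt-edge", True, "high-risk", "FortiGate Quarantine", "Fabric Device", "192.0.2.10", "root"),
    AutomationProfile("fgt-dc", True, "high-risk", "FortiGate Quarantine", "Fabric Device", "192.0.2.20", "dc"),
    AutomationProfile("span-a", True, "high-risk", "FortiGate Quarantine", "Sniffer", "192.0.2.10", "root"),
    AutomationProfile("span-hook", True, "high-risk", "Generic Webhook", "Sniffer", "198.51.100.5", "root"),
    AutomationProfile("span-off", False, "high-risk", "Generic Webhook", "Sniffer", "198.51.100.6", "root"),
]
```

In this model a sniffer detection fans out to every enabled Sniffer profile bound to the enforcement profile, so a wrong IP address or VDOM in any one of them sends the quarantine to the wrong device.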
