
config system automation-settings

Use this command to configure the automation profiles used by the FortiNDR enforcement feature.

Syntax

config system automation-settings
    edit <name_str>
        set type {fgt-quarantine|fnac-quarantine|fsw-quarantine-via-fortilink|generic-webhook}
        set vdom <vdom_str>
        set api-key <apikey_str>
        set webhook-config <config_str>
        set ip <ip_addr>
        set port <port_int>
        set status {enable | disable}
        set source {fabric-device | sniffer}
        set profile <enforcement_profile_name>
    end

Variable / Description / Default

name <string>
    Automation profile name.

type {fgt-quarantine|fnac-quarantine|fsw-quarantine-via-fortilink|generic-webhook}
    FortiNDR supports four types of automated quarantine: fgt-quarantine, fnac-quarantine, fsw-quarantine-via-fortilink and generic-webhook.
    Default: fgt-quarantine

vdom <vdom_str>
    The VDOM of the FortiGate. Only applicable to fgt-quarantine and fsw-quarantine-via-fortilink.
    Default: root

api-key <apikey_str>
    API key of the device. Only applicable to fgt-quarantine, fsw-quarantine-via-fortilink and fnac-quarantine.

webhook-config <config_str>
    The webhook configuration used by FortiNDR enforcement. Only applicable to fgt-quarantine, fsw-quarantine-via-fortilink and generic-webhook.

    For fgt-quarantine or fsw-quarantine-via-fortilink:

        {"webhook_exec":"ip_blocker","webhook_undo":"ip_unblocker"}

    For generic-webhook (webhook_exec is called to quarantine the source IP, webhook_undo to release it; %%srcip%% is replaced with the detected source IP):

        {"webhook_exec":{"url":"https://host1.com:443/api/ip_blocker","method":"post","http_body":"{\"srcip\":\"%%srcip%%\"}","headers":{"content-type":"application/json"}},"webhook_undo":{"url":"https://host1.com:443/api/ip_unblocker","method":"post","http_body":"{\"srcip\":\"%%srcip%%\"}","headers":{"content-type":"application/json"}}}

    To enter the JSON data through the CLI, format the JSON string as one line and enclose it in single quotes (').

ip <ip_addr>
    IP address of the device. Only applicable to fgt-quarantine, fsw-quarantine-via-fortilink and fnac-quarantine.

port <port_int>
    Port number of the device. Only applicable to fgt-quarantine, fsw-quarantine-via-fortilink and fnac-quarantine.
    Default: 443

status {enable | disable}
    Enable or disable the automation profile.
    Default: enable

source {fabric-device | sniffer}
    Set the source of detection that applies to the current profile. Only applicable to fgt-quarantine and fsw-quarantine-via-fortilink.
    Default: fabric-device

profile <enforcement_profile_name>
    The enforcement profile used by the current automation setting.
    Default: default
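The two webhook-config shapes above, worked through as an added example (this is not Fortinet's code). The script builds the JSON the reference shows for fgt-quarantine and for generic-webhook, produces the one-line single-quoted value the CLI expects (and refuses a value containing a single quote, which would terminate the CLI string early), emulates the %%srcip%% substitution so the body can be checked before it is pointed at a real endpoint, and emits the full stanza. host1.com, the addresses and the API key are placeholders; `next` before `end` and double-quoted entry names are assumed from standard Fortinet CLI syntax rather than taken from this page.

```python
"""Build, validate and emit a FortiNDR automation-settings stanza.

Added example, not Fortinet's code. Hosts, IPs and the API key are
placeholders; `next` before `end` is assumed from standard Fortinet CLI.
"""
import ipaddress
import json

SRCIP_PLACEHOLDER = "%%srcip%%"  # FortiNDR replaces this with the detected source IP

# webhook-config for fgt-quarantine / fsw-quarantine-via-fortilink (shape from the reference)
FGT_WEBHOOK_CONFIG = {"webhook_exec": "ip_blocker", "webhook_undo": "ip_unblocker"}


def webhook_action(url, field="srcip"):
    """One generic-webhook action: POST a JSON body carrying the quarantined IP."""
    return {
        "url": url,
        "method": "post",
        "http_body": json.dumps({field: SRCIP_PLACEHOLDER}, separators=(",", ":")),
        "headers": {"content-type": "application/json"},
    }


def generic_webhook_config(exec_url, undo_url):
    """webhook-config for type generic-webhook: one action to block, one to release."""
    return {"webhook_exec": webhook_action(exec_url),
            "webhook_undo": webhook_action(undo_url)}


def to_cli_value(config):
    """Serialize for `set webhook-config`: one line, enclosed in single quotes."""
    line = json.dumps(config, separators=(",", ":"))
    if "'" in line:
        # The CLI wraps the value in '...'; an embedded quote would end it early.
        raise ValueError("webhook-config must not contain a single quote")
    return "'" + line + "'"


def parse_cli_value(value):
    """Inverse of to_cli_value, for checking what a device has stored."""
    if len(value) < 2 or value[0] != "'" or value[-1] != "'":
        raise ValueError("expected a single-quoted value")
    return json.loads(value[1:-1])


def render_body(template, srcip):
    """Emulate the %%srcip%% substitution to check the body ahead of time.

    Only a bare IPv4/IPv6 address is accepted, so a value carrying JSON
    syntax cannot reshape the document sent to the endpoint.
    """
    ip = ipaddress.ip_address(srcip)  # ValueError for anything that is not an IP
    body = template.replace(SRCIP_PLACEHOLDER, str(ip))
    json.loads(body)  # the endpoint will parse this; fail here, not on the wire
    return body


def render_cli(name, type_, config, **settings):
    """Emit the config stanza; settings map to `set <key> <value>` lines."""
    lines = [
        "config system automation-settings",
        f'    edit "{name}"',
        f"        set type {type_}",
    ]
    for key, value in settings.items():  # e.g. ip="192.0.2.10", port=443, api_key="..."
        lines.append(f"        set {key.replace('_', '-')} {value}")
    lines.append(f"        set webhook-config {to_cli_value(config)}")
    lines += ["        set status enable", "    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    cfg = generic_webhook_config("https://host1.com:443/api/ip_blocker",
                                 "https://host1.com:443/api/ip_unblocker")
    print(render_cli("soar-webhook", "generic-webhook", cfg, profile="default"))
    print(render_body(cfg["webhook_exec"]["http_body"], "192.0.2.7"))
    print(render_cli("fgt-block", "fgt-quarantine", FGT_WEBHOOK_CONFIG,
                     ip="192.0.2.10", port=443, vdom="root", api_key="REPLACE-ME",
                     source="fabric-device", profile="default"))
```

Two points worth noting when deploying this: the api-key stored here is a bearer credential for the target device's REST API, so issue it to a dedicated administrator with the narrowest profile that can still quarantine; and the generic-webhook example on this page sends only a content-type header, so the receiving endpoint should authenticate the caller by some other means (for instance an extra header in the headers object, or client-certificate authentication) before acting on a block or unblock request.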
