Overview

Details

The Fortinet Active Response add-on defined an alert action, which will enable users to block traffic from/to a particular source IP, destination IP or a network user through FortiGate's RESTful API based on correlation search result. It leverages Adaptive Response Framework solution provided by Splunk Enterprise.

Fortinet Active Response Add-on For FortiGate

Prerequisite:

Splunk 6.5 or later(Linux version)
Enterprise Security(not needed the search in the alert does not use CIM models)
Fortinet Fortigate Add-on for Splunk 1.4 or later

Installation:

Can be installed from Manage Apps->Search for FortinetAR.
Can also be installed from file, which can be downloaded from splunkbase.

Dependency libraries packaged:

eventlet 0.20.1
fortiosclient 0.0.2
jinja2 2.8.1
markupsafe 0.23
greenlet 0.4.11
netaddr 0.7.18
oslo.i18n 3.11.0
six 1.5.2

Configuration:

Click "Set up" after the add-on is installed.
Add Devices and Admin passwords for FortiGates reporting logs to Splunk.
The information will be used to send ReSTful API commands to the corresponding
FortiGate. Device ID and its admin user password will be needed here.
Add mapping between Device ID and its IP address for RestFul API or the IP
address of FortiGate which have https access enabled.

Usage:

Create an alert under Settings->Searches, Reports, and Alerts->New Alert
In Search field: fill out Search field based on the CIM datamodel if Enterprise Security and FortiGate Add-on has been installed and FortiGate has been reporting logs to the Splunk

| datamodel "Malware" "Malware_Attacks" search

sourcetype=fgt_utm subtype=virus action=blocked

if only FortiGate add-on has been installed;

Choose FortiGateActions and select the field to block if an event matches the search.
After logs matching the search has been detected, there will be a firewall policy
added in the FortiGate which trigged the event. The policy will include a
comment "fgt_ar" for users to easily identify.

Troubleshooting:

If the policy is not created on FortiGate after running active response action:

Make sure the add-on has been set up with FortiGate's information including correct device id, admin password, IP address and the IP address enables https access.
If set up is correct, you can get more information about the issue by searching:

index="summary" sourcetype="fortigateresponse"

in Search&Reporting.

More detailed information can be found in log file:

$SPLUNK_HOME/var/logs/splunk/FortiGateActions_modalert.log

For further assistance, please contact support splunk_app@fortinet.com and we will reply in 24 hours.

Release Notes

Version 1.0.4

Aug. 26, 2021

1.0.4 update xml version to support 8.2

Version 1.0.3

Feb. 3, 2021

python3 migration
add name field in auto-generated firewall policies

Version 1.0.2

Feb. 11, 2020

1.0.2:
-fix session logout issue

Version 1.0.1

Jan. 31, 2020

Fix compatibility issue with FOS6

Version 1.0.0

Jan. 14, 2017

1.0.0
1. Initial release of Fortinet Active Response Add-on for FortiGate

3,274

Downloads

Share Subscribe

Version

Built by

Fortinet Inc

Support

Not Supported

Questions on Splunk Answers Flag as inappropriate

App Contents: Alert Actions