Fortinet FortiGate
- Updated on 26 Dec 2024
Fortinet FortiGate is a next-generation firewall providing security and visibility for end-to-end protection across the entire enterprise network.
Types of Assets Fetched
This adapter fetches the following types of assets:
- Devices
- Users
- Groups
- Firewall Rules
- Alerts/Incidents
Parameters
- Host Name (required) - The hostname or IP address of the Fortinet FortiGate server.
- Port (optional) - If not supplied, Axonius will use TCP port 443.
- User Name and Password (optional) - The credentials for a user account that has the Required Permissions to fetch assets.
For FortiOS connections only: when the FortiOS API Key is not supplied, User Name and Password are required. This does not apply to FortiManager connections.
- Virtual Domain (optional) - Specify a comma-separated list of Virtual Domains (VDOMs).
- If supplied, Axonius will fetch data from specified virtual domains.
- If not supplied, Axonius will use 'vdom' value.
- FortiOS API Key (optional) - An API Key associated with a user account that has the Required Permissions to fetch assets. For information on how to create the FortiOS API Key, see Create the FortiOS API Key.
For FortiOS connections only: when the FortiOS API Key is provided, User Name and Password are not required and authentication is attempted using the Bearer Token. This does not apply to FortiManager connections.
- Is FortiManager Server - Select whether the Fortinet FortiGate is a FortiManager server.
- Verify SSL - Select whether to verify the SSL certificate of the server against the CA database inside of Axonius. For more details, see SSL Trust & CA Settings.
- HTTPS Proxy (optional) - Connect the adapter to a proxy instead of directly connecting it to the domain.
- HTTPS Proxy User Name (optional) - The user name to use when connecting to the value supplied in Host Name via the value supplied in HTTPS Proxy.
- HTTPS Proxy Password (optional) - The password to use when connecting to the server using the HTTPS Proxy.
To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.
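As an added illustration (not Axonius code) of how the FortiOS connection parameters above translate into REST calls: one GET request per Virtual Domain, the FortiOS API Key sent as a Bearer token, Port defaulting to 443, Verify SSL mapped to a TLS context, and the HTTPS Proxy credentials embedded in the proxy URL. The endpoint path, the `vdom` query parameter and the use of the `Authorization: Bearer` header are standard FortiOS REST API usage and are assumed here, not taken from the page; the hostnames and key values are constructed placeholders.

```python
import json
import ssl
import urllib.parse
import urllib.request

# Read-only FortiOS endpoint used for the example request (assumed).
ADDRESS_PATH = "/api/v2/cmdb/firewall/address"

def build_requests(host, api_key, port=443, vdoms="", path=ADDRESS_PATH):
    """One GET request per Virtual Domain, authenticated with the API key."""
    # Page rule: for FortiOS, the API key replaces User Name and Password.
    if not api_key:
        raise ValueError("FortiOS API Key is required for Bearer authentication")
    base = f"https://{host}:{port}{path}"
    # Virtual Domain is a comma-separated list; blank entries are ignored.
    names = [v.strip() for v in vdoms.split(",") if v.strip()]
    # No VDOM supplied: send no vdom parameter (assumption: device default applies).
    urls = [f"{base}?{urllib.parse.urlencode({'vdom': v})}" for v in names] or [base]
    reqs = []
    for url in urls:
        req = urllib.request.Request(url, method="GET")
        req.add_header("Authorization", f"Bearer {api_key}")  # Bearer token auth
        req.add_header("Accept", "application/json")
        reqs.append(req)
    return reqs

def proxy_url(proxy, user=None, password=None):
    """Embed HTTPS Proxy User Name/Password in the proxy URL for urllib."""
    if not user:
        return proxy
    scheme, rest = proxy.split("://", 1)
    cred = f"{urllib.parse.quote(user, safe='')}:{urllib.parse.quote(password or '', safe='')}"
    return f"{scheme}://{cred}@{rest}"

def build_opener(verify_ssl=True, proxy=None, proxy_user=None, proxy_password=None):
    """Honour Verify SSL and HTTPS Proxy when opening the requests."""
    ctx = ssl.create_default_context()  # system CA store stands in for the Axonius CA database
    if not verify_ssl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    handlers = [urllib.request.HTTPSHandler(context=ctx)]
    if proxy:
        handlers.append(urllib.request.ProxyHandler(
            {"https": proxy_url(proxy, proxy_user, proxy_password)}))
    return urllib.request.build_opener(*handlers)

def fetch_json(opener, req, timeout=30):
    with opener.open(req, timeout=timeout) as resp:  # performs the actual call
        return json.load(resp)
```

Calling `fetch_json(build_opener(), req)` for each request returned by `build_requests` performs the fetch; with Verify SSL off the certificate is not checked, so keep it on outside of lab use.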
Advanced Settings
Advanced settings can either apply to all connections for this adapter, or you can set different advanced settings and/or different scheduling for a specific connection. Refer to Advanced Configuration for Adapters.
- DHCP lease time (seconds) (required, default: 604800) - Specify the DHCP lease time, that is, the length of time an IP address remains assigned to a device.
- Interfaces exclude list (optional) - Specify a comma-separated list of Fortinet FortiGate interfaces.
- If supplied, all connections for this adapter will only fetch devices that are not associated with the specified interfaces.
- If not supplied, all connections for this adapter will fetch devices associated with any interface.
- VMware Interfaces exclude list (optional) - Specify a comma-separated list of Fortinet FortiGate interfaces.
- If supplied, all connections for this adapter will only fetch virtual devices that are not associated with the specified interfaces.
- If not supplied, all connections for this adapter will fetch virtual devices associated with any interface.
- Do not fetch OS Type field (optional) - Select to exclude fetching data from the OS Type field.
- Allow IPSEC VPN devices - Select to allow fetching IPSEC VPN devices.
- Fetch managed Fortigate devices - Select to fetch managed FortiGate devices.
- Use Fortigate new OS version parser - Select this option to fetch the OS minor version from another field on a FortiOS device instance.
- Fetch firewall rules - Select this option to fetch all the firewall rules, as well as their policies and addresses.
- Maximum number of chunks (default: 50) - Enter a number to set the maximum number of parallel chunks to fetch information from the ADOMs. This can be a value between 50 and 100. Select the number of parallel calls that works best with your system.
- Fetch VPN SSL Sessions as Devices - Select this option to fetch VPN SSL sessions as Devices.
For details on general advanced settings under the Adapter Configuration tab, see Adapter Advanced Settings.
Create the FortiOS API Key
Step 1: Create an Administrator profile
To create a profile that only has Read access to the firewall address permission group, follow the steps below.
- In the FortiGate GUI, select System > Admin Profiles > Create New.
- Select at least read permissions for:
- User/Device
- Firewall
- Policy
- Address
- Schedule
- Network
- System
- VPN
- WiFi and Switch
- Click OK.
Step 2: Create the REST API Admin
To create the FortiOS API admin, follow the steps below.
- In the FortiGate GUI, select System > Administrators > Create New > REST API Admin.
- Populate the fields as shown below:
In 6.4.2 and earlier, the Trusted Host must be specified to ensure that your local host can reach the FortiGate. For example, to restrict requests as coming from only 10.20.100.99, enter 10.20.100.99/32.
- Click OK and an API token will be generated.
Make note of the API token as it is only shown once and cannot be retrieved. It will be needed for the rest of the process.
- Click Close to complete the creation of the REST API Admin.
Required Permissions
The value supplied in User Name must have read access to devices.
Step 1: Create an Administrator profile
The JSON API admin should have the minimum permissions required to complete the request.
- On the FortiManager GUI, select System Settings > Admin Profiles > Create New.
- Populate the fields as shown in the image below.
- Select the permissions of your choice.
- Click OK.
Step 2: Create the JSON API Admin
Once you have your administrator profile, follow the steps below to create the FortiManager API admin. You need to create a FortiManager API admin user; the API admin can be locally defined or defined on an external LDAP, RADIUS, or TACACS server.
- On the FortiManager GUI, select System Settings > Administrators > Create New.
- Populate the fields as shown in the image below. Make sure you assign select:read (rpc-permit), ALL ADOMs, and ALL Packages (Policy Package Access).
- Click OK.
Version Matrix
This adapter was only tested with the versions marked as supported, but may work with other versions. Contact Axonius Support if you have a version that is not listed, which is not functioning as expected.
| Version | Supported | Notes |
|---|---|---|
| 5.3.0 | Yes | |
Supported From Version
Supported from Axonius version 4.5