FortiGate integration
Posted by Michael Skoupý, Last modified by Michael Skoupý on 02 October 2019 09:25 AM

Supported product versions 

  • Safetica 9.3+ 
  • FortiGate running FortiOS 6.2+ 

Integrate FortiGate with Safetica 

  1. Log in to the FortiGate management console 
  2. Go to System/Admin Profiles and click on [Create New] 
  3. Choose a Name for your Safetica admin profile and set at least the permissions below. Grant nothing beyond them: the profile is used only by the Safetica API account, so any extra right is an unnecessary exposure if the API key leaks. 

Access Control                              Minimal required permission   Required for
Firewall                                    Read                          Checking which SSL certificates are actively used
System > Configuration                      Read                          Getting information about SSL certificates
Security Profile > Data Loss Prevention     Read/Write                    Creating DLP sensors which detect Safetica classification
VPN                                         Read                          Getting information about SSL certificates

  4. Go to System/Administrators and click on [Create New > REST API Admin] 
  • Choose a Username for your Safetica REST API Admin 
  • Under Administrator Profile select the profile created in step 3 
  • Turn PKI Group off 
  • Under Trusted Hosts make sure that your Safetica Management Server’s IPv4 or IPv6 address is included (e.g. 192.20.30.40/32 or fe80:1e1f:802e:1af5:50af:fdc2:1a10:f414/128). Use a single-host prefix (/32 or /128) rather than a whole subnet, so the API key is only accepted from the Safetica server. 
  • Confirm by clicking [OK]. FortiGate shows the API key of the new Safetica REST API admin only once; copy it to a secure place. If it is lost, the key has to be regenerated on FortiGate and re-entered in Safetica. 
  5. Log in to the Safetica Management Console 
  6. Go to Maintenance/Integration Settings/FortiGate Integration and click on [Connect to FortiGate] 
  • Enter your FortiGate address. You may use: 
     a) an IP address, including the http(s):// prefix (e.g. https://172.20.4.222), or 
     b) a domain name (e.g. FORTIGATE). 
     Prefer https://: the API key is sent with every request, and over plain http:// it would cross the network in clear text. 
  • Enter the FortiGate API key obtained in step 4 
  • Click on [OK] 
  • Once the connection is verified without errors, save your settings by clicking on [Save settings] 

 

Synchronize FortiGate SSL certificates with Safetica 

  1. Log in to the Safetica Management Console 
  2. Go to Maintenance/Integration Settings/FortiGate Integration, locate the relevant FortiGate instance and click on [Edit] 
  3. Turn on Import all SSL certificates and distribute them using Safetica 
  4. Click on [OK] 
  5. Click on [Save settings] 

The view will reload and all active SSL certificates from FortiGate will be listed in the Network Certificates section. 

To remove synced SSL certificates, remove them in FortiGate and refresh the sync state in the Safetica Management Console by clicking on the [Refresh] button. Alternatively, to remove all synced SSL certificates, turn off Import all SSL certificates and distribute them using Safetica. 

If you need a more selective way to sync SSL certificates, you can import individual certificates manually under Network Certificates using the [Import] button. Importing only the certificate FortiGate actually uses for SSL inspection keeps the set of issuers your endpoints are made to trust as small as possible. 

 

Synchronize Safetica data categories as FortiGate DLP sensors 

Since version 9.3 Safetica offers data classification stored in persistent metadata. Data categories that use this technology can be synchronized with FortiGate, so that classified files are detected on the network and FortiGate can take action on them. 

To configure automatic sync of Safetica data classification as FortiGate DLP sensors: 

  1. Log in to the Safetica Management Console 
  2. Go to Maintenance/Integration Settings/FortiGate Integration, locate the relevant FortiGate instance and click on [Edit] 
  3. Turn on Sync Safetica data categories as FortiGate DLP sensors 
  4. Click on [OK] 
  5. Click on [Save settings] 

Compatible Safetica data categories will show up in FortiGate under Security Profiles/Data Leak Prevention. Here you can review them and change the action FortiGate takes when a classified file is detected. By default, a synced DLP sensor is set to Log Only, which records the transfer but does not stop it. To change this: 

  1. Go to Security Profiles/Data Leak Prevention 
  2. Select the relevant DLP sensor and click on [Edit] 
  3. Select a filter and click on [Edit Filter] 
  4. Select the desired action under Action 
  5. Click on [OK] 
  6. Repeat the process for all relevant filters 

 

To activate these FortiGate DLP sensors, attach them to the firewall policies that carry the traffic to be inspected: 

  1. Go to Policy & Objects and open the relevant policy section (e.g. IPv4 Policy) 
  2. Create new or edit existing policies 
  3. Turn on the Security Profiles/DLP Sensor setting and select the relevant DLP sensor 
  4. Click on [OK] 

A DLP sensor can only match file content that FortiGate is able to read. For HTTPS and other TLS traffic the same policy therefore needs an SSL/SSH Inspection profile that performs full (deep) inspection, and the endpoints must trust the FortiGate inspection certificate, which is what the certificate synchronization described above distributes to them. 
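The steps above (REST API admin with trusted hosts, certificate sync, synced DLP sensors left at Log Only, sensor attached to a policy) can be verified against the FortiOS REST API. The script below is an added example written for this article; it is not Safetica's or Fortinet's code. It assumes the FortiOS cmdb endpoints dlp/sensor, vpn.certificate/local and firewall/policy, bearer-token authentication with the REST API admin's key, the response field names utm-status, dlp-sensor, ssl-ssh-profile and filter/action, and the default inspection profile names certificate-inspection and no-inspection. The JSON responses are constructed samples, so it runs offline; on a live appliance the samples are replaced by the bodies returned for the requests build_request produces.

```python
"""Sanity checks for a Safetica/FortiGate integration via the FortiOS REST API.

Added example, not Safetica's or Fortinet's code. Assumed (not in the article):
cmdb endpoints dlp/sensor, vpn.certificate/local and firewall/policy, bearer-token
authentication with the REST API admin's key, and the field names used below.
All JSON samples are constructed, not captured from a device.
"""
import json
import urllib.request
from urllib.parse import urlsplit


def build_request(base_url: str, api_key: str, cmdb_path: str) -> urllib.request.Request:
    """Authenticated GET for a FortiOS cmdb path such as 'dlp/sensor'.

    Refuses plain http://: the API key travels with every request as a bearer
    token and would otherwise cross the network in clear text.
    """
    if urlsplit(base_url).scheme != "https":
        raise ValueError("FortiGate address must use https:// (the API key is a bearer token)")
    url = base_url.rstrip("/") + "/api/v2/cmdb/" + cmdb_path.strip("/")
    return urllib.request.Request(url, headers={"Authorization": "Bearer " + api_key})


def cmdb_results(raw: str) -> list:
    """Unwrap the 'results' list of a cmdb reply; raise if FortiGate reported an error."""
    body = json.loads(raw)
    if body.get("status") != "success":
        raise RuntimeError(f"FortiGate returned HTTP {body.get('http_status')} ({body.get('status')})")
    return body["results"]


def certificate_names(raw_certificates: str) -> list:
    """Names of local certificates (what the 'VPN: Read' permission lets Safetica read)."""
    return [c["name"] for c in cmdb_results(raw_certificates)]


def log_only_filters(raw_sensors: str) -> dict:
    """Sensor name -> ids of filters still at the synced default action 'log-only'."""
    pending = {}
    for sensor in cmdb_results(raw_sensors):
        ids = [f["id"] for f in sensor.get("filter", []) if f.get("action") == "log-only"]
        if ids:
            pending[sensor["name"]] = ids
    return pending


def policies_using_sensor(raw_policies: str, sensor_name: str) -> list:
    """Policy ids on which the sensor is actually in effect (selected and UTM enabled)."""
    return [p["policyid"] for p in cmdb_results(raw_policies)
            if p.get("utm-status") == "enable" and p.get("dlp-sensor") == sensor_name]


def policies_without_deep_inspection(raw_policies: str, sensor_name: str) -> list:
    """Policies that apply the sensor but use a profile that does not decrypt TLS,
    so the sensor never sees file content in HTTPS. Profile names are assumed."""
    blind = {"certificate-inspection", "no-inspection", ""}
    active = set(policies_using_sensor(raw_policies, sensor_name))
    return [p["policyid"] for p in cmdb_results(raw_policies)
            if p["policyid"] in active and p.get("ssl-ssh-profile", "") in blind]


# Constructed sample replies: the shape follows FortiOS cmdb responses, the values are invented.
CERTIFICATES_SAMPLE = json.dumps({
    "status": "success", "http_status": 200, "path": "vpn.certificate", "name": "local",
    "results": [{"name": "Fortinet_CA_SSL"}, {"name": "Fortinet_Factory"}],
})
SENSORS_SAMPLE = json.dumps({
    "status": "success", "http_status": 200, "path": "dlp", "name": "sensor",
    "results": [
        {"name": "Safetica-Confidential", "filter": [
            {"id": 1, "type": "file", "action": "log-only"},
            {"id": 2, "type": "message", "action": "block"}]},
        {"name": "Safetica-Internal", "filter": [
            {"id": 1, "type": "file", "action": "block"}]},
    ],
})
POLICIES_SAMPLE = json.dumps({
    "status": "success", "http_status": 200, "path": "firewall", "name": "policy",
    "results": [
        {"policyid": 1, "name": "LAN-to-WAN", "utm-status": "enable",
         "dlp-sensor": "Safetica-Confidential", "ssl-ssh-profile": "deep-inspection"},
        {"policyid": 2, "name": "Guest", "utm-status": "enable",
         "dlp-sensor": "Safetica-Confidential", "ssl-ssh-profile": "certificate-inspection"},
        {"policyid": 3, "name": "Mgmt", "utm-status": "disable",
         "dlp-sensor": "Safetica-Confidential", "ssl-ssh-profile": "deep-inspection"},
    ],
})
ERROR_SAMPLE = json.dumps({"status": "error", "http_status": 403})


if __name__ == "__main__":
    req = build_request("https://172.20.4.222", "<api-key>", "dlp/sensor")
    print("would call", req.full_url)  # live: urllib.request.urlopen(req).read() instead of the samples
    print("certificates:", certificate_names(CERTIFICATES_SAMPLE))
    print("filters still log-only:", log_only_filters(SENSORS_SAMPLE))
    print("policies applying the sensor:", policies_using_sensor(POLICIES_SAMPLE, "Safetica-Confidential"))
    print("of which blind to TLS:", policies_without_deep_inspection(POLICIES_SAMPLE, "Safetica-Confidential"))
```

A 403 on any of these calls from the Safetica server usually means the trusted-host prefix or the admin profile rights from the first section are wrong; a 403 from anywhere else is the expected effect of the trusted-host restriction. An empty list from policies_using_sensor means the sensor has been synced but is not yet in effect on any policy.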

 

FortiGate service alert 

If you want to make sure that your configured FortiGate integration keeps working, you can set up a Safetica service alert which will warn you when an error has occurred on a synchronized FortiGate appliance: 

  1. Log in to the Safetica Management Console 
  2. Go to Alerts and click on [New rule] 
  3. Follow the configuration wizard 
  4. When you reach the SERVICE ALERTS section, tick the FortiGate sync error alert 
  5. Finish the configuration wizard 
  6. Click on [Save settings] 

 
