FortiGate integration
Posted by Michael Skoupý, Last modified by Dana Balaštíková on 13 October 2020 03:31 PM

Please note that integration with FortiGate is only available in Safetica Enterprise.

Supported product versions

  • Safetica 9.3+
  • FortiGate running FortiOS 6.2+
    • FortiGate SSL inspection may be required for the integration to function properly.
    • FortiOS 6.2.2+ hides parts of the DLP configuration GUI; the functionality is still available and can be configured and reviewed from the FortiGate CLI.

Integrate FortiGate with Safetica

  1. Log in to FortiGate Management Console.
  2. Go to System/Admin Profiles and click [Create New].
  3. Choose a Name for your Safetica admin profile and make sure to set at least these required permissions:

     Access Control                          | Minimum required permissions | Required for
     ----------------------------------------+------------------------------+------------------------------------------------------------------------------------------
     Firewall                                | Read/Write                   | Getting information about SSL certificates and creating pre-configured firewall policies
     System > Configuration                  | Read                         | Getting information about SSL certificates
     Security Profile > Data Loss Prevention | Read/Write                   | Creating DLP sensors which detect Safetica classification
     VPN                                     | Read                         | Getting information about SSL certificates

  4. Go to System/Administrators and click [Create New > REST API Admin].
    • Choose a Username for your Safetica REST API Admin.
    • Under Administrator Profile select the profile created in the previous steps.
    • Leave PKI Group turned off; the integration authenticates with the API key, not with a client certificate.
    • Under Trusted Hosts make sure that your Safetica Management Server's IPv4 or IPv6 address is included (e.g. 192.20.30.40/32 or fe80:1e1f:802e:1af5:50af:fdc2:1a10:f414/128). Trusted Hosts is what limits where the API key can be used from, so list only the Safetica Management Server rather than a whole subnet.
    • Confirm by clicking [OK] and you will be shown the API key for your new Safetica REST API admin. Copy it to a secure place; FortiGate shows it only once.
  5. Log in to Safetica Management Console.
  6. Go to Maintenance/Integration settings/FortiGate Integration and click [Connect to FortiGate].
    • Enter your FortiGate address – you may use:
      1. An IP address, including the http(s):// prefix (e.g. https://192.10.20.30).
      2. A domain name (e.g. FORTIGATE).
    • Enter the FortiGate API key obtained in the previous steps.
    • Click [OK].
    • Once the connection is verified without errors, save your settings.


Synchronize FortiGate SSL inspection with Safetica

  1. Log in to Safetica Management Console.
  2. Go to Maintenance/Integration settings/FortiGate Integration, locate the relevant FortiGate instance and click [Edit].
  3. Turn on Import all SSL certificates and distribute them using Safetica.
  4. Click [OK].
  5. Save your settings.

When you refresh the view, all active SSL certificates from FortiGate will be listed in Safetica's Network Certificates section.

You can remove imported SSL certificates in FortiGate and then refresh the sync state in Safetica Management Console by clicking the [Refresh] button. Alternatively, you can remove all synced SSL certificates by turning off the option Import all SSL certificates and distribute them using Safetica.

If you need a more selective way to sync SSL certificates, you can import individual certificates manually under Network Certificates using the [Import] button.


Synchronize Safetica data classification with FortiGate

Since version 9.3, Safetica offers data classification stored in persistent metadata. Data categories which use this technology can be synchronized with FortiGate so that classified files are detected on the network and FortiGate can take action.

To configure automatic synchronization of Safetica data classification with FortiGate:

  1. Log in to Safetica Management Console.
  2. Go to Maintenance/Integration settings/FortiGate Integration, locate the relevant FortiGate instance and click [Edit].
  3. Turn on Create FortiGate policies for detecting Safetica data categories.
  4. You can switch between Log Only and Block actions to configure what will happen to Safetica-classified files detected by the FortiGate appliance.
  5. Click [OK].
  6. Save your settings.

Compatible Safetica data categories will be created on the FortiGate appliance as preconfigured DLP sensors and preconfigured but inactive IPv4 and IPv6 firewall policies.

You can either enable the preconfigured policies to activate the detection of Safetica classification on your FortiGate, or add the DLP sensor to one of your existing firewall policies with set dlp-sensor "<data category name>" in that policy's config firewall policy entry. In either case the policy must have security profiles enabled (set utm-status enable), otherwise the sensor is never applied, and, as noted under supported versions, an SSL inspection profile is needed to see files inside HTTPS traffic.

FortiGate DLP sensors created by Safetica will be named after Safetica data categories. What they detect and which action they take (Log Only or Block, as chosen above) is preconfigured. To review the new DLP sensors, use the following FortiGate CLI command:

# show dlp sensor


Policies created by Safetica will have the prefix “Safetica4” (IPv4) or “Safetica6” (IPv6) and will include a preconfigured set dlp-sensor parameter. To review the new IPv4 and IPv6 FortiGate policies, use the following FortiGate CLI commands:

# show firewall policy

# show firewall policy6
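To check the result of the synchronization from a saved copy of that CLI output rather than by reading it by eye, here is an added example (not Safetica's or Fortinet's code). It parses FortiOS "show" syntax and reports, for every policy whose name starts with Safetica4 or Safetica6, whether it is still inactive, whether the DLP sensor it references actually exists, and whether security profiles and SSL inspection are enabled on it. The pasted output, the policy names after the prefix and the sensor's filter settings are constructed samples; only the prefix and the set dlp-sensor parameter come from the article.

```python
"""Audit the firewall policies and DLP sensors Safetica creates on a FortiGate.
Added example, not Safetica's or Fortinet's code; the CLI paste below is a constructed
sample of 'show firewall policy', 'show firewall policy6' and 'show dlp sensor'."""
import shlex

SAMPLE_SHOW_OUTPUT = """\
config firewall policy
    edit 10
        set name "Safetica4 Confidential"
        set action accept
        set status disable
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set dlp-sensor "Confidential"
    next
    edit 12
        set name "Allow outbound"
        set action accept
        set nat enable
    next
end
config firewall policy6
    edit 3
        set name "Safetica6 Internal"
        set action accept
        set dlp-sensor "Internal"
    next
end
config dlp sensor
    edit "Confidential"
        set comment "Created by Safetica"
        config filter
            edit 1
                set name "Safetica classification"
                set proto smtp http-get http-post ftp
                set action block
            next
        end
    next
end
"""

def parse_fortios_show(text):
    """Parse FortiOS 'show' output into nested dicts: table -> entry id -> settings.
    A nested 'config' block sits under its own key; a multi-value 'set' becomes a list."""
    root = {}
    stack = [root]
    for line in text.splitlines():
        tokens = shlex.split(line)          # honours the double quotes FortiOS prints
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif keyword == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif keyword in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root

def audit_safetica_policies(config):
    """One finding per Safetica4*/Safetica6* policy, listing what stops it from working.
    'show' prints only non-default values: no 'status' means enable, no 'utm-status' means disable."""
    sensors = config.get("dlp sensor", {})
    findings = []
    for table in ("firewall policy", "firewall policy6"):
        for pid, policy in config.get(table, {}).items():
            name = policy.get("name", "")
            if not name.startswith(("Safetica4", "Safetica6")):
                continue
            sensor = policy.get("dlp-sensor")
            problems = []
            if policy.get("status", "enable") == "disable":
                problems.append("policy disabled (Safetica creates it inactive)")
            if policy.get("utm-status", "disable") != "enable":
                problems.append("utm-status disabled, so no security profile applies")
            if sensor is None:
                problems.append("no dlp-sensor")
            elif sensor not in sensors:
                problems.append(f"dlp-sensor {sensor!r} missing from 'config dlp sensor'")
            if "ssl-ssh-profile" not in policy:
                problems.append("no ssl-ssh-profile, so HTTPS uploads are not inspected")
            findings.append({"table": table, "id": pid, "name": name,
                             "dlp_sensor": sensor, "problems": problems})
    return findings

def sensor_actions(config):
    """Map each DLP sensor to its filters' actions (FortiOS default is log-only)."""
    return {name: [f.get("action", "log-only") for f in s.get("filter", {}).values()]
            for name, s in config.get("dlp sensor", {}).items()}

if __name__ == "__main__":
    cfg = parse_fortios_show(SAMPLE_SHOW_OUTPUT)
    for f in audit_safetica_policies(cfg):
        print(f["table"], f["id"], repr(f["name"]), "->", "; ".join(f["problems"]) or "OK")
    print(sensor_actions(cfg))
```

Feed it the real output of the three show commands (pasted into one file) instead of the sample. The check on status matters because Safetica creates the policies inactive, and the check on utm-status matters because a policy can carry a dlp-sensor value and still never apply it.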


FortiGate service alert

If you want to make sure that your configured FortiGate integration works correctly, you can set up a Safetica service alert. It will warn you when an error has occurred on a synchronized FortiGate appliance:

  1. Log in to Safetica Management Console.
  2. Go to Alerts and click [New rule].
  3. Follow the configuration wizard.
  4. When you reach the SERVICE ALERTS section, tick FortiGate sync error.
  5. Finish the configuration wizard.
  6. Save your settings.


Viewing FortiGate DLP logs

To view FortiGate logs generated by DLP sensors, use the following FortiGate CLI commands:

# execute log filter category utm-dlp

# execute log display

Sending FortiGate DLP logs to SIEM

Besides one-off viewing of FortiGate DLP logs using the above mentioned CLI commands, you can also have them automatically sent to your SIEM. Thus, an incident will not only be logged in your FortiGate appliance, but you will also have the log available for further use.

To enable this feature:

  1. Log in to Safetica Management Console.
  2. Go to Maintenance/Integration settings/FortiGate Integration.
  3. To add a new FortiGate appliance, click [Connect to FortiGate]. Otherwise, select the relevant FortiGate appliance and click [Edit].
  4. Enable Create FortiGate policies for detecting Safetica data categories. You can choose whether detected files should be blocked or just logged.
  5. Fill in your SIEM IPv4 or IPv6 address or fully qualified domain name (e.g. hostname.domain.com) into the SIEM IP address/FQDN for FortiGate DLP logs (optional) field. If you leave this field empty, detected files will still be logged or blocked, but the logs will not be sent to your SIEM.
  6. Click [OK].
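The records shown by execute log display and the records FortiGate forwards to the SIEM are the same key=value lines, so the same parser serves both the one-off review above and the SIEM side. The following is an added example, not Safetica's or Fortinet's code: it parses utm/dlp log lines, skips other log types, normalises the DLP fields into one JSON record per event and counts events per sensor and action. The three log lines are constructed samples in FortiOS 6.2 syntax; the logid values, policy IDs, addresses and file names are assumptions.

```python
"""Parse FortiGate utm-dlp log lines (the key=value records of 'execute log display'
and of FortiGate syslog) into normalised events for triage or SIEM ingestion.
Added example, not Safetica's or Fortinet's code; the log lines below are constructed."""
import json
import re
from collections import Counter
from datetime import datetime, timezone

SAMPLE_LOGS = [
    'date=2020-10-13 time=15:31:02 logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" '
    'level="warning" vd="root" eventtime=1602595862000000000 policyid=10 sessionid=338121 '
    'srcip=10.1.2.3 srcport=51234 srcintf="port2" dstip=203.0.113.10 dstport=443 dstintf="port1" '
    'proto=6 service="HTTPS" severity="high" user="" action="block" direction="outgoing" '
    'url="https://files.example.com/upload" filename="Q3 forecast.xlsx" filesize=52431 '
    'profile="Confidential" filteridx=1',
    'date=2020-10-13 time=15:32:40 logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" '
    'level="notice" vd="root" eventtime=1602595960000000000 policyid=10 sessionid=338190 '
    'srcip=10.1.2.7 srcport=50210 srcintf="port2" dstip=198.51.100.5 dstport=25 dstintf="port1" '
    'proto=6 service="SMTP" severity="medium" user="" action="log-only" direction="outgoing" '
    'filename="roadmap.docx" filesize=18020 profile="Internal" filteridx=1',
    # a plain traffic log, included to show that non-DLP records are skipped
    'date=2020-10-13 time=15:33:01 logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" vd="root" eventtime=1602595981000000000 srcip=10.1.2.3 dstip=203.0.113.10 '
    'action="accept" policyid=12',
]

# key=value pairs; a value is either a double-quoted string (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_kv(line):
    """Split one FortiOS log line into a dict, unquoting quoted values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields

def event_time_iso(raw):
    """FortiOS 6.2 prints eventtime as a nanosecond epoch; older releases used seconds."""
    n = int(raw)
    if n > 10**11:
        n //= 10**9
    return datetime.fromtimestamp(n, tz=timezone.utc).isoformat()

def normalize_dlp_event(fields):
    """Return a SIEM-friendly record for a utm/dlp log, or None for any other log type."""
    if fields.get("type") != "utm" or fields.get("subtype") != "dlp":
        return None
    return {
        "timestamp": event_time_iso(fields["eventtime"]),
        "sensor": fields.get("profile"),      # DLP sensor = Safetica data category name
        "action": fields.get("action"),       # "block" or "log-only"
        "policy_id": int(fields["policyid"]),
        "src": f"{fields.get('srcip')}:{fields.get('srcport')}",
        "dst": f"{fields.get('dstip')}:{fields.get('dstport')}",
        "service": fields.get("service"),
        "filename": fields.get("filename"),
        "filesize": int(fields.get("filesize", 0)),
        "url": fields.get("url"),             # present for HTTP(S) uploads only
        "severity": fields.get("severity"),
    }

def summarize(lines):
    """Normalise all DLP events and count them per (sensor, action)."""
    records = [r for r in (normalize_dlp_event(parse_kv(line)) for line in lines) if r]
    counts = Counter((r["sensor"], r["action"]) for r in records)
    return records, counts

if __name__ == "__main__":
    records, counts = summarize(SAMPLE_LOGS)
    for record in records:
        print(json.dumps(record))
    for (sensor, action), n in sorted(counts.items()):
        print(f"{sensor}: {action} x{n}")
```

The profile field is what ties a log back to Safetica: it carries the DLP sensor name, which is the Safetica data category. Note that date and time in the raw line are in the FortiGate's local time zone, while eventtime is an epoch value, which is why the record is built from eventtime.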