FortiGate integration
Posted by Michael Skoupý, Last modified by Michael Skoupý on 13 November 2019 02:38 PM

Supported product versions 

  • Safetica 9.3+ 
  • FortiGate running FortiOS 6.2+ 
    • FortiGate SSL inspection may be required for the integration to function properly
    • FortiOS 6.2.2+ hides parts of the DLP configuration GUI; however, the functionality is still available and accessible via the FortiGate CLI 

Integrate FortiGate with Safetica 

1. Log in to FortiGate management console
2. Go to System/Admin Profiles and click on [Create New] 
3. Choose a Name for your Safetica admin profile and make sure to set at least these required permissions: 

Access Control                            | Minimal required permission | Required for
Firewall                                  | Read/Write                  | Getting information about SSL certificates and creating pre-configured firewall policies
System > Configuration                    | Read                        | Getting information about SSL certificates
Security Profile > Data Loss Prevention   | Read/Write                  | Creating DLP sensors which detect Safetica classification
VPN                                       | Read                        | Getting information about SSL certificates

4. Go to System/Administrators and click on [Create New > REST API Admin]

  • Choose a Username for your Safetica REST API Admin 
  • Under Administrator Profile select the profile created in previous steps 
  • Turn PKI Group off 
  • Under Trusted Hosts make sure that your Safetica Management Server’s IPv4 or IPv6 address is included (e.g. 192.20.30.40/32 or fe80:1e1f:802e:1af5:50af:fdc2:1a10:f414/128)
  • Confirm by clicking [OK] and you will be shown the API key for your new Safetica REST API admin – copy it to a secure place 
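The same admin profile and REST API admin can be created from the FortiGate CLI, which is useful for scripting or for verifying that the GUI-created objects really carry only the minimal permissions from the table in step 3. The block below is an added example and is not part of the Safetica or Fortinet documentation; the profile name "Safetica-API-profile", the user name "safetica-api" and the trusted-host addresses are placeholders (the addresses are the sample values from the step above), and the option names are those of FortiOS 6.2 as the editor knows them, so confirm them with `?` in your own CLI before use.

```fortios
# Admin profile carrying only the minimal permissions from the table above.
# Placeholder name: "Safetica-API-profile".
config system accprofile
    edit "Safetica-API-profile"
        set fwgrp read-write           # Firewall: Read/Write
        set sysgrp custom              # System > Configuration: Read
        config sysgrp-permission
            set cfg read
        end
        set utmgrp custom              # Security Profile > Data Loss Prevention: Read/Write
        config utmgrp-permission
            set data-loss-prevention read-write
        end
        set vpngrp read                # VPN: Read
    next
end

# REST API admin bound to that profile; PKI group off (peer-auth disabled);
# trusted hosts restricted to the Safetica Management Server addresses
# (sample values from the step above).
config system api-user
    edit "safetica-api"
        set accprofile "Safetica-API-profile"
        set vdom "root"
        set peer-auth disable
        config trusthost
            edit 1
                set type ipv4-trusthost
                set ipv4-trusthost 192.20.30.40 255.255.255.255
            next
            edit 2
                set type ipv6-trusthost
                set ipv6-trusthost fe80:1e1f:802e:1af5:50af:fdc2:1a10:f414/128
            next
        end
    next
end

# Generate the API key. It is displayed once only; store it in a secure place.
execute api-user generate-key safetica-api
```

Keeping the trusted-host list to the exact /32 and /128 of the Safetica Management Server means a leaked API key cannot be used from any other source address, which is the check worth repeating after any later edit of the API admin in the GUI.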

5. Log in to Safetica Management Console
6. Go to Maintenance/Integration settings/FortiGate Integration and click on [Connect to FortiGate]

  • Enter your FortiGate address – you may use: 
    • An IP address including the http(s):// prefix (e.g. https://192.10.20.30)
    • A domain name (e.g. FORTIGATE) 
  • Enter your FortiGate API key obtained in previous steps 
  • Click on [OK] 
  • Once the connection is verified without errors, save your settings by clicking on [Save settings] 


Synchronize FortiGate SSL inspection with Safetica 

  1. Log in to Safetica Management Console 
  2. Go to Maintenance/Integration settings/FortiGate Integration, locate the relevant FortiGate instance and click on [Edit] 
  3. Turn on Import all SSL certificates and distribute them using Safetica 
  4. Click on [OK] 
  5. Click on [Save settings] 

When you refresh the view, all active SSL certificates from FortiGate will be listed in Safetica's Network Certificates section. 

To remove imported SSL certificates, you can remove them in FortiGate and refresh the sync state in Safetica Management Console by clicking on the [Refresh] button. Alternatively, to remove all synced SSL certificates, you can turn off Import all SSL certificates and distribute them using Safetica. 

If you need a more selective way to sync SSL certificates, you can import individual certificates manually under Network Certificates using the [Import] button. 


Synchronize Safetica data classification with FortiGate 

Since version 9.3 Safetica offers data classification stored in persistent metadata. Data categories that use this technology can be synchronized with FortiGate so that classified files are detected on the network and FortiGate can take action. 

To configure automatic synchronization of Safetica data classification with FortiGate: 

  1. Log in to Safetica Management Console 
  2. Go to Maintenance/Integration settings/FortiGate Integration, locate the relevant FortiGate instance and click on [Edit] 
  3. Turn on Create FortiGate policies for detecting Safetica data categories 
  4. You can switch between Log Only and Block actions to configure what will happen to Safetica-classified files when they are detected by the FortiGate appliance 
  5. Click on [OK] 
  6. Click on [Save settings] 

Compatible Safetica data categories will be created on the FortiGate appliance as preconfigured DLP sensors and preconfigured but inactive IPv4 and IPv6 firewall policies. 

You can either use the preconfigured policies to activate the detection of Safetica classification on your FortiGate, or you can simply add a set dlp-sensor parameter to one of your existing firewall policies. 

FortiGate DLP sensors created by Safetica will be named after Safetica data categories and will be preconfigured with what to detect and what action to take. To review the new DLP sensors, use the following FortiGate CLI command: 

# show dlp sensor 

Policies created by Safetica will have the prefix Safetica4 or Safetica6 and will include a preconfigured parameter set dlp-sensor. To review the new IPv4 and IPv6 FortiGate policies, use the following FortiGate CLI commands: 

# show firewall policy
# show firewall policy6 
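The following CLI sequence puts the two options from the text side by side: activating one of the preconfigured (inactive) Safetica4/Safetica6 policies, and attaching a Safetica-created DLP sensor to an existing policy of your own. This is an added example, not part of the Safetica documentation or of the objects Safetica creates; `<id>`, `<existing-id>` and the sensor name are placeholders to be read off the `show` output, and `deep-inspection` is the default FortiOS deep SSL inspection profile, assumed here because the requirements section notes that SSL inspection may be needed.

```fortios
# 1. Review what Safetica created. The sensors are named after your Safetica
#    data categories; the policies carry the prefix Safetica4 or Safetica6.
show dlp sensor
show firewall policy
show firewall policy6

# 2. Option A: activate a preconfigured Safetica4 policy. Replace <id> with the
#    policy ID shown by "show firewall policy"; it is created with status disabled.
config firewall policy
    edit <id>
        set status enable
    next
end

# 3. Option B: attach the Safetica DLP sensor to an existing IPv4 policy instead.
#    UTM must be enabled on the policy, and deep SSL inspection is assumed so the
#    sensor can see file contents inside HTTPS sessions.
config firewall policy
    edit <existing-id>
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set dlp-sensor "<Safetica data category name>"
        set logtraffic all
    next
end

# 4. Confirm a detection was logged (the page's own log commands).
execute log filter category utm-dlp
execute log display
```

Before enabling a policy in production, compare the `show` output of the Safetica-created policy against your own policy order: FortiGate evaluates policies top down, so a Safetica4 policy placed below a broader allow rule that lacks the sensor will never see the traffic. Whether the policy's inspection mode must be proxy-based for the sensor's filter types is a FortiOS question not covered on this page; check it in the FortiOS documentation for your release.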

FortiGate service alert 

If you want to make sure that your configured FortiGate integration works correctly, you can set up a Safetica service alert which will warn you when an error has occurred on a synchronized FortiGate appliance: 

  1. Log in to Safetica Management Console 
  2. Go to Alerts and click on [New rule] 
  3. Follow the configuration wizard 
  4. When you reach the SERVICE ALERTS section, tick the FortiGate sync error alert 
  5. Finish the configuration wizard 
  6. Click on [Save settings] 


Viewing FortiGate DLP logs 

To view FortiGate logs generated by DLP sensors, use the following FortiGate CLI commands: 

# execute log filter category utm-dlp
# execute log display 
