Here at AT&T Cybersecurity, we feel strongly that security should fit into your business, not the other way around. We lower the friction security brings to day-to-day operations through automating the essential security operations such as detection and response. By integrating different security products together to form a consolidated security architecture, companies can be protected with less effort.
Recently, we’ve taken another step on this journey by releasing a new pair of Advanced AlienApps for Fortinet. Our Advanced AlienApps for FortiGate and FortiManager join our suite of existing AlienApps for Fortinet to enable collection of data and security response across the entire Fortinet product suite.
The FortiGate and FortiManager integrations unlock multiple response actions that make SOC analysts aware of what’s happening with network security and allow them to respond to alarms quickly. Let’s take a look.
FortiGate: Easy Firewall Integration
The easiest, most straightforward integration comes via the FortiGate Advanced AlienApp. This AlienApp allows SOC analysts to send response actions from Alarms or Events directly to your Fortinet firewall. It is intended for use on a single firewall or HA pair of firewalls, and it allows the following response actions:
- Add a source or destination address to an Address Group. The most common use case for this integration is shown in the figure 2 – blocking access to a potentially malicious internet destination. This functionality can also be used to unblock addresses once the crisis is resolved.
- Add to custom category. If you are using URL filtering categories to block access to inappropriate or potentially dangerous web sites, this method will enable you to add a URL to one of your custom categories. Note that this is useful to block or unblock site
- Add address to static URL filter.
FortiManager Integration
Integration with FortiManager opens up more use cases. FortiManager typically controls many different firewalls in your environment. Consider the simple use case above – blocking access to a malware command and control. If there is only one way out of your network, then the FortiGate implementation has you covered, but if you have path diversity, with different exits in different parts of the world or with different providers, the FortiManager integration is needed.
This integration does the same set of actions, but communicates with the FortiManager instead of an individual firewall:
- Add address to Address Group, Custom Category, or URL filter rule
- Add address to Address. Group, Category, or URL using a rule
However, FortiManager will propagate the address group or URL rules down to all the firewalls in the infrastructure they apply to. This way, all the doors and windows can be closed the threat with a single response action from USM Anywhere. Note that it may take a couple of minutes for all the changes to occur.
Advanced AlienApp Dashboards
As with all Advanced AlienApps, we’ve included a rich dashboard for both FortiManager and FortiGate. The FortiManager dashboard above gives a quick look at active users, alert trends, and event types. The FortiGate dashboard includes events over time, top source countries, top destination countries, and events by action. While most of this information is also viewable in the FortiManager and FortiGate console, this dashboard gives you centralized security visibility, allowing you to see all your security dashboards in one place without needing to login to each product.
Try out these new AlienApps
AlienApps are included for all USM Anywhere customers at no extra charge. Try USM Anywhere by starting a Free 14-Day Trial of USM Anywhere today to see how AlienApps can help your organization work more efficiently to reduce the time between threat detection and response.
