As USM Anywhere surfaces events, alarms, and vulnerabilities, you can use Fortinet FortiManager actions to respond to the events in your environment. Rather than manually adding addresses in the FortiManager user interface (UI) and entering the relevant information, you can use the AlienApp for Fortinet FortiManager response actions to automatically manage your FortiManager firewall using information from your USM Anywhere environment. The table below shows these actions.
|Add Address to Static URL Filter||Run this action to add the source or destination address to a static URL filter in your FortiManager environment.|
|Add Address to Address Group||Run this action to add the destination address to a group in your FortiManager environment. If the group entered doesn't exist in FortiManager, it will be created by the action from USM Anywhere.|
|Add to Custom Category||Run this action to add an address to a group in your FortiManager environment.|
|Add Category to External Block List||Add items to your external block list using a custom category as a filter.|
|Add Domain to External Block List||Add a domain to your external block list.|
|Add IP Address to External Block List||Add an IP address to your external block list.|
To view information about these actions in USM Anywhere
- In USM Anywhere, go to Data Sources > AlienApps.
- Click the Available Apps tab.
- Search for the AlienApp, and then click the tile.
From here, you can click one of the following tabs to display more information.
- Actions: Displays information regarding the supported AlienApps actions.
- History: Displays information about the executed actions.
- Block List-IP Address: Displays the IP addresses in the external block list and enables you to modify them.
- Block List-Domain: Displays the domains in the external block list and enables you to modify them.
- Block List-Category: Displays the categories in the external block list and enables you to modify them.
Launch Actions from USM Anywhere
When you review the information in the Alarm Details, Event Details, or Vulnerability Details, you can easily launch an action to send a request to your connected FortiManager instance to add source or destination IP information from the event to existing FortiManager ADOMs. If you want to apply an action to similar events that occur in the future, you can also create orchestration rules directly from an action applied to an alarm, event, or vulnerability.
To launch a FortiManager response action for an alarm, event, or vulnerability
- Go to Activity > Alarms, Activity > Events, or Environment > Vulnerabilities.
- Click the alarm, event, or vulnerability to open the details.
- Click Select Action.
- In the Select Action dialog box, select Run FortiManager Action.
- Select the app action and fill out the fields that are populated below.
After USM Anywhere initiates the action for an alarm or event, it displays a confirmation dialog box.
If you want to create a rule to apply the action to similar items that occur in the future, click Create rule for similar alarms or Create rule for similar events and define the new rule. If not, click OK.
The external block lists for IP addresses, domains, and categories are all contained in the AlienApp for Fortinet FortiManager page (Data Sources > AlienApps > Fortinet FortiManager). For each tab, you can see the list of all the items on the block list, and you can remove individual items by clicking the icon next to the item. Each tab also contains three buttons above the list:
- Add: Opens a dialog box to add an IP address, domain, or category to the list.
- Import: Opens a dialog box to import a text file containing a list of IP addresses, domains, or categories to the list. This enables you to take your copied block list from another sensor and apply it to the current sensor.
- Export: Exports the entire IP address, domain, or category list as a downloadable .txt file. This enables you to copy your block list to another sensor.
- Clear: Clears the entire IP address, domain, or category list.
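When you copy block lists between sensors with Export and Import, it helps to merge and check the files before importing them. The following is an added example, not part of the product or its documentation; it assumes the exported .txt file holds one entry per line (the format is not stated on this page), and the function names and sample data are constructed for illustration.

```python
import ipaddress
import re

# Assumption: one entry per line; blank lines and '#' comments are skipped.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
# Ranges that should never reach a perimeter block list.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def classify(entry):
    """Return ('ip'|'domain', normalized value) or ('reject', reason)."""
    try:
        addr = ipaddress.ip_address(entry)
    except ValueError:
        name = entry.lower().rstrip(".")
        if DOMAIN_RE.match(name):
            return "domain", name
        return "reject", "not an IP address or domain"
    if any(addr in net for net in INTERNAL):
        return "reject", "internal or loopback address"
    return "ip", str(addr)

def merge_block_lists(*texts):
    """Merge exported lists into (ips, domains, rejected), de-duplicated."""
    ips, domains, rejected = set(), set(), []
    for text in texts:
        for raw in text.splitlines():
            entry = raw.strip()
            if not entry or entry.startswith("#"):
                continue
            kind, value = classify(entry)
            if kind == "ip":
                ips.add(ipaddress.ip_address(value))
            elif kind == "domain":
                domains.add(value)
            else:
                rejected.append((entry, value))
    ordered = sorted(ips, key=lambda a: (a.version, int(a)))
    return [str(a) for a in ordered], sorted(domains), rejected

# Constructed sample exports (documentation ranges and a reserved TLD).
SENSOR_A = "203.0.113.7\nmalware.example\n10.0.0.5\n"
SENSOR_B = "203.0.113.7\nMalware.Example.\n198.51.100.20\nnot a domain\n2001:db8::1\n"

if __name__ == "__main__":
    ips, domains, rejected = merge_block_lists(SENSOR_A, SENSOR_B)
    print("\n".join(ips + domains))
    for entry, reason in rejected:
        print(f"skipped {entry!r}: {reason}")
```

Review the rejected entries before importing: an internal address on a block list usually points to an orchestration rule that fired on the wrong side of an event.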