AlienApp for Fortinet FortiManager Actions

As USM Anywhere surfaces events, alarms, and vulnerabilities, you can use Fortinet FortiManager actions to respond to the events in your environment. Rather than manually adding addresses in the FortiManager user interface (UI) and entering the relevant information, you can use the AlienApp for Fortinet FortiManager response actions to automatically manage your FortiManager firewall using information from your USM Anywhere environment. The table below shows these actions.

Example of Alarms Generated from the Fortigate AlienApp
| Action | Description |
| --- | --- |
| Add Address to Static URL Filter | Run this action to add the source or destination address to a static URL filter in your FortiManager environment. |
| Add Address to Address Group | Run this action to add the destination address to a group in your FortiManager environment. If the group entered doesn't exist in FortiManager, it will be created by the action from USM Anywhere. |
| Add to Custom Category | Run this action to add an address to a group in your FortiManager environment. |
| Add Category to External Block List | Run this action to add items to an external block list using a custom category as a filter. |
| Add Category to External Block List | Run this action to add a category to an external block list to restrict its access. |
| Add Domain to External Block List | Run this action to add a domain to an external block list to restrict its access. |
| Add IP Address to External Block List | Run this action to add an IP address into an external block list to restrict its access. |
| Add IP Address to External Block List | Run this action to add an IP address to an external block using a predefined rule to restrict its access. |
| Get External Block List | Run this action to retrieve the external block list. |

To view information about these actions in USM Anywhere

  1. In USM Anywhere, go to Data Sources > AlienApps.
  2. Click the Available Apps tab.
  3. Search for the AlienApp, and then click the tile.
  4. From here, you can click one of the following tabs to display more information.

    • Actions: Displays information regarding the supported AlienApps actions.
    • History: Displays information about the executed actions.
    • Block List-IP Address: Displays the IP addresses in the external block list and enables you to modify them.
    • Block List-Domain: Displays the domains in the external block list and enables you to modify them.
    • Block List-Category: Displays the categories in the external block list and enables you to modify them.

Launch Actions from USM Anywhere

When you review the information in the Alarm Details, Event Details, or Vulnerability Details, you can easily launch an action to send a request to your connected FortiManager instance to add source or destination IP information from the event to existing FortiManager ADOMs. If you want to apply an action to similar events that occur in the future, you can also create orchestration rules directly from an action applied to an alarm, event, or vulnerability.

To launch a FortiManager response action for an alarm, event, or vulnerability

  1. Go to Activity > Alarms, Activity > Events, or Environment > Vulnerabilities.
  2. Click the alarm, event, or vulnerability to open the details.
  3. Click Select Action.
  4. In the Select Action dialog box, select Run FortiManager Action.

  5. Select the app action and fill out the fields that are populated below.

  6. Click Run.

    After USM Anywhere initiates the action for an alarm or event, it displays a confirmation dialog box.

    If you want to create a rule to apply the action to similar items that occur in the future, click Create rule for similar alarms or Create rule for similar events and define the new rule. If not, click OK.

External Block List

The external block lists for IP addresses, domains, and categories are all contained in the AlienApp for Fortinet FortiManager page (Data Sources > AlienApps > Fortinet FortiManager). For each tab, you can see the list of all the items on the block list, and you can remove individual items by clicking the icon next to the item. Each tab also contains three buttons above the list:

  • Add: Opens a dialog box to add an IP address, domain, or category to the list.
  • Import: Opens a dialog box to import a text file containing a list of IP addresses, domains, or categories into the list. This enables you to take your copied block list from another sensor and apply it to the current sensor.
  • Export: Exports the entire IP address, domain, or category list as a downloadable .txt file. This enables you to copy your block list to another sensor.
  • Clear: Clears the entire IP address, domain, or category list.