USM Anywhere™

Configuring the AlienApp for Fortinet FortiManager

Role Availability Read-Only Analyst Manager

To use the FortiManager App in USM Anywhere, you first need to log in to FortiManager to create an administrator account for connection with USM Anywhere.

To create the administrator account in FortiManager

  1. Log in to the FortiManager graphical user interface (GUI).
  2. Go to System Settings > System Settings.
  3. On the dashboard panel, go to Admin > Administrators and click Create New.
  4. In the New Administrator window, enter a name and password for the new account and enable the following settings:

    Admin Profile: Super_User

    Administrative Domain: All ADOMs

    Policy Package Access: All Packages

    JSON API Access: Read-Write

  5. Click OK to save the new administrator profile.

Connecting the AlienApp for Fortinet FortiManager in USM Anywhere

After you obtain the credentials, you must configure the connection within USM Anywhere.

To enable the AlienApp for Fortinet FortiManager

  1. In USM Anywhere, go to Data Sources > AlienApps.
  2. Click the Available Apps tab.
  3. Search for the AlienApp, and then click the tile.
  4. Click Configure API.
  5. If you have more than one deployed USM Anywhere Sensor, select the sensor that you want to use for the enabled AlienApp.

    AlienApps operate through a deployed sensor and use APIs to integrate with the connected third-party technology. Select the sensor that can access the integration endpoint. The HTTPS connections to the API will originate from this sensor, so it is important to make sure the sensor has network access to the AlienApp API endpoints.

  6. Enter the IP Address or FQDN.

  7. Enter the username for the account you created in the FortiManager GUI.
  8. (Optional) Select the Validate HTTPS host name and Require CA certificate checkboxes and enter the certificate authority (CA) certificate if you want to use this option.
  9. Click Save.

Uploading a CA Certificate (Optional)

If you leave the Require CA Certificate checkbox deselected, the AlienApp uses the browser's default trust store. When you select the Require CA Certificate checkbox, the certificate entered in the CA Certificate field takes precedence and is the only certificate trusted by the client.

There are two major use cases that might require you to upload your own certificate in the CA Certificate field:

  • The firewall was deployed with a self-signed Secure Sockets Layer (SSL) certificate. A certificate like this is typically generated on the firewall at the time of deployment. In this case, you need to export that self-signed certificate from the firewall and paste it into the CA Certificate field.
  • You have deployed the firewall with an SSL certificate signed by your own CA. In this case, you need to import the root and intermediate certificates, if any, from your CA. This way, the AlienApp has the same trusted certificate chain that is deployed on your firewall.
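
One way to check a CA bundle before pasting it into the CA Certificate field, shown as an added example that is not part of the original documentation. It builds a constructed lab chain (root, intermediate, server) with the openssl command-line tool, which is assumed to be installed; the host name fmg.example.internal, the file names, and the helper functions are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Constructed lab PKI (root -> intermediate -> server); nothing here
# comes from a real FortiManager. Host name and file names are assumptions.
set -eu
host=fmg.example.internal
lab=$(mktemp -d)
trap 'rm -rf "$lab"' EXIT

# issue NAME CN EXT [SIGNER]: make a key and CSR, then self-sign or sign with SIGNER.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$lab/$1.key" -out "$lab/$1.csr" 2>/dev/null
  if [ -n "${4:-}" ]; then
    signer="-CA $lab/$4.pem -CAkey $lab/$4.key -CAcreateserial"
  else
    signer="-signkey $lab/$1.key"
  fi
  # $signer is left unquoted on purpose so it splits into separate options.
  openssl x509 -req -in "$lab/$1.csr" $signer -days 2 \
    -extfile "$lab/$3.ext" -out "$lab/$1.pem" 2>/dev/null
}

# bundle_validates BUNDLE CERT HOST: succeed only if BUNDLE, used as the sole
# trust store (-no-CApath skips the system directory), validates CERT for HOST.
bundle_validates() {
  openssl verify -no-CApath -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$lab/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > "$lab/leaf.ext"
issue root 'Lab Root CA' ca
issue int 'Lab Intermediate CA' ca root
issue leaf "$host" leaf int
cat "$lab/root.pem" "$lab/int.pem" > "$lab/chain.pem"   # root + intermediate

for bundle in root chain; do
  if bundle_validates "$lab/$bundle.pem" "$lab/leaf.pem" "$host"; then
    echo "$bundle.pem as CA certificate: server certificate accepted"
  else
    echo "$bundle.pem as CA certificate: server certificate rejected"
  fi
done
```

To check real material, point bundle_validates at the PEM you plan to paste and at the server certificate exported from FortiManager, with the address you enter in the IP Address or FQDN field as the host.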