USM Anywhere™

Configuring the AlienApp for Fortinet FortiManager

Role Availability Read-Only Analyst Manager

To use the Fortinet FortiManager App in USM Anywhere, you first need to log in to FortiManager to create an administrator account for connection with USM Anywhere.

To create the administrator account in FortiManager

  1. Log in to the FortiManager graphical user interface (GUI).
  2. Go to System Settings > System Settings.
  3. On the dashboard panel, go to Admin > Administrators and click Create New.
  4. In the New Administrator window, enter a name and password for the new account and enable the following settings:

    • Admin Profile: Super_User
    • Administrative Domain: All ADOMs
    • Policy Package Access: All Packages
    • JSON API Access: Read-Write
  5. Click OK to save the new administrator profile.

Connecting the AlienApp for Fortinet FortiManager in USM Anywhere

After you obtain the credentials, you must configure the connection within USM Anywhere.

To enable the AlienApp for Fortinet FortiManager

  1. In USM Anywhere, go to Data Sources > AlienApps.
  2. Click the Available Apps tab.
  3. Search for the AlienApp, and then click the tile.
  4. Click Configure API.
  5. If you have more than one deployed USM Anywhere Sensor, select the sensor that you want to use for the enabled AlienApp.

    AlienApps operate through a deployed sensor and use APIs to integrate with the connected third-party technology. Select the sensor that can access the integration endpoint. The HTTPS connections to the API will originate from this sensor, so it is important to make sure the sensor has network access to the AlienApp API endpoints.

  6. Enter the IP Address or FQDN.

  7. Enter the username for the account you created in the FortiManager GUI.
  8. (Optional) Select the Validate HTTPS host name and Require CA certificate checkboxes, and then enter the certificate authority (CA) certificate, if you want to use this option.
  9. (Optional) Create a name and password for the external block list.
  10. Click Save.

Create and Link Credentials for the External Block Lists (Optional)

The AlienApp for Fortinet FortiManager can utilize USM Anywhere to populate and manage external block lists for IP addresses, domains, and FortiGuard categories. To use the external block lists feature in USM Anywhere, you need to create a name and password in the AlienApp for Fortinet FortiManager API configurations page and enter it into your FortiManager instance. See the Fortinet documentation on Threat Feed configuration for further details.

To configure the external block list connection in FortiManager

  1. Log in to the FortiManager graphical user interface (GUI).
  2. Go to Policy & Objects > Threat Feeds.
  3. Click Create New.
  4. Select either FortiGuard Category, IP Addresses, or Domain Name to create a connected block list for the selected item.
  5. Enter a name for the new threat feed.
  6. In the URI of external resource field, your URI will be populated as follows:

    http://192.168.1.1:0/apps/apiActions/fortiGate/getblocklist?

    Following the question mark, you need to enter either type=ipaddress, type=domain, or type=category, depending on which you are creating a threat feed for.

  7. Enter the username and password you created previously in the AlienApp for Fortinet FortiManager Configure API page in AlienVault.
  8. (Optional) Enter the Category ID, Refresh Rate, and Comments.
  9. Click OK to save the new Threat Feed.
  10. Repeat steps 3-9 for each block list (Category, IP Addresses, and Domain Name).

Uploading a CA Certificate (Optional)

If you leave the Require CA Certificate checkbox deselected, the AlienApp uses the browser's default trust store. When you select the Require CA Certificate checkbox, the certificate entered in the CA Certificate field takes precedence and is the only certificate trusted by the client.

There are two major use cases that might require you to upload your own certificate in the CA Certificate field:

  • The firewall was deployed with a self-signed Secure Sockets Layer (SSL) certificate. A certificate like this is typically generated on the firewall at the time of deployment. In this case, you need to export that self-signed certificate from the firewall and paste it into the CA Certificate field.
  • You have deployed the firewall with an SSL certificate signed by your own CA. In this case, you need to import the root and intermediate certificates, if any, from your CA. This way, the AlienApp has the same trusted certificate chain that is deployed on your firewall.
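
Because the pasted certificate becomes the only one the client trusts, it helps to check the text before saving it. The following Python check is an added example, not part of the original documentation or the AlienApp's code: it confirms that the text contains only well-formed certificate blocks, flags a private key pasted by mistake, and prints a SHA-256 fingerprint per block to compare with the certificates you exported. The names `inspect_ca_field` and `make_pem` are hypothetical, the sample bundle is constructed placeholder data, and the check is structural only (it does not validate signatures or the chain).

```python
import base64
import hashlib
import re

# Matches any PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def inspect_ca_field(text):
    """Structural pre-check only; it does not validate signatures or the chain.

    Returns (fingerprints, problems): SHA-256 hex digests of each certificate
    block, and a list of reasons the text should not be pasted as-is.
    """
    fingerprints, problems = [], []
    for label, body in PEM_BLOCK.findall(text):
        if "PRIVATE KEY" in label:
            problems.append("private key block present; remove it")
        elif label != "CERTIFICATE":
            problems.append(f"unexpected block type: {label}")
        else:
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                problems.append("certificate block is not valid base64")
                continue
            if der[:1] != b"\x30":  # X.509 DER always starts with a SEQUENCE tag
                problems.append("decoded block is not a DER SEQUENCE")
            else:
                fingerprints.append(hashlib.sha256(der).hexdigest())
    if not fingerprints:
        problems.append("no usable CERTIFICATE block found")
    return fingerprints, problems


def make_pem(label, payload):
    """Wrap bytes in PEM armor (used here to build constructed sample input)."""
    b64 = base64.encodebytes(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n"


# Constructed placeholders, not real certificates or keys.
ROOT_DER = b"\x30\x0e" + b"constructed-ro"
INTERMEDIATE_DER = b"\x30\x0e" + b"constructed-im"
SAMPLE_BUNDLE = make_pem("CERTIFICATE", INTERMEDIATE_DER) + make_pem("CERTIFICATE", ROOT_DER)

if __name__ == "__main__":
    prints, issues = inspect_ca_field(SAMPLE_BUNDLE)
    print(len(prints), "certificate block(s):", prints, "problems:", issues)
```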