Configuring the BlueApp for Fortinet FortiGate

Role Availability Read-Only Investigator Analyst Manager

To use the BlueApp for Fortinet FortiGate in USM Anywhere, you first need to log in to FortiGate to create and obtain the API token.

To generate the API token in FortiGate

  1. Log in to the FortiGate graphical user interface (GUI).
  2. From the Status dashboard, click the Administrators widget.
  3. Click your user ID and select Show active administrator sessions.
  4. Write down or copy the source address shown for your user ID.

    This will be used for the API's Trusted Host field in step 8. The Trusted Host field limits the source addresses from which the token is accepted; because the BlueApp's API requests originate from the USM Anywhere Sensor, the sensor's address must also be permitted there.

  5. Go to System > Admin Profiles > Create New to create a new administrator profile.
  6. Enter a name and change the Firewall and Security Profile access permissions to Read/Write (the other permissions can remain set to Read), and then click OK.
  7. Go to System > Administrators > Create New > REST API Admin.
  8. Enter all required values and use the source address you copied previously for the Trusted Host field.
  9. Click OK to generate the API token.

    Write down or copy the API token to use later when configuring the BlueApp in USM Anywhere.
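    The same configuration can be applied from the FortiGate command line. The following is an added example, not part of the original page or of Fortinet's documentation; the profile name, the API user name and the sensor address 10.0.0.50 are placeholders. The Trusted Host entry here is the address of the USM Anywhere Sensor, since that is where the BlueApp's API requests originate (the GUI steps above use your own session's source address; add a second trusthost entry for it if you also want to test the token from your workstation).

```text
# Added example: FortiOS CLI equivalent of steps 5 to 9.
# Names and the sensor address 10.0.0.50 are placeholders.

# Steps 5-6: least-privilege admin profile. The Firewall and
# Security Profile groups get read-write; everything else stays
# read-only. Group names vary slightly between FortiOS versions.
config system accprofile
    edit "usm-anywhere-api"
        set fwgrp read-write
        set utmgrp read-write
        set sysgrp read
        set netgrp read
        set loggrp read
        set vpngrp read
        set authgrp read
    next
end

# Steps 7-8: REST API admin bound to that profile. The trusthost
# entry limits the source addresses from which the token is accepted.
config system api-user
    edit "usm-anywhere"
        set accprofile "usm-anywhere-api"
        set vdom "root"
        config trusthost
            edit 1
                set type ipv4-trusthost
                set ipv4-trusthost 10.0.0.50 255.255.255.255
            next
        end
    next
end

# Step 9: generate the token. It is displayed once; copy it for the
# FortiGate Access Token field in USM Anywhere.
execute api-user generate-key usm-anywhere
```

    Running generate-key again for the same API user replaces the existing token, so if you rotate it you must also update the token stored in the BlueApp configuration.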

Connecting the BlueApp for Fortinet FortiGate in USM Anywhere

After obtaining the API token, configure the connection within USM Anywhere.

To enable the BlueApp for Fortinet FortiGate

  1. In USM Anywhere, go to Data Sources > BlueApps.
  2. Click the Available Apps tab.
  3. Search for the BlueApp, and then click the tile.
  4. Click Configure API.
  5. If you have more than one deployed USM Anywhere Sensor, select the sensor that you want to use for the enabled BlueApp.

    BlueApps operate through a deployed sensor and use APIs to integrate with the connected third-party technology. Select the sensor that can access the integration endpoint. The HTTPS connections to the API will originate from this sensor, so it is important to make sure the sensor has network access to the BlueApp API endpoints.

  6. Enter your information into the following fields:

    • FortiGate Firewall IP Address/Host Name
    • Port (must be port 443)
    • FortiGate Access Token
  7. (Optional) Select the Validate HTTPS host name and Require CA certificate checkboxes and enter the certificate authority (CA) certificate if you want to use these options. Validate HTTPS host name checks that the name in the firewall's certificate matches the host name or address you entered in step 6, so enable it only if the certificate carries that name.

  8. Click Save.
  9. Verify the connection.

    After USM Anywhere completes a successful connection to the FortiGate APIs, a success icon displays in the Health column.

    If an error icon displays instead, there is a problem with the connection. The Message column provides information about the issue. Repeat the steps to fix the configuration or troubleshoot your FortiGate connection. Typical causes are a Trusted Host entry that does not include the sensor's address, an admin profile without the permissions described above, or a firewall certificate that fails the validation options selected in step 7.

Uploading a CA Certificate (Optional)

If you leave the Require CA Certificate checkbox deselected, the BlueApp validates the firewall's certificate against the default trust store of the USM Anywhere Sensor that makes the connection. When you select the Require CA Certificate checkbox, the certificate entered in the CA Certificate field takes precedence and is the only trust anchor the client accepts.

There are two major use cases that might require you to upload your own certificate in the CA Certificate field:

  • The firewall was deployed with a self-signed Secure Sockets Layer (SSL) certificate. A certificate like this is typically generated on the firewall at the time of deployment. In this case, export that self-signed certificate from the firewall and paste it into the CA Certificate field; because the certificate is its own issuer, it acts as the trust anchor.
  • You deployed the firewall with an SSL certificate signed by your own CA. In this case, import the root certificate and any intermediate certificates from your CA, so that the BlueApp trusts the same certificate chain that is deployed on your firewall.

Forwarding FortiGate Syslog Messages to USM Anywhere

To collect logs from Fortinet FortiGate, you can configure logging in Log & Report > Log Settings and send all the syslog messages to the USM Anywhere Sensor IP address. See Configure logging to other syslog servers for detailed instructions from the vendor.
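As an added example (not from the original page or from the vendor guide it links to), the equivalent FortiOS CLI for sending FortiGate syslog to a USM Anywhere Sensor at the placeholder address 10.0.0.50:

```text
# Added example; 10.0.0.50 stands for your USM Anywhere Sensor.
config log syslogd setting
    set status enable
    set server "10.0.0.50"
    set mode udp
    set port 514
    set facility local7
    set format default
end
# Forward events of severity "information" and above. Traffic logs
# are logged at "notice", so this setting includes them.
config log syslogd filter
    set severity information
end
```

Use `set mode reliable` instead of `set mode udp` if you need syslog over TCP; whichever transport you choose, the sensor's syslog listener must be reachable from the firewall on that port.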

Forwarding FortiAnalyzer Syslog Messages to USM Anywhere

If you use Fortinet FortiAnalyzer, you can also configure FortiAnalyzer to forward logs to the USM Anywhere Sensor IP address. See the FortiAnalyzer log forwarding guide for detailed instructions from the vendor.