FortiEDR Fabric Integration Guide Rev2
Integration Guide
Table of Contents
Chapter 1 – Overview .... 3
Chapter 2 – Using FortiEDR Syslog for Threat Visibility and Event Analysis .... 4
    FortiEDR Syslog Configuration .... 4
Chapter 3 – Using FortiEDR Connectors for Automated Incident Response and Enhanced Detection .... 6
    Prerequisites .... 6
    FortiGate Integration – Automatically Block Malicious Destinations .... 6
    FortiSandbox Integration – Enhanced Detection .... 11
Appendix A – Creating a FortiEDR User with API Permissions .... 14
www.fortinet.com 2
FortiEDR Fabric Integration Guide
Chapter 1 – Overview
FortiEDR provides real-time endpoint security on top of next-generation AV (NGAV) and automated incident response. When working together with other elements of the Fortinet Security Fabric, it enhances network visibility and threat detection and provides the means for a synchronized, coordinated response.
With its various export capabilities and rich REST APIs, FortiEDR integrates easily with other Fortinet components. This guide describes both the Syslog and the Connector integration methods and explains the required configuration steps, focusing on two use cases.
The following table summarizes FortiEDR integration options with various elements of the Fortinet Security Fabric.
FortiEDR Integration   FortiGate   FortiManager   FortiSandbox   FortiNAC   FortiAnalyzer   FortiSIEM   FortiSOAR
Syslog                 V V V V
Connector              V V V
6. Select the Syslog row and then use the sliders in the NOTIFICATIONS pane on the right to enable sending security events.
7. Click the Settings button next to Security Events and then check the Syslog message fields of your choice.
8. Click Save. FortiEDR security events will now be sent as Syslog messages to the configured destination server. For more details, refer to the FortiEDR Installation and Administration Guide.
Prerequisites
The following prerequisites are required to set up FortiEDR connectors:
• The FortiEDR deployment must include an on-premise Core that has connectivity to the FortiGate server.
• The FortiEDR Central Manager must have connectivity to Fortinet Cloud Services (FCS).
• A valid FortiEDR user with API permissions to FortiEDR is required. To define this user, refer to Appendix A, Creating a FortiEDR User with API Permissions on page 14.
• A valid API user with access to FortiGate or FortiSandbox is required. Make sure that the IP of the on-premise FortiEDR Core is specified as Trusted Hosts for this API user as shown below:
[1] After the FortiGate Address Groups maximum value is reached, old group members are overridden by new ones.
FortiGate Configuration
1. Go to Policy & Objects > Addresses.
2. Create a new address group to be populated by FortiEDR. The new address group now appears in the FortiGate Addresses table.
• Enabled: true/false for enabling or disabling this connector’s incident response action.
• AirActionExecutingCoreName: The FortiEDR on-premise Core name entered during its installation. See the Prerequisites section on page 6 for more details. You can locate the Core’s name in the INVENTORY > SYSTEM COMPONENTS page in the FortiEDR Console, as shown below:
• FortigateUser[2]: The FortiGate API user. See the Prerequisites section on page 6 for more details.
• FortigatePassword: The FortiGate API password. See the Prerequisites section on page 6 for more details.
• FortigateIpAddress: The IP address of the FortiGate server.
• FortigatePolicyGroupName: The name of the FortiGate address group that was previously defined. See the FortiGate Configuration section on page 7 for more details.
For example, the following figures show the Authorization, Headers and Body of an API request that was sent using Postman to the FortiEDR Central Manager with IP address 130.211.75.199, which is connecting to FortiGate with IP address 10.51.122.63:
[2] Alternatively, an API token can be used instead of the FortiGate user and password.
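The following is an added example (not Fortinet's code) that checks a FortiGate connector configuration against the parameter list and prerequisites above before it is sent to the Central Manager: the page's parameter names are used as-is, the key name FortigateApiToken for the token alternative in footnote 2, the Core IP and the Trusted Hosts list are assumptions, and the Central Manager endpoint path is left out because the guide only shows it in figures.

```python
"""Validate a FortiEDR FortiGate connector config and build the API call.

Added example, not Fortinet's code. Parameter names follow the guide;
'FortigateApiToken' is an assumed key for the footnote 2 alternative.
"""
import base64
import ipaddress
import json

# Keys the guide lists as connector parameters (password handled separately).
REQUIRED = ("Enabled", "AirActionExecutingCoreName", "FortigateUser",
            "FortigateIpAddress", "FortigatePolicyGroupName")


def core_is_trusted_host(core_ip: str, trusted_hosts) -> bool:
    """Prerequisite: the on-premise Core IP must fall inside one of the
    FortiGate API user's Trusted Hosts (single IPs or CIDR ranges)."""
    ip = ipaddress.ip_address(core_ip)
    return any(ip in ipaddress.ip_network(h, strict=False) for h in trusted_hosts)


def validate_connector(cfg: dict, core_ip: str, trusted_hosts) -> list:
    """Return a list of problems; an empty list means the config is acceptable."""
    problems = []
    for key in REQUIRED:
        if key != "Enabled" and not cfg.get(key):
            problems.append(f"missing {key}")
    if not isinstance(cfg.get("Enabled"), bool):
        problems.append("Enabled must be true or false")
    try:
        ipaddress.ip_address(cfg.get("FortigateIpAddress", ""))
    except ValueError:
        problems.append("FortigateIpAddress is not a valid IP address")
    # Footnote 2: an API token may replace the FortiGate user password.
    if not (cfg.get("FortigatePassword") or cfg.get("FortigateApiToken")):
        problems.append("supply FortigatePassword or FortigateApiToken")
    if not core_is_trusted_host(core_ip, trusted_hosts):
        problems.append(f"Core {core_ip} is not in the API user's Trusted Hosts")
    return problems


def build_request(cfg, core_ip, trusted_hosts, cm_user, cm_password) -> dict:
    """Headers and JSON body for the Central Manager call, using basic
    authentication with the FortiEDR API user created in Appendix A."""
    problems = validate_connector(cfg, core_ip, trusted_hosts)
    if problems:
        raise ValueError("; ".join(problems))
    token = base64.b64encode(f"{cm_user}:{cm_password}".encode()).decode()
    return {"headers": {"Authorization": f"Basic {token}",
                        "Content-Type": "application/json"},
            "body": json.dumps(cfg, sort_keys=True)}
```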
• FortiSBUser: The FortiSandbox API user. See the Prerequisites section on page 6 for more details.
• FortiSBPassword: The FortiSandbox API password. See the Prerequisites section on page 6 for more details.
• FortiSBIpAddress: The IP address of the FortiSandbox server.
7. When prompted, change the initial password to a new permanent one. The new REST API user is now ready to perform API calls using basic authentication by supplying its username and password for each API call.