FortiGate
This Integration is part of the FortiGate Pack.#
Overview
Use the Fortinet FortiGate integration to manage firewall settings and groups.
We recommend that users have an API account that is set to root vdom in order to access all commands.
This integration was integrated and tested with FortiOS 5.6.8
Configure FortiGate on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services .
- Search for FortiGate.
-
Click
Add instance
to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Server URL (e.g. 192.168.0.1)
- Account username
- Account password
- Trust any certificate (not secure)
- Use system proxy settings
- Click Test to validate the URLs, username + password, and connection.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Get all address objects from the firewall: fortigate-get-addresses
- Get information about service groups: fortigate-get-service-groups
- Update a service group: fortigate-update-service-group
- Delete a service group: fortigate-delete-service-group
- Get service information: fortigate-get-firewall-service
- Create a firewall service: fortigate-create-firewall-service
- Get firewall policy information: fortigate-get-policy
- Update a firewall policy: fortigate-update-policy
- Create a firewall policy: fortigate-create-policy
- Relocate a firewall policy: fortigate-move-policy
- Delete a firewall policy: fortigate-delete-policy
- Get information for address groups: fortigate-get-address-groups
- Update an address group: fortigate-update-address-group
- Create an address group: fortigate-create-address-group
- Delete an address group: fortigate-delete-address-group
- Add an address to a banned list: fortigate-ban-ip
- Clear a list of banned addresses: fortigate-unban-ip
- Get a list of banned addresses: fortigate-get-banned-ips
- Creates a new address object: fortigate-create-address
- Delete an address object: fortigate-delete-address
1. Get all address objects from the firewall
Returns all address objects from your firewall.
Base Command
fortigate-get-addresses
Input
| Argument Name | Description | Required |
|---|---|---|
| address | Filter by address (IP or domain) | Optional |
| name | Filter by address name | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Fortigate.Address.Name | string | Address name |
| Fortigate.Address.Subnet | string | Address subnet |
| Fortigate.Address.StartIP | string | Address object start IP address |
| Fortigate.Address.EndIP | string | Address object end IP address |
Command Example
!fortigate-get-addresses
Context Example
Fortigate:{} 2 items
Address:[] 8 items
0:{} 4 items
EndIP:0.0.0.0
Name:FIREWALL_AUTH_PORTAL_ADDRESS
StartIP:0.0.0.0
Subnet:0.0.0.0-0.0.0.0
1:{} 4 items
EndIP:10.212.134.210
Name:SSLVPN_TUNNEL_ADDR1
StartIP:10.212.134.200
Subnet:10.212.134.200-10.212.134.210
2:{} 4 items
EndIP:0.0.0.0
Name:all
StartIP:0.0.0.0
Subnet:0.0.0.0-0.0.0.0
3:{} 4 items
EndIP:0.0.0.0
Name:autoupdate.opera.com
StartIP:0.0.0.0
Subnet:0.0.0.0-0.0.0.0
4:{} 4 items
EndIP:0.0.0.0
Name:google-play
StartIP:0.0.0.0
Subnet:0.0.0.0-0.0.0.0
5:{} 4 items
EndIP:255.255.255.255
Name:none
StartIP:0.0.0.0
Subnet:0.0.0.0-255.255.255.255
6:{} 4 items
EndIP:0.0.0.0
Name:swscan.apple.com
StartIP:0.0.0.0
Subnet:0.0.0.0-0.0.0.0
7:{} 4 items
EndIP:0.0.0.0
Name:update.microsoft.com
StartIP:0.0.0.0
Subnet:0.0.0.0-0.0.0.0
Human Readable Output
2. Get information about service groups
Returns information about FortiGate service groups.
Base Command
fortigate-get-service-groups
Input
| Argument Name | Description | Required |
|---|---|---|
| name | Filter by group name | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Fortigate.ServiceGroup.Name | string | Service group name |
| Fortigate.ServiceGroup.Members | string | Service group member name |
Command Example
!fortigate-get-service-groups
Context Example
ServiceGroup:[] 5 items
0:{} 2 items
Members:[] 7 items
0:DNS
1:IMAP
2:IMAPS
3:POP3
4:POP3S
5:SMTP
6:SMTPS
Name:Email Access
1:{} 2 items
Members:[] 3 items
0:DCE-RPC
1:DNS
2:HTTPS
Name:Exchange Server
2:{} 2 items
Members:[] 1 item
0:SMB
Name:Maya
3:{} 2 items
Members:[] 3 items
0:DNS
1:HTTP
2:HTTPS
Name:Web Access
4:{} 2 items
Members:[] 7 items
0:DCE-RPC
1:DNS
2:KERBEROS
3:LDAP
4:LDAP_UDP
5:SAMBA
6:SMB
Name:Windows AD
Human Readable Output
3. Update a service group
Updates a FortiGate service group.
Base Command
fortigate-update-service-group
Input
| Argument Name | Description | Required |
|---|---|---|
| groupName | Group name of group to update | Required |
| serviceName | Service name to update from the group. If you specify data argument, the value does not matter. | Required |
| data | Pass a raw-data object (e.g., {'member': [{'name': 'Test'}]}), will override the service name argument. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Fortigate.ServiceGroup.Name | string | Service group name |
| Fortigate.ServiceGroup.ServiceName | string | Service name |
| Fortigate.ServiceGroup.Action | string | Action taken on the updated service group |
Command Example
!fortigate-update-service-group groupName=Maya serviceName=HTTP
Context Example
Fortigate:{} 2 items
AddressGroup:{} 3 items
ServiceGroup:{} 2 items
Member:{} 1 item
Name:[] 1 item
0:HTTP
Name:Maya
4. Delete a service group
Deletes a service group from FortiGate.
Base Command
fortigate-delete-service-group
Input
| Argument Name | Description | Required |
|---|---|---|
| groupName | Group name of the group to delete | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Fortigate.ServiceGroup.Name | string | Service group name |
| Fortigate.ServiceGroup.Deleted | boolean | Whether the service group was deleted |
Command Example
!fortigate-delete-service-group groupName="sdfsdf"
Context Example
Fortigate:{} 4 items
ServiceGroup:[] 6 items
5:{} 1 item
Name:sdfsdf
Deleted:true
Human Readable Output
5. Get service information
Returns information about a service from FortiGate Firewall.
Base Command
fortigate-get-firewall-service
Input
| Argument Name | Description | Required |
|---|---|---|
| serviceName | Service name | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Fortigate.Service.Name | string | Service name |
| Fortigate.Service.Ports.TCP | string | TCP port range included for the service |
| Fortigate.Service.Ports.UDP | string | UDP port range included for the service |
Command Example
!fortigate-get-firewall-service
Context Example
Fortigate:{} 3 items
Address:[] 8 items
Service:[] 87 items
0:{} 2 items
Name:ALL
Ports:{} 2 items
TCP:
UDP:
1:{} 2 items
Name:ALL_TCP
Ports:{} 2 items
TCP:1-65535
UDP:
Human Readable Output
6. Create a firewall service
Creates a service in FortiGate firewall
Base Command
fortigate-create-firewall-service
Input
| Argument Name | Description | Required |
|---|---|---|
| serviceName | Service name | Required |
| tcpRange | TCP port range for the service, e.g., 100-120, or a single port | Optional |
| udpRange | UDP port range for the service, e.g., 100-120, or a single port | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Fortigate.Service.Name | string | Service name |
| Fortigate.Service.Ports.TCP | string | TCP port range included for the service |
| Fortigate.Service.Ports.UDP | string | UDP port range included for the service |
Command Example
!fortigate-create-firewall-service serviceName=TEST1990 tcpRange=3 udpRange=4
Context Example
Fortigate:{} 2 items
AddressGroup:[] 5 items
Service:{} 2 items
Name:TEST1990
Ports:{} 2 items
TCP:3
UDP:4
Human Readable Output
7. Get policy information
Returns information about a firewall policy on FortiGate.
Base Command
fortigate-get-policy
Input
| Argument Name | Description | Required |
|---|---|---|
| policyName | Policy name | Optional |
| policyID | Policy ID | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Fortigate.Policy.Name | string | Policy name |
| Fortigate.Policy.ID | string | Policy ID |
| Fortigate.Policy.Description | string | Policy description |
| Fortigate.Policy.Status | string | The status of the policy (Enabled or Disabled) |
| Fortigate.Policy.Source | string | Source address |
| Fortigate.Policy.Destination | string | Destination address |
| Fortigate.Policy.Service | string | Service for the policy (e.g., HTTP) |
| Fortigate.Policy.Action | string | Policy action (Allow, Block) |
| Fortigate.Policy.Log | string | Does the policy log the traffic or not |
| Fortigate.Policy.Security | string | Policy attached security profile |
Command Example
!fortigate-get-policy
Context Example
Fortigate:{} 4 items
Policy:[] 6 items
0:{} 10 items
Security:[] 3 items
0:certificate-inspection
1:default
2:single
Log:all
Name:allow_any_to_any
Destination:all
Status:enable
Service:ALL
Action:accept
Source:all
ID:6
Description:
1:{} 9 items
Log:disable
Name:Allow ICMP
Destination:all
Status:disable
Service:ALL_ICMP
Action:accept
Source:all
ID:1
Description:maya test policy
2:{} 9 items
Log:utm
Name:allow dns
Destination:all
Status:disable
Service:DNS
Action:accept
Source:all
ID:2
Description:
3:{} 9 items
Log:utm
Name:allow github
Destination:swscan.apple.com
Status:disable
Service:HTTP
Action:accept
Source:all
ID:3
Description:
8. Update a firewall
Updates a firewall policy on FortiGate.
Base Command
fortigate-update-policy
Input
| Argument Name | Description | Required |
|---|---|---|
| policyID | Policy ID | Required |
| field | Field parameter to update | Required |
| value | Value of the field parameter to update | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Fortigate.Policy.Name | string | Policy name |
| Fortigate.Policy.ID | string | Policy ID |
| Fortigate.Policy.Description | string | Policy description |
| Fortigate.Policy.Status | string | The status of the policy (Enabled or Disabled) |
| Fortigate.Policy.Source | string | Source address |
| Fortigate.Policy.Destination | string | Destination address |
| Fortigate.Policy.Service | string | Service for the policy (e.g., HTTP) |
| Fortigate.Policy.Action | string | Policy action (Allow, Block) |
| Fortigate.Policy.Log | boolean | Does the policy log the traffic or not |
Command Example
!fortigate-update-policy field=nat policyID=6 value=disable
Context Example
context:
Fortigate:{} 4 items
AddressGroup:[] 5 items
Policy:{} 11 items
Security:[] 3 items
0:certificate-inspection
1:default
2:single
NAT:disable
Log:all
Name:allow_any_to_any
Destination:all
Status:enable
Service:ALL
Action:accept
Source:all
ID:6
9. Create a firewall policy
Creates a firewall policy (rule) on FortiGate.
Base Command
fortigate-create-policy
Input
| Argument Name | Description | Required |
|---|---|---|
| policyName | Policy name | Required |
| description | Description for the policy | Optional |
| sourceIntf | Source interface (e.g., port1/port2/port3) | Required |
| dstIntf | Destination interface (e.g., port1/port2/port3) | Required |
| source | Source IP address, range or domain (e.g., all/update.microsoft.com) | Required |
| destination | Destination IP address, range or domain (e.g., all/update.microsoft.com) | Required |
| service | Service for the policy (e.g., HTTP) | Required |
| action | Action to take | Required |
| status | Policy status | Optional |
| log | Whether the policy will log the traffic | Optional |
| schedule | Recurring or one time schedule for the policy | Required |
| nat | Enable/disable NAT | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Fortigate.Policy.Name | string | Policy name |
| Fortigate.Policy.Description | string | Policy description |
| Fortigate.Policy.Status | string | The status of the policy (Enabled or Disabled) |
| Fortigate.Policy.Source.Address | string | Source address |
| Fortigate.Policy.Destination.Address | string | Destination address |
| Fortigate.Policy.Service | string | Service for the policy (e.g., HTTP) |
| Fortigate.Policy.Action | string | Policy action (Allow, Block) |
| Fortigate.Policy.Log | boolean | Does the policy log the traffic or not |
| Fortigate.Policy.Source.Intf | string | Source interface |
| Fortigate.Policy.Destination.Intf | string | Destination interface |
| Fortigate.Policy.Schedule | string | Policy schedule |
| Fortigate.Policy.NAT | string | Policy NAT |
Command Example
!fortigate-create-policy action="accept" destination="all" dstIntf="port2" schedule=always policyName="LOLZ9" service="HTTP" source="all" sourceIntf="port2" status="enable" description="bloob" log="enable"
Context Example
Fortigate:{} 4 items
Policy:[] 7 items
0:{} 10 items
1:{} 9 items
2:{} 9 items
3:{} 9 items
4:{} 9 items
5:{} 9 items
6:{} 10 items
Security:g-default
Log:enable
Name:LOLZ9
Destination:{} 2 items
Address:all
Interface:port2
Status:enable
Service:HTTP
Action:accept
Schedule:always
Source:{} 2 items
Address:all
Interface:port2
Description:bloob
Human Readable Output
10. Relocate a firewall policy
Moves a firewall policy rule to a different position.
Base Command
fortigate-move-policy
Input
| Argument Name | Description | Required |
|---|---|---|
| policyID | Policy ID | Required |
| position | Position for the policy (before or after) | Required |
| neighbor | The ID of the policy being used as a positional anchor | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Fortigate.Policy.ID | string | Policy ID |
| Fortigate.Policy.Moved | boolean | Was the policy moved successfully |
Command Example
!fortigate-move-policy policyID=31 neighbour=33 position=after
Context Example
Fortigate:{} 1 item
Policy:{} 2 items
ID:26
Moved:true
Human Readable Output
11. Delete a firewall policy
Deletes a policy from FortiGate firewall.
Base Command
fortigate-delete-policy
Input
| Argument Name | Description | Required |
|---|---|---|
| policyID | Policy ID | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Fortigate.Policy.ID | string | Policy ID |
| Fortigate.Policy.Moved | boolean | Was the policy deleted successfully |
Command Example
!fortigate-delete-policy policyID=22
Context Example
Fortigate:{} 1 item
Policy:[] 2 items
1:{} 2 items
Deleted:true
ID:22
Human Readable Output
12. Get information for address groups
Returns information about address groups from FortiGate
Base Command
fortigate-get-address-groups
Input
| Argument Name | Description | Required |
|---|---|---|
| groupName | Filter by group name | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Fortigate.AddressGroup.Name | string | Address group name |
| Fortigate.AddressGroup.Member.Name | string | Address group member name |
| Fortigate.AddressGroup.UUID | string | Address group UUID |
Command Example
!fortigate-get-address-groups groupName="Test address group"
Context Example
Fortigate:{} 1 item
AddressGroup:{} 3 items
Member:{} 1 item
Name:[] 2 items
0:autoupdate.opera.com
1:swscan.apple.com
Name:Test address group
UUID:f492fcec-ee51-51e8-83f1-1d451b04c051
Human Readable Output
13. Update an address group
Updates an address group on FortiGate firewall
Base Command
fortigate-update-address-group
Input
| Argument Name | Description | Required |
|---|---|---|
| groupName | Group name | Required |
| address | An address to add or remove from the group | Required |
| data | Pass a raw-data object (e.g., {'member': [{'name': 'Test'}]}), will override the address argument. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Fortigate.AddressGroup.Name | string | Address group name |
| Fortigate.AddressGroup.Address | string | Address name |
Command Example
!fortigate-update-address-group address=google-play groupName=YARDEN
Context Example
Fortigate:{} 1 item
AddressGroup:[] 5 items
0:{} 3 items
1:{} 2 items
2:{} 2 items
3:{} 3 items
4:{} 2 items
Address:google-play
Name:YARDEN
Human Readable Output
14. Create an address group
Creates an address group in FortiGate firewall.
Base Command
fortigate-create-address-group
Input
| Argument Name | Description | Required |
|---|---|---|
| groupName | Group name | Required |
| address | Address member to add to the group | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Fortigate.AddressGroup.Name | string | Address group name |
| Fortigate.AddressGroup.Address | string | Address group member address |
Command Example
!fortigate-create-address-group address=all groupName="YARDEN2"
Context Example
Fortigate:{} 1 item
AddressGroup:[] 2 items
0:{} 3 items
1:{} 2 items
Address:all
Name:YARDEN2
Human Readable Output
15. Delete an address group
Deletes an address group from FortiGate firewall
Base Command
fortigate-delete-address-group
Input
| Argument Name | Description | Required |
|---|---|---|
| name | Address group name | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Fortigate.AddressGroup.Name | string | Address group name |
| Fortigate.AddressGroup.Deleted | boolean | Whether the address group was deleted |
Command Example
!fortigate-delete-address-group name=YARDEN4
Context Example
Fortigate:{} 1 item
AddressGroup:[] 5 items
0:{} 3 items
1:{} 2 items
2:{} 2 items
3:{} 3 items
Address:all
Deleted:true
Name:YARDEN4
16. Add an address to a banned list
Adds an IP address to a banned list.
Base Command
fortigate-ban-ip
Input
| Argument Name | Description | Required |
|---|---|---|
| ip_address | CSV list of IP addresses to ban. IPv4 and IPv6 addresses are supported. For example, "1.1.1.1,6.7.8.9". | Required |
| expiry | Time until ban expires in seconds. 0 for indefinite ban. | Optional |
Context Output
There are no context outputs for this command.
Command Example
!fortigate-ban-ip ip_address=8.8.8.8
17. Clears a list of banned addresses
Clears a list of specific banned IP addresses.
Base Command
fortigate-unban-ip
Input
| Argument Name | Description | Required |
|---|---|---|
| ip_address | CSV list of banned user IP addresses to clear. IPv4 and IPv6 addresses are supported. For example, "1.1.1.1,6.7.8.9". | Required |
Context Output
There are no context outputs for this command.
Command Example
!fortigate-unban-ip ip_address=8.8.8.8
18. Get a list of banned addresses
Returns a list of banned IP addresses.
Base Command
fortigate-get-banned-ips
Context Output
| Path | Type | Description |
|---|---|---|
| Fortigate.BannedIP.IP | string | The IP address. |
| Fortigate.BannedIP.Created | string | Date/time the IP address was added to the banned list. |
| Fortigate.BannedIP.Expires | string | Date/time the IP address expires from the banned list. |
| Fortigate.BannedIP.Source | string | Source of the ban. |
Command Example
!fortigate-get-banned-ips
19. Create an address object
Creates a new address object.
Base Command
fortigate-create-address
Input
| Argument Name | Description | Required |
|---|---|---|
| name | The address name | Required |
| address | The IP Address, example: 1.1.1.1 | Optional |
| mask | The address mask, example: 255.255.255.0 , Default is 255.255.255.255 | Optional |
| fqdn | The domain name, example: example.com | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Fortigate.Address.Name | string | The address name |
| Fortigate.Address.IPAddress | string | The IP address. |
| Fortigate.Address.FQDN | string | The domain name. |
Command Example
!fortigate-create-address name=test address="1.1.1.1"
Context Example
Fortigate:{} 1 item
Address:[] 1 item
0:{} 2 items
1:{} 2 items
IPAddress:1.1.1.1/255.255.255.255
Name:test
Human Readable Output
FortiGate address test created successfully
| IPAddress | 1.1.1.1 |
| Name | test |
20. Delete an address object
Deletes an existing address object.
Base Command
fortigate-delete-address
Input
| Argument Name | Description | Required |
|---|---|---|
| name | The address name | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Fortigate.Address.Name | string | The address name |
| Fortigate.Address.Deleted | string | The address deletion status. |
Command Example
!fortigate-delete-address name=test
Context Example
Fortigate:{} 1 item
Address:[] 1 item
0:{} 2 items
1:{} 2 items
Deleted:True
Name:test
Human Readable Output
FortiGate address test-address deleted successfully
| Deleted | true |
| Name | test |