Skip to main content

FortiGate

This Integration is part of the FortiGate Pack.#

Overview

Use the Fortinet FortiGate integration to manage firewall settings and groups.

We recommend that users have an API account that is set to root vdom in order to access all commands.

This integration was integrated and tested with FortiOS 5.6.8

Configure FortiGate on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services .
  2. Search for FortiGate.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • Server URL (e.g. 192.168.0.1)
    • Account username
    • Account password
    • Trust any certificate (not secure)
    • Use system proxy settings
  4. Click Test to validate the URLs, username + password, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Get all address objects from the firewall: fortigate-get-addresses
  2. Get information about service groups: fortigate-get-service-groups
  3. Update a service group: fortigate-update-service-group
  4. Delete a service group: fortigate-delete-service-group
  5. Get service information: fortigate-get-firewall-service
  6. Create a firewall service: fortigate-create-firewall-service
  7. Get firewall policy information: fortigate-get-policy
  8. Update a firewall policy: fortigate-update-policy
  9. Create a firewall policy: fortigate-create-policy
  10. Relocate a firewall policy: fortigate-move-policy
  11. Delete a firewall policy: fortigate-delete-policy
  12. Get information for address groups: fortigate-get-address-groups
  13. Update an address group: fortigate-update-address-group
  14. Create an address group: fortigate-create-address-group
  15. Delete an address group: fortigate-delete-address-group
  16. Add an address to a banned list: fortigate-ban-ip
  17. Clear a list of banned addresses: fortigate-unban-ip
  18. Get a list of banned addresses: fortigate-get-banned-ips
  19. Creates a new address object: fortigate-create-address
  20. Delete an address object: fortigate-delete-address

1. Get all address objects from the firewall


Returns all address objects from your firewall.

Base Command

fortigate-get-addresses

Input
Argument Name Description Required
address Filter by address (IP or domain) Optional
name Filter by address name Optional

Context Output
Path Type Description
Fortigate.Address.Name string Address name
Fortigate.Address.Subnet string Address subnet
Fortigate.Address.StartIP string Address object start IP address
Fortigate.Address.EndIP string Address object end IP address

Command Example
!fortigate-get-addresses
Context Example
Fortigate:{} 2 items
Address:[] 8 items
0:{} 4 items
EndIP:0.0.0.0
Name:FIREWALL_AUTH_PORTAL_ADDRESS
StartIP:0.0.0.0
Subnet:0.0.0.0-0.0.0.0
1:{} 4 items
EndIP:10.212.134.210
Name:SSLVPN_TUNNEL_ADDR1
StartIP:10.212.134.200
Subnet:10.212.134.200-10.212.134.210
2:{} 4 items
EndIP:0.0.0.0
Name:all
StartIP:0.0.0.0
Subnet:0.0.0.0-0.0.0.0
3:{} 4 items
EndIP:0.0.0.0
Name:autoupdate.opera.com
StartIP:0.0.0.0
Subnet:0.0.0.0-0.0.0.0
4:{} 4 items
EndIP:0.0.0.0
Name:google-play
StartIP:0.0.0.0
Subnet:0.0.0.0-0.0.0.0
5:{} 4 items
EndIP:255.255.255.255
Name:none
StartIP:0.0.0.0
Subnet:0.0.0.0-255.255.255.255
6:{} 4 items
EndIP:0.0.0.0
Name:swscan.apple.com
StartIP:0.0.0.0
Subnet:0.0.0.0-0.0.0.0
7:{} 4 items
EndIP:0.0.0.0
Name:update.microsoft.com
StartIP:0.0.0.0
Subnet:0.0.0.0-0.0.0.0
Human Readable Output

2. Get information about service groups


Returns information about FortiGate service groups.

Base Command

fortigate-get-service-groups

Input
Argument Name Description Required
name Filter by group name Optional

Context Output
Path Type Description
Fortigate.ServiceGroup.Name string Service group name
Fortigate.ServiceGroup.Members string Service group member name

Command Example
!fortigate-get-service-groups
Context Example
ServiceGroup:[] 5 items
0:{} 2 items
Members:[] 7 items
0:DNS
1:IMAP
2:IMAPS
3:POP3
4:POP3S
5:SMTP
6:SMTPS
Name:Email Access
1:{} 2 items
Members:[] 3 items
0:DCE-RPC
1:DNS
2:HTTPS
Name:Exchange Server
2:{} 2 items
Members:[] 1 item
0:SMB
Name:Maya
3:{} 2 items
Members:[] 3 items
0:DNS
1:HTTP
2:HTTPS
Name:Web Access
4:{} 2 items
Members:[] 7 items
0:DCE-RPC
1:DNS
2:KERBEROS
3:LDAP
4:LDAP_UDP
5:SAMBA
6:SMB
Name:Windows AD
Human Readable Output

3. Update a service group


Updates a FortiGate service group.

Base Command

fortigate-update-service-group

Input
Argument Name Description Required
groupName Group name of group to update Required
serviceName Service name to update from the group. If you specify data argument, the value does not matter. Required
data Pass a raw-data object (e.g., {'member': [{'name': 'Test'}]}), will override the service name argument. Optional

Context Output
Path Type Description
Fortigate.ServiceGroup.Name string Service group name
Fortigate.ServiceGroup.ServiceName string Service name
Fortigate.ServiceGroup.Action string Action taken on the updated service group

Command Example
!fortigate-update-service-group groupName=Maya serviceName=HTTP
Context Example
Fortigate:{} 2 items
AddressGroup:{} 3 items
ServiceGroup:{} 2 items
Member:{} 1 item
Name:[] 1 item
0:HTTP
Name:Maya

4. Delete a service group


Deletes a service group from FortiGate.

Base Command

fortigate-delete-service-group

Input
Argument Name Description Required
groupName Group name of the group to delete Required

Context Output
Path Type Description
Fortigate.ServiceGroup.Name string Service group name
Fortigate.ServiceGroup.Deleted boolean Whether the service group was deleted

Command Example
!fortigate-delete-service-group groupName="sdfsdf"
Context Example
Fortigate:{} 4 items
ServiceGroup:[] 6 items
5:{} 1 item
Name:sdfsdf
Deleted:true
Human Readable Output

5. Get service information


Returns information about a service from FortiGate Firewall.

Base Command

fortigate-get-firewall-service

Input
Argument Name Description Required
serviceName Service name Optional

Context Output
Path Type Description
Fortigate.Service.Name string Service name
Fortigate.Service.Ports.TCP string TCP port range included for the service
Fortigate.Service.Ports.UDP string UDP port range included for the service

Command Example
!fortigate-get-firewall-service
Context Example
Fortigate:{} 3 items
Address:[] 8 items
Service:[] 87 items
0:{} 2 items
Name:ALL
Ports:{} 2 items
TCP:
UDP:
1:{} 2 items
Name:ALL_TCP
Ports:{} 2 items
TCP:1-65535
UDP:
Human Readable Output

6. Create a firewall service


Creates a service in FortiGate firewall

Base Command

fortigate-create-firewall-service

Input
Argument Name Description Required
serviceName Service name Required
tcpRange TCP port range for the service, e.g., 100-120, or a single port Optional
udpRange UDP port range for the service, e.g., 100-120, or a single port Optional

Context Output
Path Type Description
Fortigate.Service.Name string Service name
Fortigate.Service.Ports.TCP string TCP port range included for the service
Fortigate.Service.Ports.UDP string UDP port range included for the service

Command Example
!fortigate-create-firewall-service serviceName=TEST1990 tcpRange=3 udpRange=4
Context Example
Fortigate:{} 2 items
AddressGroup:[] 5 items
Service:{} 2 items
Name:TEST1990
Ports:{} 2 items
TCP:3
UDP:4
Human Readable Output

7. Get policy information


Returns information about a firewall policy on FortiGate.

Base Command

fortigate-get-policy

Input
Argument Name Description Required
policyName Policy name Optional
policyID Policy ID Optional

Context Output
Path Type Description
Fortigate.Policy.Name string Policy name
Fortigate.Policy.ID string Policy ID
Fortigate.Policy.Description string Policy description
Fortigate.Policy.Status string The status of the policy (Enabled or Disabled)
Fortigate.Policy.Source string Source address
Fortigate.Policy.Destination string Destination address
Fortigate.Policy.Service string Service for the policy (e.g., HTTP)
Fortigate.Policy.Action string Policy action (Allow, Block)
Fortigate.Policy.Log string Does the policy log the traffic or not
Fortigate.Policy.Security string Policy attached security profile

Command Example
!fortigate-get-policy
Context Example
Fortigate:{} 4 items
Policy:[] 6 items
0:{} 10 items
Security:[] 3 items
0:certificate-inspection
1:default
2:single
Log:all
Name:allow_any_to_any
Destination:all
Status:enable
Service:ALL
Action:accept
Source:all
ID:6
Description:
1:{} 9 items
Log:disable
Name:Allow ICMP
Destination:all
Status:disable
Service:ALL_ICMP
Action:accept
Source:all
ID:1
Description:maya test policy
2:{} 9 items
Log:utm
Name:allow dns
Destination:all
Status:disable
Service:DNS
Action:accept
Source:all
ID:2
Description:
3:{} 9 items
Log:utm
Name:allow github
Destination:swscan.apple.com
Status:disable
Service:HTTP
Action:accept
Source:all
ID:3
Description:

8. Update a firewall


Updates a firewall policy on FortiGate.

Base Command

fortigate-update-policy

Input
Argument Name Description Required
policyID Policy ID Required
field Field parameter to update Required
value Value of the field parameter to update Required

Context Output
Path Type Description
Fortigate.Policy.Name string Policy name
Fortigate.Policy.ID string Policy ID
Fortigate.Policy.Description string Policy description
Fortigate.Policy.Status string The status of the policy (Enabled or Disabled)
Fortigate.Policy.Source string Source address
Fortigate.Policy.Destination string Destination address
Fortigate.Policy.Service string Service for the policy (e.g., HTTP)
Fortigate.Policy.Action string Policy action (Allow, Block)
Fortigate.Policy.Log boolean Does the policy log the traffic or not

Command Example
!fortigate-update-policy field=nat policyID=6 value=disable
Context Example
context:
Fortigate:{} 4 items
AddressGroup:[] 5 items
Policy:{} 11 items
Security:[] 3 items
0:certificate-inspection
1:default
2:single
NAT:disable
Log:all
Name:allow_any_to_any
Destination:all
Status:enable
Service:ALL
Action:accept
Source:all
ID:6

9. Create a firewall policy


Creates a firewall policy (rule) on FortiGate.

Base Command

fortigate-create-policy

Input
Argument Name Description Required
policyName Policy name Required
description Description for the policy Optional
sourceIntf Source interface (e.g., port1/port2/port3) Required
dstIntf Destination interface (e.g., port1/port2/port3) Required
source Source IP address, range or domain (e.g., all/update.microsoft.com) Required
destination Destination IP address, range or domain (e.g., all/update.microsoft.com) Required
service Service for the policy (e.g., HTTP) Required
action Action to take Required
status Policy status Optional
log Whether the policy will log the traffic Optional
schedule Recurring or one time schedule for the policy Required
nat Enable/disable NAT Optional

Context Output
Path Type Description
Fortigate.Policy.Name string Policy name
Fortigate.Policy.Description string Policy description
Fortigate.Policy.Status string The status of the policy (Enabled or Disabled)
Fortigate.Policy.Source.Address string Source address
Fortigate.Policy.Destination.Address string Destination address
Fortigate.Policy.Service string Service for the policy (e.g., HTTP)
Fortigate.Policy.Action string Policy action (Allow, Block)
Fortigate.Policy.Log boolean Does the policy log the traffic or not
Fortigate.Policy.Source.Intf string Source interface
Fortigate.Policy.Destination.Intf string Destination interface
Fortigate.Policy.Schedule string Policy schedule
Fortigate.Policy.NAT string Policy NAT

Command Example
!fortigate-create-policy action="accept" destination="all" dstIntf="port2" schedule=always policyName="LOLZ9" service="HTTP" source="all" sourceIntf="port2" status="enable" description="bloob" log="enable"
Context Example
Fortigate:{} 4 items
Policy:[] 7 items
0:{} 10 items
1:{} 9 items
2:{} 9 items
3:{} 9 items
4:{} 9 items
5:{} 9 items
6:{} 10 items
Security:g-default
Log:enable
Name:LOLZ9
Destination:{} 2 items
Address:all
Interface:port2
Status:enable
Service:HTTP
Action:accept
Schedule:always
Source:{} 2 items
Address:all
Interface:port2
Description:bloob
Human Readable Output

10. Relocate a firewall policy


Moves a firewall policy rule to a different position.

Base Command

fortigate-move-policy

Input
Argument Name Description Required
policyID Policy ID Required
position Position for the policy (before or after) Required
neighbor The ID of the policy being used as a positional anchor Required

Context Output
Path Type Description
Fortigate.Policy.ID string Policy ID
Fortigate.Policy.Moved boolean Was the policy moved successfully

Command Example
!fortigate-move-policy policyID=31 neighbour=33 position=after
Context Example
Fortigate:{} 1 item
Policy:{} 2 items
ID:26
Moved:true
Human Readable Output

11. Delete a firewall policy


Deletes a policy from FortiGate firewall.

Base Command

fortigate-delete-policy

Input
Argument Name Description Required
policyID Policy ID Required

Context Output
Path Type Description
Fortigate.Policy.ID string Policy ID
Fortigate.Policy.Moved boolean Was the policy deleted successfully

Command Example
!fortigate-delete-policy policyID=22
Context Example
Fortigate:{} 1 item
Policy:[] 2 items
1:{} 2 items
Deleted:true
ID:22
Human Readable Output

12. Get information for address groups


Returns information about address groups from FortiGate

Base Command

fortigate-get-address-groups

Input
Argument Name Description Required
groupName Filter by group name Optional

Context Output
Path Type Description
Fortigate.AddressGroup.Name string Address group name
Fortigate.AddressGroup.Member.Name string Address group member name
Fortigate.AddressGroup.UUID string Address group UUID

Command Example
!fortigate-get-address-groups groupName="Test address group"
Context Example
Fortigate:{} 1 item
AddressGroup:{} 3 items
Member:{} 1 item
Name:[] 2 items
0:autoupdate.opera.com
1:swscan.apple.com
Name:Test address group
UUID:f492fcec-ee51-51e8-83f1-1d451b04c051
Human Readable Output

13. Update an address group


Updates an address group on FortiGate firewall

Base Command

fortigate-update-address-group

Input
Argument Name Description Required
groupName Group name Required
address An address to add or remove from the group Required
data Pass a raw-data object (e.g., {'member': [{'name': 'Test'}]}), will override the address argument. Optional

Context Output
Path Type Description
Fortigate.AddressGroup.Name string Address group name
Fortigate.AddressGroup.Address string Address name

Command Example
!fortigate-update-address-group address=google-play groupName=YARDEN
Context Example
Fortigate:{} 1 item
AddressGroup:[] 5 items
0:{} 3 items
1:{} 2 items
2:{} 2 items
3:{} 3 items
4:{} 2 items
Address:google-play
Name:YARDEN
Human Readable Output

14. Create an address group


Creates an address group in FortiGate firewall.

Base Command

fortigate-create-address-group

Input
Argument Name Description Required
groupName Group name Required
address Address member to add to the group Required

Context Output
Path Type Description
Fortigate.AddressGroup.Name string Address group name
Fortigate.AddressGroup.Address string Address group member address

Command Example
!fortigate-create-address-group address=all groupName="YARDEN2"
Context Example
Fortigate:{} 1 item
AddressGroup:[] 2 items
0:{} 3 items
1:{} 2 items
Address:all
Name:YARDEN2
Human Readable Output

15. Delete an address group


Deletes an address group from FortiGate firewall

Base Command

fortigate-delete-address-group

Input
Argument Name Description Required
name Address group name Required

Context Output
Path Type Description
Fortigate.AddressGroup.Name string Address group name
Fortigate.AddressGroup.Deleted boolean Whether the address group was deleted

Command Example
!fortigate-delete-address-group name=YARDEN4
Context Example
Fortigate:{} 1 item
AddressGroup:[] 5 items
0:{} 3 items
1:{} 2 items
2:{} 2 items
3:{} 3 items
Address:all
Deleted:true
Name:YARDEN4

16. Add an address to a banned list


Adds an IP address to a banned list.

Base Command

fortigate-ban-ip

Input
Argument Name Description Required
ip_address CSV list of IP addresses to ban. IPv4 and IPv6 addresses are supported. For example, "1.1.1.1,6.7.8.9". Required
expiry Time until ban expires in seconds. 0 for indefinite ban. Optional

Context Output

There are no context outputs for this command.

Command Example
  !fortigate-ban-ip ip_address=8.8.8.8

17. Clears a list of banned addresses


Clears a list of specific banned IP addresses.

Base Command

fortigate-unban-ip

Input
Argument Name Description Required
ip_address CSV list of banned user IP addresses to clear. IPv4 and IPv6 addresses are supported. For example, "1.1.1.1,6.7.8.9". Required

Context Output

There are no context outputs for this command.

Command Example
  !fortigate-unban-ip ip_address=8.8.8.8 

18. Get a list of banned addresses


Returns a list of banned IP addresses.

Base Command

fortigate-get-banned-ips

Context Output
Path Type Description
Fortigate.BannedIP.IP string The IP address.
Fortigate.BannedIP.Created string Date/time the IP address was added to the banned list.
Fortigate.BannedIP.Expires string Date/time the IP address expires from the banned list.
Fortigate.BannedIP.Source string Source of the ban.

Command Example
  !fortigate-get-banned-ips 

19. Create an address object


Creates a new address object.

Base Command

fortigate-create-address

Input
Argument Name Description Required
name The address name Required
address The IP Address, example: 1.1.1.1 Optional
mask The address mask, example: 255.255.255.0 , Default is 255.255.255.255 Optional
fqdn The domain name, example: example.com Optional

Context Output
Path Type Description
Fortigate.Address.Name string The address name
Fortigate.Address.IPAddress string The IP address.
Fortigate.Address.FQDN string The domain name.

Command Example
!fortigate-create-address name=test address="1.1.1.1"
Context Example
Fortigate:{} 1 item
Address:[] 1 item
0:{} 2 items
1:{} 2 items
IPAddress:1.1.1.1/255.255.255.255
Name:test
Human Readable Output

FortiGate address test created successfully

IPAddress 1.1.1.1
Name test

20. Delete an address object


Deletes an existing address object.

Base Command

fortigate-delete-address

Input
Argument Name Description Required
name The address name Required

Context Output
Path Type Description
Fortigate.Address.Name string The address name
Fortigate.Address.Deleted string The address deletion status.

Command Example
!fortigate-delete-address name=test
Context Example
Fortigate:{} 1 item
Address:[] 1 item
0:{} 2 items
1:{} 2 items
Deleted:True
Name:test
Human Readable Output

FortiGate address test-address deleted successfully

Deleted true
Name test