Add Fortinet devices

Relevant for: AFA Administrators

This topic describes how Fortinet FortiManager and FortiGate devices are connected to AFA.

In this topic:

Fortinet network connections

The following image shows an ASMS Central Manager or Remote Agent connected to Fortinet FortiManager and FortiGate devices.

The following image shows an ASMS Central Manager or Remote Agent connected to FortiGate devices.

Back to top

FortiManager device permissions

ASMS requires the following permissions when connecting to FortiManager devices:

Back to top

FortiGate device permissions

AFA requires read-only permissions to connect to Fortigate devices.

In the FortiGate web interface, in the Admin Profile configuration > Access Control, select an option that is at least read-only.

• If device configuration consists of VDOMs, the user must be configured with set scope global. Users configured with set scope vdom are not supported for AFA.
• If the FortiGate device is defined directly in AFA as opposed to via a FortiManager device, AFA does not support a user defined only on the managing FortiManager.

Back to top

Add a Fortinet FortiManager device to AFA

This procedure describes how to add a Fortinet FortiManager device to AFA.

Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP page.
2. In the vendor and device selection page, select Fortinet > FortiManager.

3. Complete the fields as needed.

   Access Information

   Host	Enter the host name or IP address of the device.
   User Name	Enter the user name to use for accessing the device. This user name must be a super-user. If Administrative Domains (ADOMs) are used: To analyze only devices under a specific ADOM, specify a specific ADOM's administrator credentials. To analyze all devices under all ADOMs, provide the credentials of a global administrator. When analyzing devices as a global administrator, no other action is required. Otherwise, some manual configuration may be required. Contact AlgoSec support for more information.
   Password	Enter the password to use for accessing the device.
   Connect via	For FortiManager version 5.2.3 and above, select REST. (SSH/SOAP is no longer supported). FortiManager versions earlier than 5.2.3 are not supported. You must enable the relevant web service on the device itself. For more details, see Enable the relevant API in the FortiNet FortiManager device. .
   Custom Port	To specify a custom port, select this option and type the port. This option is only relevant when REST is selected.

   The following fields are relevant only when CyberArk is configured. For details, see Integrate ASMS and CyberArk.

   Retrieve credentials from CyberArk vault	Select this check box to authenticate the device with a CyberArk Vault instead of saving the device credentials on the AlgoSec server.
   Platform (Policy ID)	Enter the Platform for this device which will be authenticated via CyberArk.
   Safe	Enter the safe for this device which will be authenticated via CyberArk.
   Folder	Enter the folder for this device which will be authenticated via CyberArk.
   Object	Enter this device's CyberArk Object.

   Close ⌃
   Geographic Distribution

   Select the remote agent that should perform data collection for the device.

   To specify that the device is managed locally, select Central Manager.

   This field is relevant when a Geographic Distribution architecture is configured. For more details, see Configure a distributed architecture.

   Close ⌃
   ActiveChange

   Select Enable ActiveChange to enable FireFlow to implement changes on the device.

   For more details, see Implement changes with ActiveChange.

   Close ⌃
   Log Collection and Monitoring

   For AFA to process logs from the devices managed by the FortiManager device you are adding, you may need to specify additional device identifiers.

   This is relevant when the sub-device is represented by multiple or non-standard device identifiers. For example, this may be relevant for firewall clusters or non-standard logging settings.

   For more details, see Add additional device identifiers for sub-systems.

   Define the following values:

   Log collection method	Specify whether AFA should collect logs for the device, by selecting one of the following: None: Do not collect logs. Standard: Enable log collection. Extensive: Enable log collection and the Intelligent Policy Tuner. The default value is Extensive.
   Syslog-ng server	If you selected Standard or Extensive in the Log collection method field, you must specify the syslog-ng server. For details, see Specify a Syslog server. Tip: Alternately, see Configure your FortiManager to forward syslog messages to AFA.
   Log collection frequency	Enter the interval of time in minutes, at which AFA should collect logs for the device.

   Close ⌃

4. If you enabled ActiveChange, the ActiveChange License Agreement dialog is displayed.

   Select I Agree and click OK.

5. Click Next to continue to the Fortinet FortiManager Step 2/2 page.

   This page lists all the devices that are managed by the FortiManager, including standalone devices and virtual systems.

6. Optional: Configure AFA to use logs created by a managed device or virtual system

   To specify that AFA should use the logs created by a managed device / virtual system, do the following:

   1. In the Add Device column, select the check box next to the device's name.

   2. In the Log Analysis column, select one of the following:

      • None to disable logging.
      • Standard to enable logging
      • Extensive to enable logging and the Intelligent Policy Tuner.

      Note: Using the device's logs enables AFA to detect certain policy optimization information, such as unused rules. This information is displayed in the Policy Optimization section of the AFA report.

   Close ⌃
7. Optional: Enable generation of baseline compliance reports

   To enable generation of baseline compliance reports, do the following:

   1. Click .

   2. In the Direct Access Configuration, enter the following details, and then click OK.

      Host IP	Type the IP address of the device.
      User Name	Type the user name to access the device.
      Password	Type the password to access the device.
      Baseline Profile	Select the baseline compliance profile to use. The drop-down list includes all baseline compliance profiles in the system. For more details, see Customize baseline configuration profiles. To disable Baseline Compliance Report generation for this device, select None.
      Test Connectivity	Click this button to test connectivity to the defined device. A message informs you whether AFA connected to the device successfully.

   Note: Specifying this information for a device triggers a direct SSH connection to the device.

   Close ⌃

8. Select the remaining options as needed:

   Real-time change monitoring	Select this option to enable real-time alerting upon configuration changes. For details, see Configure real-time monitoring.
   Set user permissions	Select this option to set user permissions for this device.

9. Click Finish.

   The new device is added to the device tree, and appears with a three tier hierarchy: FortiManager, FortiGate and VDOM.

10. If you selected Set user permissions, the Edit users dialog box appears.

    In the list of users displayed, select one or more users to provide access to reports for this account.

    To select multiple users, press the CTRL button while selecting.

    Click OK to close the dialog.

    A success message appears to confirm that the device is added.

11. Enable the relevant API in the FortiNet FortiManager device.

    Do the following:

    1. Log in to the FortiManager Web interface, and navigate to the System Settings > Network settings.

    2. Configure one of the following, depending on your FortiManager device version:

       FortiManager versions 5.2.3 and higher	Connect via REST. (SSH/SOAP is not supported) Under System Settings > Network > Management Interface > Administrative Access, select: HTTPS Web Service
       FortiManager versions earlier than 5.2.3	FortiManager versions earlier than 5.2.3 are not supported.

Back to top

Add a Fortinet FortiGate device to AFA

This procedure describes how to add a FortiGate device to AFA.

Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP page.
2. In the vendor and device selection page, select Fortinet > FortiGate.

3. Complete the fields as needed, and then click Finish.

   Access Information

   Host	Type the host name or IP address of the device.
   User Name	Type the user name to use for SSH access to the device.
   Password	Type the password to use for SSH access to the device.

   Close ⌃
   Geographic Distribution

   Select the remote agent that should perform data collection for the device.

   To specify that the device is managed locally, select Central Manager.

   This field is relevant when a Geographic Distribution architecture is configured. For more details, see Configure a distributed architecture.

   Close ⌃
   Baseline Compliance Configuration

   To enable generation of Baseline Compliance Reports for this device, select the baseline compliance profile to use.

   The drop-down list includes all baseline compliance profiles in the system. For more details, see Customize baseline configuration profiles.

   To disable Baseline Compliance Report generation for this device, select None.

   Close ⌃
   Route Collection

   Specify how AFA should acquire the device's routing information:

   • Automatic. AFA will automatically generate the device's routing information upon analysis or monitoring.
   • Static Routing Table (URT). AFA will take the device's routing information from a static file you provide. For more details, see Specify routing data manually.

   Close ⌃
   Remote Management Capabilities

   Select a data collection method:

   • SSH (more secure)
   • Telnet

   Then define the following:

   Custom Port

   To specify a custom port, select this option and type the port. This option is only relevant when SSH is selected.

   Number of allowed encryption keys

   Enter the permitted number of different RSA keys received from this device's IP address. Different RSA keys may be sent from the same IP address in cases of cluster fail-over, device operating system upgrades, etc. For example, if a cluster fail-over occurs, the secondary node will send a new RSA key from the same IP address to AFA. If this number is set to 1, the connection to the node will fail, resulting in a failed analysis.

   Close ⌃
   Log Collection and Monitoring

   Log collection method	Specify whether AFA should collect logs for the device, by selecting one of the following: None: Do not collect logs. Standard: Enable log collection. Extensive: Enable log collection and the Intelligent Policy Tuner. The default value is Extensive.
   Syslog-ng server	If you selected Standard or Extensive in the Log collection method field, you must specify the syslog-ng server. For details, see Specify a Syslog server.
   Additional firewall identifiers	Enter any additional IP addresses or host names that identify the device. When adding multiple entries, separate values with a colon (:). For example: 1.1.1.1:2.2.2.2:ServerName. This is relevant when the device is represented by multiple or non-standard device identifiers in the logs, for example, in cases of firewall clusters or non-standard logging settings. If AFA receives logs with an identifier it does not recognize, the logs will not be processed. Note: This field is only relevant for the parent device. For more details, see Add additional device identifiers for sub-systems.
   Log collection frequency	Enter the interval of time in minutes, at which AFA should collect logs for the device.

   Close ⌃
   Options

   Real-time change monitoring	Select this option to enable real-time alerting upon configuration changes. For details, see Configure real-time monitoring.
   Set user permissions	Select this option to set user permissions for the device.

   Close ⌃

   The new device is added to the device tree with a two tier hierarchy: FortiGate and VDOM.

4. If you selected Set user permissions, the Edit users dialog box appears.

   In the list of users displayed, select one or more users to provide access to reports for this account.

   To select multiple users, press the CTRL button while selecting.

   Click OK to close the dialog.

A success message appears to confirm that the device is added.

Back to top

Configure one-armed mode manually

AFA automatically identifies Fortinet devices in one-armed mode when the device has a single interface, or a single one non-management interface. If your device has multiple non-management interfaces and one-armed mode is not identified automatically, configure this for your device manually.

Do the following:

1. On the AFA machine, access your device configuration meta file as follows:

   /home/afa/.fa/firewalls/<device_name>/fwa.meta

   where <device_name> is the name of the device listed. If you device is listed multiple times, enter the longer name.

2. On a new line, enter:

   is_steering_device=yes

3. Run an analysis on the device to update the device data in AFA.

Back to top