This guide provides instructions to integrate FortiAnalyzer with Workbench via Signal From Anywhere (SFA).

The Fortinet FortiAnalyzer integration allows Expel to retrieve new and updated log events, normalize them, and produce a security signal. In addition, the integration allows investigative actions to be triggered to retrieve information for more effective triage and analysis.

Prerequisites

  • You must be an admin user with the super_admin profile, so that you are able to create a REST API administrator account.

Quick start

Setup includes the following steps (click any step for detailed instructions):

Step 1: Create a REST API administrator account in FortiAnalyzer

The REST API administrator account allows automated configuration, backup creation, and monitoring of the FortiGate.

  1. Log in to the FortiAnalyzer console and select your administrative domain (ADOM).

    The default ADOM is root.

  2. Click System Settings.

    Settings in FortiAnalyzer ADOM
  3. From the menu on the left, click Admin > Administrators.

    Drop-down with Admin settings
  4. From the Create New dropdown, select REST API Admin.

    Create Fortinet FortiAnalyzer REST API Admin
  5. Complete the Create New REST API Administrator form:

    • Add a meaningful User Name.

    • Select the Administrative Domain.

    • Set the Admin Profile to Restricted_User.

    • Set the JSON API Access to Read.

  6. Choose one of the following options depending on your configuration:

    • If you use an assembler (not-required), add the IP address of the assembler to the Trusted Hosts section.

    • If you do not use an assembler, add the following Expel IP addresses to the Trusted Hosts section:

      • 34.75.13.114

      • 34.75.152.7

      • 35.243.190.98

      • 104.196.158.205

      • 34.75.81.28

      • 34.75.210.18

  7. Click OK.

  8. Generate the API key:

    • Select the newly created user.

    • Click Regenerate > Generate.

    • Copy and save the API key to a safe location, as you will need it in a later section.

Step 2: Enable console access

Create a local administrator account that is necessary to enable console access.

  1. Still in System Settings, on the Administrators page, look for the Create New dropdown and select Administrator.

    Create Fortinet FortiAnalyzer Administrator
  2. Complete the Create New Administrator form:

    • Add a meaningful User Name.

    • Set the Admin Type to Local.

    • Create a Password.

    • Select the Administrative Domain.

    • Set the Admin Profile to Restricted_User.

    • Set the JSON API Access to None.

    • Toggle Trusted Hosts on.

  3. Choose one of the following options depending on your configuration:

    • If you use an assembler (not-required), add the IP address of the assembler to the Trusted Hosts section.

    • If you do not use an assembler, add the following Expel IP addresses to the Trusted Hosts section:

      • 34.75.13.114

      • 34.75.152.7

      • 35.243.190.98

      • 104.196.158.205

      • 34.75.81.28

      • 34.75.210.18

  4. Click OK.

Step 3: Configure FortiAnalyzer in Workbench

Now that you have the API key, you can integrate your technology with Workbench.

  1. Log in to Workbench.

  2. Navigate to Organization Settings > Security Devices.

  3. At the top of the page, click Add Security Device.

  4. Search for and select FortiAnalyzer.

  5. Specify where your device is hosted:

    • For Cloud, click Cloud.

    • For on-premise configurations, click On-prem, and specify the Assembler.

    Cloud and on-prem settings
  6. Type the following information:

    • Name: the name of the device.

    • Location: the geographic location of the device.

    • URL: your FortiAnalyzer fully qualified domain name (FQDN) or IP address, including https://.

    • API key: the key you generated in Step 1.

  7. Click Save.

  8. To provide Expel with console access, in the How will you access the console? section, select Set up now (recommended) and fill in the appropriate fields:

    • Console URL: the same as your FortiAnalyzer FQDN or IP Address in the previous step.

    • Username and Password: credentials you created in Step 2.

      Note
      Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.

  9. Click Save.