Scripted integration between Fortigate firewalls and Cognito Detect

vectranetworks/Fortinet-Groups

Fortigate Firewall Integration

fortinet.py is a Python script that provides an API-level integration between Fortigate Firewalls and Cognito Detect. Source hosts can be blocked by IP, either manually by specifying a tag or automatically based on Detect's Threat and Certainty scores.
Destination IPs can be blocked based on Cognito Detection Type, or based on tagging a detection (Command & Control and Exfiltration category detections only).

Prerequisites

Python3, pyfortiapi==0.2.0, requests>=2.0.
The required modules are installed automatically when you follow the setup procedure below.

A Cognito Detect API key is required; it can be generated by going to My Profile and generating an API token.

Login credentials for your Fortigate with read and write access are required.

Setup

Clone the repository with git (or download it manually), then install the required packages with pip3:

git clone https://github.com/vectranetworks/Fortinet-Groups.git
pip3 install -r requirements.txt

Configuration

Edit the config.py file and adjust the required variables according to your environment. Multiple firewalls can be specified in the configuration file.

The following address groups will be created when required on the firewall:

'Cognito Blocked Destinations'
'Cognito Blocked Sources'

Be sure to create or update your firewall security policies accordingly to utilize the groups.

Running

When run, the script must be supplied one or more parameters. Examples:

python3 fortinet.py --block_host_tag block_fw
python3 fortinet.py --block_host_tag block_fw --unblock_host_tag unblock_fw --block_detection_type 'External Remote Access'

The --block_host_tag flag will query Detect for active hosts that have the specified tag and add their IPs to the 'Cognito Blocked Sources' group on the firewall.

The --block_detection_type flag allows a detection type to be specified for which the destination IPs will be collected and added to the 'Cognito Blocked Destinations' group.

The --block_host_tc flag takes a Threat threshold and a Certainty threshold; a host whose Cognito Detect Threat and Certainty scores meet or exceed both is blocked automatically. Flags can be combined to satisfy multiple use cases.
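The flag semantics described above (tag-based blocking, a >= threshold on both scores, and tag-based unblocking), worked through as an added example. This is not fortinet.py or any code from the Vectra project: it makes no calls to Cognito Detect or pyfortiapi, and the DetectHost field names, the sample hosts, the current group membership and the "unblock tag wins" precedence are all assumptions made for illustration.

```python
"""Host-selection and group-reconciliation logic for a Fortigate block list.

Constructed example illustrating the README's flag semantics; it is not
fortinet.py and does not call Cognito Detect or pyfortiapi. Field names on
DetectHost are assumptions, not the Detect API schema.
"""
from dataclasses import dataclass, field


@dataclass
class DetectHost:
    """Minimal stand-in for a Cognito Detect host record (assumed fields)."""
    name: str
    ip: str
    threat: int
    certainty: int
    tags: set = field(default_factory=set)
    active: bool = True


def hosts_to_block(hosts, block_tag=None, tc=None):
    """Return the IPs that belong in 'Cognito Blocked Sources'.

    A host qualifies when it is active and either carries block_tag or its
    threat AND certainty scores are >= the (threat, certainty) thresholds,
    matching the help text ("scores >= to block"). Either criterion may be
    omitted, just as either flag may be left off the command line.
    """
    selected = set()
    for host in hosts:
        if not host.active:
            continue
        tagged = block_tag is not None and block_tag in host.tags
        scored = tc is not None and host.threat >= tc[0] and host.certainty >= tc[1]
        if tagged or scored:
            selected.add(host.ip)
    return selected


def hosts_to_unblock(hosts, unblock_tag):
    """Return the IPs of hosts carrying the unblock tag (active or not)."""
    if unblock_tag is None:
        return set()
    return {host.ip for host in hosts if unblock_tag in host.tags}


def plan_group_changes(hosts, current_members, block_tag=None, tc=None, unblock_tag=None):
    """Compute (adds, removes) for the firewall address group.

    Assumption made in this example: the unblock tag takes precedence, so a
    host tagged for both block and unblock is removed rather than re-added.
    Only unblock-tagged members are removed; other existing members are left
    alone, so an entry added by an earlier run is never silently pruned.
    """
    block = hosts_to_block(hosts, block_tag, tc)
    unblock = hosts_to_unblock(hosts, unblock_tag)
    desired = block - unblock
    adds = desired - set(current_members)
    removes = set(current_members) & unblock
    return sorted(adds), sorted(removes)


# Constructed sample data, not output from a real Detect instance.
SAMPLE_HOSTS = [
    DetectHost("web01", "10.0.0.5", threat=95, certainty=92),
    DetectHost("ws17", "10.0.0.17", threat=40, certainty=20, tags={"block_fw"}),
    DetectHost("db02", "10.0.0.22", threat=91, certainty=60),  # certainty below 90
    DetectHost("old09", "10.0.0.9", threat=99, certainty=99, active=False),
    DetectHost("lab33", "10.0.0.33", threat=10, certainty=10, tags={"unblock_fw"}),
    DetectHost("dev07", "10.0.0.50", threat=50, certainty=50, tags={"block_fw", "unblock_fw"}),
]
# Constructed current membership of 'Cognito Blocked Sources'.
CURRENT_MEMBERS = {"10.0.0.17", "10.0.0.33", "10.0.0.50"}

if __name__ == "__main__":
    adds, removes = plan_group_changes(
        SAMPLE_HOSTS, CURRENT_MEMBERS,
        block_tag="block_fw", tc=(90, 90), unblock_tag="unblock_fw",
    )
    print("add to 'Cognito Blocked Sources':     ", adds)
    print("remove from 'Cognito Blocked Sources':", removes)
```

With the sample run (block_fw / 90 90 / unblock_fw), only web01 is added: db02 misses the certainty threshold, old09 is inactive, and ws17 is already a member; lab33 and dev07 are removed because they carry the unblock tag. Computing the add and remove sets before touching the firewall is also what makes a dry run from the CLI meaningful.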

Sample Use Case

python3 fortinet.py --block_host_tc 90 90 --block_host_tag block_fw --unblock_host_tag unblock_fw --block_detection_type 'External Remote Access'

Recommendations

To test the desired use cases, run the fortinet.py script from the CLI. In production, the script is designed to be called via a cron job.

Help Output

python fortinet.py -h
usage: fortinet.py [-h] [--block_host_tag BLOCK_HOST_TAG]
                   [--block_host_tc BLOCK_HOST_TC BLOCK_HOST_TC]
                   [--block_detection_tag BLOCK_DETECTION_TAG]
                   [--block_detection_type BLOCK_DETECTION_TYPE]
                   [--unblock_host_tag UNBLOCK_HOST_TAG]
                   [--unblock_detection_tag UNBLOCK_DETECTION_TAG]

Add or remove hosts from dynamic block list.

optional arguments:
  -h, --help            show this help message and exit
  --block_host_tag BLOCK_HOST_TAG
                        Poll for tagged hosts to block, eg --block_host_tag block
  --block_host_tc BLOCK_HOST_TC BLOCK_HOST_TC
                        Poll for hosts with threat and certainty scores >= to block, eg --block_host_tc 50 50
  --block_detection_tag BLOCK_DETECTION_TAG
                        Poll for tagged detections to block, eg --block_detection_tag block
  --block_detection_type BLOCK_DETECTION_TYPE
                        Poll for detection types to block
  --unblock_host_tag UNBLOCK_HOST_TAG
                        Poll for tagged hosts to unblock, eg --unblock_host_tag unblock
  --unblock_detection_tag UNBLOCK_DETECTION_TAG
                        Poll for tagged detections to unblock, eg --unblock_detection_tag unblock

Example: python3 fortinet.py --block_host_tag block_fw --unblock_host_tag unblock_fw --block_detection_type 'External Remote Access'

Authors

  • Carson Ham - Initial work

License

This project is licensed under the MIT License - see the LICENSE.md file for details
