It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda XDR

Setting up SOAR for FortiGate Firewall

  • Last updated on

The documentation below outlines the requirements for the Barracuda XDR Security Orchestration, Automation, and Response (SOAR). When you've set this up, all required data is uploaded to the Customer Security Dashboard in the SOAR Settings > Firewalls section.

Prerequisites

To configure SOAR for FortiGate Firewall, you will need to know the following:

  • Ensure the FortiGate is on a version that supports API v2 (FortiOS 5.6.3 or later).

  • Provide the External IP Address of the FortiGate Firewall

To set up SOAR for FortiGate Firewall, you must do the following:

If you are setting up SOAR for a Fortigate Firewall that is on the latest firmware version of 7.4.5+, follow these instructions to ensure that access tokens are not blocked.

To create an Administrator profile
  1. In FortiGate Firewall, click System > Admin Profiles > Create New.

  2. Create a new profile called Barracuda XDR API Admin.

  3. In the Access Permissions table, under Access Control, click the Custom icon next to Firewall, then do the following:

    • Next to Policy, select Read/Write.

    • Next to Address, select Read/Write.

      Fortigate1.png

  4. Slide  Override Idle Timeout to On. Then slide Never Timeout to On.

    SOARFortigateNeverTimeout.png

  5. Make a note of the profile name, to use when you create the REST API Admin.

  6. Click OK.

To create a REST API Admin and generate an API token
  1. In FortiGate Firewall, navigate to System > Administrators > Create New > REST API Admin.

  2. In Username, type the username Barracuda XDR API Admin and select the Administrator Profile you created in Create an Administrator Profile, Barracuda XDR API Admin.

    SOARFortigateAdminProfile.png

  3. In the Restrict logins to Trusted Hosts section, do the following:

    • Slide the Trusted Hosts slider to on.

    • Type the IP addresses 35.155.74.247 and 44.239.173.232 as trusted hosts so the authentication is successful from the Barracuda side to be able to implement the IP Blocking.
      NOTE Adding both 35.155.74.247 and 44.239.173.232 as trusted hosts is necessary so the authentication is successful from the Barracuda side to be able to implement the IP Blocking

  4. Click OK.
    NOTE An API token is generated.

  5. Make a note of the API token.

    SOARFortigateAPIToken.png


    NOTE The token is only shown once and cannot be retrieved.

  6. Click Close.

  7. Send the API Token to the Barracuda XDR team.

Ensure the REST API admin can authenticate to the firewall. If you are restricting admin logins to only certain networks, you must add the SOAR IP (35.155.74.247 & 44.239.173.232) as a trusted host to the administrator account.

To obtain the HTTPS port number for API calls
  1. If you are not using the default port (Port 443), for administrative access, please copy the correct port  and the external IP address from the URL. For example, https://<IP Address>:<port>,.

  2. The port can be found in the URL along with the external IP address. For example, https://<IP Address>:<port>, where <IP Address> is the external IP address and <port> is the port to use for administrative access.

  3. Provide the port number to the Barracuda XDR team.

To create an Address Group

Next, create an Address Group called Barracuda_XDR_Blocked_IPs. Barracuda XDR uses this group to automatically block IPs on the firewall. Add this group to any preexisting firewall policies that block traffic to/from anomalous IP addresses.

  1. In the left navigation menu, click Policy & Objects > Addresses.

  2. Click Create New > Address Group.

  3. In Group Name, type Barracuda_XDR_Blocked_IPs.

  4. In Type, select Group.

  5. Click OK.

    Fortigate4.png

  6. Send the Address Group name to the Barracuda XDR team.

Enable HTTPS on the WAN Interface

Admin access from the WAN interface is required for XDR to have remote access to the firewall device. You can manage these settings by navigating to Network > Interfaces and adjusting the administrative access to the interface.

HTTP.png

To configure XDR Dashboard
  1. In Barracuda XDR Dashboard, click SOAR Settings > Firewalls.

    SOARCloudGenDash.png

  2. Click Config.

  3. In the Edit Config dialog box, enter the following:

    • External IP

    • API Access Port 

    • Credential (API Key)

    • Group Name

      SOARFortigateEditConfig.png
  4. Click Save.

If you need to edit the configuration at any time, follow the Editing XDR SOAR Settings for a Firewall procedure.