Connectivity
The Fortigate must be able to connect to:
- https://panpolicies.threatstop.com (TCP port 443) for policy retrieval.
ThreatSTOP Admin Portal
Settings
During this step, you will create a device entry on the ThreatSTOP Admin Portal. You will select the PAN device type and enter your configuration settings.
To create a PAN-OS (HTTP) device entry:
- Log into the Admin Portal with your ThreatSTOP account
- Browse to the Device page and click Add Device
- Select the Check Point model:
- Type : IP Defense
- Manufacturer : Palo Alto Networks
- Model : PA Series
- Integration Type : Configuration
- Nickname : this is a mnemonic name used to identify the device. It can be set to any string (A-Z, 0-9, - and _). If you create multiple device entries, each entry must have a unique nickname. The Nickname will be used to identify the device in the admin device portal and in the Reporting user interface.
- Policy : select a pre-defined policy or a customized policy (most Fortigate models are limited to ~15,000 IPs). It must be an IP Defense Policy.
Note: It may take up to 30 minutes for a new policy to be available after creating it in the portal and assigning to a device.
- IP Type : Access to the ThreatSTOP services is controlled in part using an ACL allowing the device IP to connect. If your device has a static public IP address (the most common case), select static. If your device has a dynamic public IP address, the ThreatSTOP services can look up the IP address using a DNS fully-qualified name (FQDN).
- External IP address : In static mode, this is the public IP address of the device. It is possible to configure multiple device entries with the same public IP address.
- Domain name : (only if IP Type is Dynamic IP) In Dynamic mode, this is a DNS FQDN which must be kept up-to-date as an A record pointing to the device’s dynamic IP.
- Note : An optional field to store a note of your choice about the device - location, identifiers, model…
- Lines in block : The number of addresses in each External Connector, derived from the capacity of your device.
On the Fortigate GUI, select the “Security Fabric” tab, select “External Connectors”, create a new external connector, and select “IP address”.
Add the ThreatSTOP Allow/Block 1-8 URL as the External Connector(s). No username or password is required on the ThreatSTOP side, because ThreatSTOP uses the name of the policy and the external IP address instead, so enter a dummy username and password in the Fortigate GUI.
- Example Block URL: https://panpolicies.threatstop.com/TSServer-<001-008>-netb.Threa01.threatstop.local
- Example Allow URL: https://panpolicies.threatstop.com/TSServer-<001-008>-neta.Threa01.threatstop.local
Once the External Connector(s) has been created, verify that it has been populated and add it to the desired interfaces.
*Log uploads still require a TSCM to be formatted and uploaded to the ThreatSTOP Admin portal.*
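A check for the "verify that it has been populated" step, as an added example that is not part of ThreatSTOP's or Fortinet's documentation: it validates the text of a downloaded connector list before the connector is attached to interfaces. The one-entry-per-line format (address, CIDR subnet or start-end range), the INTERNAL networks and the function names are assumptions; pass your device's "Lines in block" value as max_entries.

```python
import ipaddress

# Assumption: internal address space that a block list should never cover.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_entry(text):
    """Return (first, last) address covered by one list line; raise ValueError if malformed."""
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError("bad range")
        return lo, hi
    net = ipaddress.ip_network(text, strict=False)
    return net[0], net[-1]

def check_feed(body, max_entries):
    """Validate one connector list (assumed format: one entry per line, '#' comments)."""
    report = {"entries": 0, "invalid": [], "internal": [], "over_capacity": False}
    for lineno, raw in enumerate(body.splitlines(), 1):
        text = raw.strip()
        if not text or text.startswith("#"):
            continue
        try:
            first, last = parse_entry(text)
        except ValueError:
            report["invalid"].append((lineno, text))
            continue
        report["entries"] += 1
        # An entry overlapping internal space would cut off your own networks if blocked.
        if first.version == 4 and any(first <= n[-1] and last >= n[0] for n in INTERNAL):
            report["internal"].append((lineno, text))
    # More entries than the connector holds means part of the policy may not be enforced.
    report["over_capacity"] = report["entries"] > max_entries
    return report

# Constructed sample list using documentation ranges, not real ThreatSTOP data.
SAMPLE = """\
# constructed sample
198.51.100.7
203.0.113.0/24
192.0.2.10-192.0.2.20
10.0.0.0/8
300.1.2.3
192.0.2.50-192.0.2.40
"""

if __name__ == "__main__":
    print(check_feed(SAMPLE, max_entries=15000))
```

An empty report with zero entries is itself a finding: the connector was created but the list did not populate, which usually points back to the ACL on the device's external IP or to a policy that is not yet available.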