
Fortigate HTTP Workaround

Connectivity

The Fortigate must be able to connect to:

  • https://panpolicies.threatstop.com (TCP port 443) for policy retrieval.


ThreatSTOP Admin Portal

Settings

During this step, you will create a device entry on the ThreatSTOP Admin Portal. You will select the PAN-OS device type (the Fortigate is registered as a PAN device for this HTTP workaround) and enter your configuration settings.

To create a PAN-OS (HTTP) device entry:

  • Log into the Admin Portal with your ThreatSTOP account
  • Browse to the Device page and click Add Device
  • Select the Palo Alto Networks (PAN-OS) model:
    • Type : IP Defense
    • Manufacturer : Palo Alto Networks
    • Model : PA Series
    • Integration Type : Configuration

[Image: admin_portal_device.png]

  • Nickname : a mnemonic name used to identify the device. It can be any string of A-Z, 0-9, - and _. If you create multiple device entries, each entry must have a unique nickname. The Nickname identifies the device in the Admin Portal device list and in the Reporting user interface.
  • Policy : select a pre-defined policy or a customized policy (most Fortigate models are limited to roughly 15,000 IPs). It must be an IP Defense Policy.

Note: It may take up to 30 minutes for a new policy to be available after creating it in the portal and assigning it to a device.

  • IP Type : Access to the ThreatSTOP services is controlled in part by an ACL that allows the device IP to connect. If your device has a static public IP address (the most common case), select Static. If your device has a dynamic public IP address, the ThreatSTOP services can look up the IP address using a DNS fully-qualified domain name (FQDN).
  • External IP address : In static mode, this is the public IP address of the device. It is possible to configure multiple device entries with the same public IP address.
  • Domain name : (only if IP Type is Dynamic IP) In Dynamic mode, this is a DNS FQDN which must be kept up-to-date as an A record pointing to the device’s dynamic IP.
  • Note : An optional field to store a note of your choice about the device - location, identifiers, model…
  • Lines in block : The number of addresses in each External Connector, derived from the capacity of your device.

On the Fortigate GUI, select the "Security Fabric" tab, select "External Connectors", create a new external connector and select "IP address".

[Image: aws_fortigate_policy_setup1.png]

Add the ThreatSTOP Allow/Block 1-8 URLs as the External Connector(s). No username or password is required on the ThreatSTOP side; access is granted based on the policy name in the URL and the device's external IP address, so enter a dummy username and password in the Fortigate GUI. The `<001-008>` portion of each URL is the block number, one connector per block.

  • Example Block URL: https://panpolicies.threatstop.com/TSServer-<001-008>-netb.Threa01.threatstop.local
  • Example Allow URL: https://panpolicies.threatstop.com/TSServer-<001-008>-neta.Threa01.threatstop.local

[Image: aws_fortigate_policy_setup2.png]

Once the External Connector(s) have been created, verify that each one has been populated with addresses and add it to the policies on the desired interfaces.
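The following Python script is an added example (not part of the original article or ThreatSTOP's own tooling) for two of the steps above: expanding the block/allow URL template for connectors 001-008, and auditing the fetched connector bodies before they are attached to an interface. It assumes each connector body is plain text with one IP address or CIDR per line (with `#` lines treated as comments, an assumption), uses the `Threa01` token from the page's example URL as the policy label without asserting what it maps to in your account, and operates on constructed sample bodies so it runs offline. The audit reports empty connectors (the "has it been populated" check), malformed lines, duplicate networks across blocks, and whether the total stays under the ~15,000-entry capacity the article mentions for most Fortigate models.

```python
"""Offline helpers for ThreatSTOP External Connector feeds on a Fortigate.

Added example; the feed line format and the comment convention are assumptions.
"""
import ipaddress
from typing import Dict, List, Tuple

FEED_HOST = "https://panpolicies.threatstop.com"   # host named in the article
BLOCK_NUMBERS = range(1, 9)                         # Allow/Block connectors 1-8
DEFAULT_CAPACITY = 15000                            # article's ~15,000 IP limit


def connector_urls(list_type: str, policy_label: str = "Threa01") -> List[str]:
    """Expand the article's URL template for blocks 001-008.

    list_type is 'netb' (block list) or 'neta' (allow list).
    policy_label defaults to the token used in the article's example URL.
    """
    if list_type not in ("netb", "neta"):
        raise ValueError("list_type must be 'netb' (block) or 'neta' (allow)")
    return [
        f"{FEED_HOST}/TSServer-{n:03d}-{list_type}.{policy_label}.threatstop.local"
        for n in BLOCK_NUMBERS
    ]


def parse_feed(body: str) -> Tuple[list, List[str]]:
    """Parse one connector body: one IP or CIDR per line (assumed format).

    Returns (accepted_networks, rejected_lines). Blank lines and '#' comments
    are skipped; anything ipaddress cannot parse is reported, not silently dropped.
    """
    accepted, rejected = [], []
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            accepted.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(line)
    return accepted, rejected


def audit_connectors(bodies: Dict[str, str], capacity: int = DEFAULT_CAPACITY) -> Dict[str, object]:
    """Summarise a set of fetched connector bodies keyed by connector name."""
    per_block: Dict[str, int] = {}
    seen = set()
    duplicates = 0
    rejected_total = 0
    for name, body in bodies.items():
        nets, rejected = parse_feed(body)
        per_block[name] = len(nets)
        rejected_total += len(rejected)
        for net in nets:
            if net in seen:
                duplicates += 1        # same network delivered in two blocks
            seen.add(net)
    total = sum(per_block.values())
    return {
        "per_block": per_block,
        "total_lines": total,
        "unique_networks": len(seen),
        "duplicates": duplicates,
        "rejected_lines": rejected_total,
        "empty_blocks": [n for n, c in per_block.items() if c == 0],
        "within_capacity": total <= capacity,
    }


# Constructed sample bodies (documentation ranges only), standing in for the
# text you would fetch from each connector URL.
SAMPLE_BODIES = {
    "TSServer-001-netb": "# constructed sample\n198.51.100.7\n203.0.113.0/24\n2001:db8::/32\n",
    "TSServer-002-netb": "203.0.113.0/24\nnot-an-ip\n\n192.0.2.10\n",
    "TSServer-003-netb": "",
}


if __name__ == "__main__":
    for url in connector_urls("netb"):
        print(url)
    report = audit_connectors(SAMPLE_BODIES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

In practice you would replace `SAMPLE_BODIES` with the text retrieved from each URL returned by `connector_urls` (from a host that passes the same ACL as the Fortigate's external IP). An entry in `empty_blocks` means that connector is not yet populated, which is usually the 30-minute policy propagation delay noted above; a `within_capacity` of False means the selected policy is too large for the device and a smaller policy should be chosen in the Admin Portal.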

[Image: aws_fortigate_external_block.png]

*Log uploads still require a TSCM to be formatted and uploaded to the ThreatSTOP Admin portal.*
