
FortiGate Integration Guide

Overview

The FortiGate integration allows your NINA workflows to connect with Fortinet FortiGate firewalls for automated security operations. This integration enables you to manage firewall policies, block malicious IPs and domains, isolate compromised devices, and maintain address groups directly from your security automation workflows.

FortiGate is Fortinet's next-generation firewall platform that provides comprehensive network security including firewall, intrusion prevention, web filtering, and VPN capabilities. The NINA integration provides a streamlined way to automate firewall security operations and incident response actions.

Status

Currently, our integration supports comprehensive management of core FortiGate firewall operations:

IP Address Management

  • IP Blocking: Create firewall address objects to block specific IPs or subnets
  • IP Unblocking: Remove IP address objects to restore access
  • Address Listing: Query all firewall address objects with filtering
  • Address Details: Retrieve detailed information about specific address objects

Domain Filtering

  • DNS Filtering: Block domains using DNS filter profiles
  • Web Filtering: Block URLs and domains using web filter profiles
  • Filter Management: Create, update, and manage DNS and web filter profiles
  • Domain Unblocking: Remove domains from blocklists
  • Filter Listing: Query all blocked domains across DNS and web filters

Firewall Policy Management

  • Policy Creation: Create comprehensive firewall policies with source/destination addresses, interfaces, services, and actions
  • Policy Updates: Modify existing firewall policies (status, comments, etc.)
  • Policy Deletion: Remove firewall policies when no longer needed
  • Policy Retrieval: Get details of specific policies or list all policies
  • Policy Ordering: Adjust policy precedence by moving policies relative to others

Address Group Management

  • Group Creation: Create address groups to organize multiple address objects
  • Member Management: Add or remove address objects from groups
  • Group Listing: Query all address groups with filtering
  • Group Deletion: Remove address groups (members remain intact)

Device Isolation

  • Isolate Devices: Block all network access from compromised devices
  • Unisolate Devices: Restore network access to previously isolated devices
  • Isolation Tracking: List all currently isolated devices

Our integration does not yet support several advanced FortiGate capabilities, including but not limited to:

  • VPN Management: IPsec, SSL VPN, and tunnel configuration
  • Security Profiles: IPS, antivirus, application control, and SSL inspection profiles
  • SD-WAN: Software-defined WAN configuration and policies
  • User Authentication: User identity, authentication policies, and SSO integration
  • High Availability: HA cluster configuration and failover management
  • System Configuration: VLAN, routing, interface, and general system settings
  • Logging and Monitoring: Log forwarding, syslog, and analytics configuration
  • Threat Intelligence: FortiGuard integration and threat feed management
  • VoIP and Video: Application-specific security profiles
  • Wireless Controller: WiFi access point and controller management

For a comprehensive list of FortiGate capabilities, refer to the official FortiGate REST API documentation.

Credential Configuration

Before using the FortiGate integration in your workflows, you need to configure credentials for authentication.

Authentication Method

The FortiGate integration uses API Token authentication:

Field          | Description                                          | Example
---------------|------------------------------------------------------|-------------------------
API Token      | FortiGate REST API token                             | hfQn5z7kpbxG9m4tW2cR8v
Management URL | FortiGate management interface URL                   | https://192.168.1.99:443
Insecure SSL   | Skip SSL certificate verification (dev/testing only) | false
VDOM           | Virtual Domain name                                  | root

Creating an API Token in FortiGate

  1. Log in to your FortiGate web interface
  2. Navigate to System > Administrators
  3. Click Create New > REST API Admin
  4. Configure the API administrator:
    • Username: Enter a descriptive name (e.g., "nina-automation")
    • Administrator Profile: Select "Super_Admin" or create a custom profile with required permissions
    • CORS Allow Origin: Leave blank or specify if needed
    • Trusted Hosts: Add the IP addresses of your NINA servers (or 0.0.0.0/0 for testing)
    • PKI Group: Leave default unless using certificate authentication
  5. Click OK
  6. The system will display the API token once - copy and save it securely
  7. Note: The token will not be shown again, so store it safely

Required Permissions for API Administrator Profile:

For full integration functionality, the API administrator needs these permissions:

  • Firewall: Read/Write permissions for address objects, address groups, and policies
  • Policy & Objects: Read/Write access to firewall objects and policies
  • DNS Filter: Read/Write access to DNS filter profiles
  • Web Filter: Read/Write access to web filter profiles

You can create a custom administrator profile with limited permissions based on your security requirements.

Finding Your Management URL

The Management URL is the HTTPS URL you use to access the FortiGate web interface:

  • Local network: https://192.168.1.99:443 (replace with your FortiGate IP)
  • External access: https://firewall.company.com (if configured with DNS name)
  • Non-standard port: Include the port number if not using 443

Important: Always use HTTPS for production environments. HTTP is not supported for security reasons.

Virtual Domains (VDOMs)

FortiGate supports Virtual Domains for multi-tenancy:

  • Single VDOM mode: Use root (default)
  • Multi-VDOM mode: Specify the VDOM name (e.g., production, development)
  • VDOM requirement: The API token must have access to the specified VDOM

To find your VDOM configuration:

  1. Navigate to Global > System > VDOM
  2. Check if VDOMs are enabled and note the VDOM names

Creating a FortiGate Credential in NINA

  1. Navigate to the Credentials section in NINA
  2. Click Add New Credential
  3. Fill in the credential details:
    • Name: A descriptive name (e.g., "FortiGate Production Firewall")
    • Description: Optional details about the credential's purpose
    • Integration Service: Select "FortiGate"
    • Auth Type: "API Token" (automatically selected)
    • API Token: Enter the token generated in FortiGate
    • Management URL: Enter your FortiGate management URL
    • Insecure SSL: Leave unchecked (false) for production; check only for testing with self-signed certificates
    • VDOM: Enter the Virtual Domain name (default: root)
  4. Click Test Connection to verify credentials
  5. Click Save to store the credential

SSL Certificate Considerations

For production environments:

  • Use valid SSL certificates signed by a trusted CA
  • Keep "Insecure SSL" disabled (false)
  • This ensures secure API communication

For development/testing with self-signed certificates:

  • Enable "Insecure SSL" (true) to skip certificate verification
  • Warning: Never use this setting in production environments

Supported Resources and Operations

The FortiGate integration supports the following resources and operations:

IP Block

Manage IP address blocking through firewall address objects.

Operation | Description
----------|---------------------------------------------------------
Create    | Block an IP address by creating a firewall address object
Delete    | Unblock an IP by deleting its address object
List      | List all firewall address objects with optional filtering
Get       | Get details of a specific IP address object

Domain Block

Block or unblock domains using DNS and web filters.

Operation | Description
----------|---------------------------------------------------
Create    | Add a domain to DNS or web filter blocklist
Delete    | Remove a domain from the blocklist
List      | List all blocked domains in DNS and/or web filters

Firewall Rule

Manage firewall policies for traffic control.

Operation | Description
----------|--------------------------------------------------
Create    | Create a new firewall policy rule
Update    | Update an existing firewall policy
Delete    | Delete a firewall policy
Get       | Get details of a specific firewall policy
List      | List all firewall policies with optional filtering
Move      | Change the order/priority of a firewall policy

Address Group

Manage groups of firewall address objects for scalable policy management.

Operation     | Description
--------------|---------------------------------------------
Create        | Create a new address group
Add Member    | Add an address object to an existing group
Remove Member | Remove an address object from a group
Get           | Get details of a specific address group
List          | List all address groups with optional filtering
Delete        | Delete an address group

Device Isolation

Isolate or restore access for compromised devices.

Operation | Description
----------|-------------------------------------------------------
Isolate   | Block all network access from a device
Unisolate | Restore network access to a previously isolated device
List      | List all currently isolated devices

Parameter Merging and Templating

The FortiGate integration takes full advantage of NINA's parameter merging and templating capabilities:

Parameter Sources (in order of precedence)

  1. Node Parameters: Parameters configured directly in the FortiGate Integration Node
  2. Extracted Parameters: Parameters automatically extracted from the input data
  3. Input Data: The complete input data from upstream nodes

When a FortiGate Integration Node executes:

  • It combines parameters from all sources
  • Node parameters take precedence over extracted parameters
  • Template variables within parameters are processed (using {{variable_name}} syntax)
  • The combined parameters are used to execute the FortiGate operation

Example: Blocking Malicious IPs

Basic IP Blocking

Below is an example of blocking an IP address using the Integration Node:

Node Configuration:

{
  "integration_service": "fortigate",
  "resource": "ip-block",
  "operation": "create",
  "parameters": {
    "ip": "203.0.113.50",
    "comment": "Malicious IP detected by threat intelligence",
    "subnet": true
  }
}

This creates a firewall address object named BLOCKED_203_0_113_50 with the IP 203.0.113.50/32.

Blocking IPs with Template Variables

You can dynamically block IPs based on threat intelligence:

Input Data from Previous Node:

{
  "threat_intel": {
    "malicious_ip": "198.51.100.75",
    "threat_type": "C2 Server",
    "confidence": "high",
    "source": "CrowdStrike",
    "campaign": "APT29"
  },
  "incident": {
    "case_id": "INC-2024-0234",
    "analyst": "jane.smith"
  }
}

Node Configuration with Template Variables:

{
  "integration_service": "fortigate",
  "resource": "ip-block",
  "operation": "create",
  "parameters": {
    "ip": "{{threat_intel.malicious_ip}}",
    "name": "BLOCKED_{{threat_intel.threat_type}}_{{incident.case_id}}",
    "comment": "{{threat_intel.threat_type}} - {{threat_intel.campaign}} - Blocked by {{incident.analyst}} - Confidence: {{threat_intel.confidence}} - Source: {{threat_intel.source}}",
    "subnet": true
  }
}

This will create:

  • Name: "BLOCKED_C2 Server_INC-2024-0234"
  • IP: "198.51.100.75/32"
  • Comment: "C2 Server - APT29 - Blocked by jane.smith - Confidence: high - Source: CrowdStrike"
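
The precedence and templating rules described under "Parameter Merging and Templating", worked through as an added Python example that is not part of NINA or this guide: it merges node parameters over extracted parameters, resolves {{dotted.path[index]}} placeholders against the input data, and reproduces the name, IP and comment listed above. The extracted-parameter values, the BLOCKED_<ip> default naming rule and the "/32" suffix for a bare host IP are assumptions inferred from the page's examples.

```python
import re

# Constructed sample, copied from the page's "Blocking IPs with Template
# Variables" example: input data from the upstream node.
INPUT_DATA = {
    "threat_intel": {
        "malicious_ip": "198.51.100.75",
        "threat_type": "C2 Server",
        "confidence": "high",
        "source": "CrowdStrike",
        "campaign": "APT29",
    },
    "incident": {"case_id": "INC-2024-0234", "analyst": "jane.smith"},
}

# Node parameters exactly as configured in the page's node configuration.
NODE_PARAMETERS = {
    "ip": "{{threat_intel.malicious_ip}}",
    "name": "BLOCKED_{{threat_intel.threat_type}}_{{incident.case_id}}",
    "comment": "{{threat_intel.threat_type}} - {{threat_intel.campaign}} - Blocked by "
               "{{incident.analyst}} - Confidence: {{threat_intel.confidence}} - "
               "Source: {{threat_intel.source}}",
    "subnet": True,
}

# Constructed "extracted parameters" (assumption: values NINA pulled from the
# input automatically). Node parameters must win over these.
EXTRACTED_PARAMETERS = {"ip": "192.0.2.1", "comment": "auto-extracted", "subnet": False}

_PATH_PART = re.compile(r"([^.\[\]]+)|\[(\d+)\]")
_PLACEHOLDER = re.compile(r"\{\{\s*([^{}]+?)\s*\}\}")


def resolve_path(data, path):
    """Walk a dotted path with optional [n] list indexes, e.g. 'phishing_report.domains[0]'.

    Raises KeyError instead of returning '' so that a bad path can never
    silently create an address object with a blank or literal '{{...}}' name.
    """
    current = data
    for key, index in _PATH_PART.findall(path):
        if index:
            if not isinstance(current, list) or int(index) >= len(current):
                raise KeyError(path)
            current = current[int(index)]
        else:
            if not isinstance(current, dict) or key not in current:
                raise KeyError(path)
            current = current[key]
    return current


def render(value, data):
    """Substitute every {{path}} inside a string; non-string values pass through."""
    if not isinstance(value, str):
        return value
    return _PLACEHOLDER.sub(lambda m: str(resolve_path(data, m.group(1))), value)


def merge_parameters(node_params, extracted_params, input_data):
    """Combine sources in the page's precedence order (node over extracted),
    then render templates against the complete input data."""
    merged = {**extracted_params, **node_params}
    return {key: render(val, input_data) for key, val in merged.items()}


def default_address_name(ip):
    """Assumed naming rule inferred from the page (203.0.113.50 -> BLOCKED_203_0_113_50)."""
    return "BLOCKED_" + ip.replace(".", "_")


def build_address_object(params):
    """Turn rendered ip-block parameters into the address object the page says is created."""
    ip = params["ip"]
    return {
        "name": params.get("name") or default_address_name(ip),
        # Assumption from the page's example: a bare host IP becomes a /32.
        "subnet": ip if "/" in ip else f"{ip}/32",
        "comment": params.get("comment", ""),
    }
```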

Unblocking IPs

Remove an IP block when the threat is remediated:

Node Configuration:

{
  "integration_service": "fortigate",
  "resource": "ip-block",
  "operation": "delete",
  "parameters": {
    "name": "BLOCKED_203_0_113_50"
  }
}

Listing Blocked IPs

Query all blocked IP addresses with filtering:

Node Configuration:

{
  "integration_service": "fortigate",
  "resource": "ip-block",
  "operation": "list",
  "parameters": {
    "filter": "name=@BLOCKED",
    "format": "name|subnet|comment"
  }
}

Example: Domain Blocking for Phishing Prevention

Blocking Domains via DNS Filter

Block malicious domains using DNS filtering:

Node Configuration:

{
  "integration_service": "fortigate",
  "resource": "domain-block",
  "operation": "create",
  "parameters": {
    "domain": "malicious-phishing-site.com",
    "filterType": "dns",
    "filterId": 1,
    "matchType": "simple",
    "comment": "Phishing domain detected in email campaign"
  }
}

Dynamic Domain Blocking from Threat Feeds

Input Data:

{
  "phishing_report": {
    "domains": [
      "fake-login-bank.com",
      "secure-verify-account.net"
    ],
    "campaign_id": "PHISH-2024-Q1-15",
    "reported_by": "[email protected]",
    "detection_time": "2024-01-15T14:30:00Z"
  }
}

Node Configuration:

{
  "integration_service": "fortigate",
  "resource": "domain-block",
  "operation": "create",
  "parameters": {
    "domain": "{{phishing_report.domains[0]}}",
    "filterType": "dns",
    "filterId": 1,
    "matchType": "simple",
    "comment": "Phishing campaign {{phishing_report.campaign_id}} - Reported by {{phishing_report.reported_by}}"
  }
}

Web Filtering for URLs

Block specific URLs using web filter:

Node Configuration:

{
  "integration_service": "fortigate",
  "resource": "domain-block",
  "operation": "create",
  "parameters": {
    "domain": "malware-download-site.com",
    "filterType": "web",
    "filterId": 2,
    "matchType": "wildcard",
    "comment": "Malware distribution site"
  }
}

Unblocking Domains

Remove false positives or remediated domains:

Node Configuration:

{
  "integration_service": "fortigate",
  "resource": "domain-block",
  "operation": "delete",
  "parameters": {
    "domain": "previously-blocked-domain.com",
    "filterType": "dns",
    "filterId": 1
  }
}

Example: Creating Firewall Policies

Creating a Deny Policy

Create a comprehensive firewall policy to block traffic:

Node Configuration:

{
  "integration_service": "fortigate",
  "resource": "firewall-rule",
  "operation": "create",
  "parameters": {
    "name": "Block Suspicious Subnet",
    "action": "deny",
    "srcintf": ["port1", "port2"],
    "dstintf": ["wan1"],
    "srcaddr": ["Suspicious_Subnet"],
    "dstaddr": ["all"],
    "service": ["ALL"],
    "schedule": "always",
    "logtraffic": "all",
    "comments": "Blocking traffic from compromised subnet",
    "status": "enable"
  }
}

Creating an Allow Policy with Restrictions

Create a policy that allows specific traffic with logging:

Node Configuration:

{
  "integration_service": "fortigate",
  "resource": "firewall-rule",
  "operation": "create",
  "parameters": {
    "name": "Allow Remote Access VPN",
    "action": "accept",
    "srcintf": ["wan1"],
    "dstintf": ["ssl.root"],
    "srcaddr": ["all"],
    "dstaddr": ["all"],
    "service": ["HTTPS", "SSL_VPN"],
    "schedule": "always",
    "logtraffic": "utm",
    "comments": "Allow SSL VPN connections with UTM logging"
  }
}

Updating Policy Status

Disable a policy without deleting it:

Node Configuration:

{
  "integration_service": "fortigate",
  "resource": "firewall-rule",
  "operation": "update",
  "parameters": {
    "policyid": 123,
    "status": "disable",
    "comments": "Temporarily disabled for maintenance"
  }
}

Moving Policy Priority

Adjust policy order for correct rule evaluation:

Node Configuration:

{
  "integration_service": "fortigate",
  "resource": "firewall-rule",
  "operation": "move",
  "parameters": {
    "policyid": 150,
    "position": "before",
    "neighbor": 100
  }
}

This moves policy 150 to execute before policy 100 in the rule evaluation order.

Example: Address Group Management

Creating an Address Group for Blocked IPs

Node Configuration:

{
  "integration_service": "fortigate",
  "resource": "address-group",
  "operation": "create",
  "parameters": {
    "name": "BLOCKED_IPS_GROUP",
    "comment": "Collection of blocked malicious IPs",
    "members": ["BLOCKED_203_0_113_50", "BLOCKED_198_51_100_75"]
  }
}

Adding IPs to Existing Group

Dynamically add newly blocked IPs to a group:

Input Data:

{
  "new_block": {
    "address_name": "BLOCKED_192_0_2_100",
    "group": "BLOCKED_IPS_GROUP"
  }
}

Node Configuration:

{
  "integration_service": "fortigate",
  "resource": "address-group",
  "operation": "addMember",
  "parameters": {
    "groupName": "{{new_block.group}}",
    "addressName": "{{new_block.address_name}}"
  }
}

Removing IPs from Group

Node Configuration:

{
  "integration_service": "fortigate",
  "resource": "address-group",
  "operation": "removeMember",
  "parameters": {
    "groupName": "BLOCKED_IPS_GROUP",
    "addressName": "BLOCKED_203_0_113_50"
  }
}

Using Address Groups in Policies

Once created, address groups can be referenced in firewall policies:

{
  "integration_service": "fortigate",
  "resource": "firewall-rule",
  "operation": "create",
  "parameters": {
    "name": "Block Malicious IP Group",
    "action": "deny",
    "srcintf": ["any"],
    "dstintf": ["any"],
    "srcaddr": ["BLOCKED_IPS_GROUP"],
    "dstaddr": ["all"],
    "service": ["ALL"],
    "logtraffic": "all",
    "comments": "Deny all traffic from blocked IP group"
  }
}

Example: Device Isolation for Incident Response

Isolating a Compromised Device

Immediately isolate a device when malware is detected:

Input Data:

{
  "alert": {
    "device_ip": "192.168.10.55",
    "device_name": "WORKSTATION-042",
    "threat": "Ransomware",
    "severity": "critical",
    "analyst": "security-team"
  }
}

Node Configuration:

{
  "integration_service": "fortigate",
  "resource": "device",
  "operation": "isolate",
  "parameters": {
    "deviceIp": "{{alert.device_ip}}",
    "deviceName": "{{alert.device_name}}",
    "reason": "{{alert.threat}} detected - Severity: {{alert.severity}} - Isolated by {{alert.analyst}}",
    "moveToTop": true
  }
}

This will:

  1. Create an address object for the device IP
  2. Create a deny-all firewall policy
  3. Move the policy to the top (highest priority) for immediate effect

Unisolating a Remediated Device

Restore network access after remediation:

Node Configuration:

{
  "integration_service": "fortigate",
  "resource": "device",
  "operation": "unisolate",
  "parameters": {
    "deviceIp": "192.168.10.55"
  }
}

This will:

  1. Find and delete the isolation firewall policy
  2. Remove the device address object
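
The isolate and unisolate steps above, modelled in an added Python example (not NINA's or Fortinet's code) against an in-memory address table and ordered policy list. It enforces two constraints the Troubleshooting section calls out (address names must be unique, and an address cannot be deleted while a policy references it), which is why unisolate removes the policy before the address; the naming follows the sample isolation response, and the starting policy id of 175 is constructed to match it.

```python
from dataclasses import dataclass


@dataclass
class Policy:
    policyid: int
    name: str
    action: str
    srcaddr: list
    dstaddr: list
    status: str = "enable"


class FortiGateModel:
    """Offline stand-in for the address objects and top-to-bottom policy table."""

    def __init__(self, next_policy_id=175):   # 175 is constructed (page's sample response)
        self.addresses = {}   # name -> "ip/prefix"
        self.policies = []    # index 0 is evaluated first, as on FortiGate
        self._next_id = next_policy_id

    def create_address(self, name, subnet):
        if name in self.addresses:            # FortiGate requires unique address names
            raise ValueError(f"address {name!r} already exists")
        self.addresses[name] = subnet

    def delete_address(self, name):
        refs = [p.name for p in self.policies if name in p.srcaddr or name in p.dstaddr]
        if refs:                              # referenced objects cannot be deleted
            raise ValueError(f"address {name!r} still referenced by {refs}")
        del self.addresses[name]

    def create_policy(self, name, action, srcaddr, dstaddr):
        for ref in srcaddr + dstaddr:
            if ref != "all" and ref not in self.addresses:
                raise ValueError(f"unknown address object {ref!r}")
        policy = Policy(self._next_id, name, action, list(srcaddr), list(dstaddr))
        self._next_id += 1
        self.policies.append(policy)          # a new policy lands at the bottom
        return policy

    def move_to_top(self, policyid):
        policy = self._find(policyid)
        self.policies.remove(policy)
        self.policies.insert(0, policy)

    def delete_policy(self, policyid):
        self.policies.remove(self._find(policyid))

    def _find(self, policyid):
        for policy in self.policies:
            if policy.policyid == policyid:
                return policy
        raise KeyError(policyid)


def isolation_address_name(device_ip):
    # Follows the page's sample response: 192.168.10.55 -> ISOLATED_192_168_10_55
    return "ISOLATED_" + device_ip.replace(".", "_")


def isolate(fg, device_ip, device_name, move_to_top=True):
    """The three steps the page lists: address object, deny-all policy, move to top."""
    addr = isolation_address_name(device_ip)
    fg.create_address(addr, f"{device_ip}/32")
    policy = fg.create_policy(f"ISOLATE_{device_name}", "deny", [addr], ["all"])
    if move_to_top:
        # A deny left at the bottom is ineffective if an earlier accept matches first.
        fg.move_to_top(policy.policyid)
    return {"success": True, "device_ip": device_ip, "address_name": addr,
            "policy_name": policy.name, "policy_id": policy.policyid}


def unisolate(fg, device_ip):
    """Reverse of isolate: the policy must go before the address it references."""
    addr = isolation_address_name(device_ip)
    if addr not in fg.addresses:
        return {"success": False, "device_ip": device_ip, "message": "device is not isolated"}
    for policy in [p for p in fg.policies if addr in p.srcaddr]:
        fg.delete_policy(policy.policyid)
    fg.delete_address(addr)
    return {"success": True, "device_ip": device_ip, "message": "Device restored"}


def isolated_devices(fg):
    """The list operation: every device that still has an ISOLATED_ address object."""
    prefix = "ISOLATED_"
    return [n[len(prefix):].replace("_", ".") for n in fg.addresses if n.startswith(prefix)]
```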

Listing Isolated Devices

Query all currently isolated devices for reporting:

Node Configuration:

{
  "integration_service": "fortigate",
  "resource": "device",
  "operation": "list",
  "parameters": {}
}

Integration in Workflow Context

The FortiGate integration is particularly powerful when combined with other nodes in a workflow:

Common Workflow Patterns:

  1. Automated Threat Response:
    • Threat Intel Feed → Script Node (extract IOCs) → FortiGate IP Block Node → FortiGate Firewall Rule Node → Slack Node (notify SOC)
  2. Phishing Response Pipeline:
    • Email Security Alert → Script Node (extract domains) → FortiGate Domain Block Node → SIEM Node (update case) → Jira Node (create ticket)
  3. Incident Response Automation:
    • EDR Alert → Script Node (parse alert) → FortiGate Device Isolation Node → ServiceNow Node (create incident) → Email Node (notify team)
  4. Coordinated IOC Blocking:
    • SOAR Playbook → FortiGate IP Block → Cloudflare Gateway Block → CrowdStrike IOC Creation → Report Node
  5. Address Group Management:
    • Schedule Node → Threat Feed API → Script Node (parse IPs) → FortiGate Create IP Block → FortiGate Add to Group → Email Report
  6. Policy Audit and Cleanup:
    • Schedule Node → FortiGate List Rules → Script Node (analyze) → FortiGate Delete Rule → Database Node (log changes)

Response Structure Examples

IP Block Creation Response

{
  "http_method": "POST",
  "results": {
    "mkey": "BLOCKED_203_0_113_50"
  },
  "vdom": "root",
  "path": "firewall",
  "name": "address",
  "status": "success",
  "http_status": 200,
  "build": 2575,
  "address_name": "BLOCKED_203_0_113_50",
  "blocked_ip": "203.0.113.50/32"
}

Firewall Rule Creation Response

{
  "http_method": "POST",
  "results": {
    "mkey": "152"
  },
  "vdom": "root",
  "path": "firewall",
  "name": "policy",
  "status": "success",
  "http_status": 200,
  "build": 2575
}

Device Isolation Response

{
  "success": true,
  "device_ip": "192.168.10.55",
  "address_name": "ISOLATED_192_168_10_55",
  "policy_name": "ISOLATE_WORKSTATION-042",
  "policy_id": 175,
  "message": "Device isolated successfully"
}

Address Group Response

{
  "http_method": "POST",
  "results": {
    "mkey": "BLOCKED_IPS_GROUP"
  },
  "vdom": "root",
  "path": "firewall",
  "name": "addrgrp",
  "status": "success",
  "http_status": 200
}

Troubleshooting

Issue                        | Resolution
-----------------------------|------------------------------------------------------------------
Authentication failures      | Verify your API token is correct and has not been regenerated. Ensure the REST API Admin account is not disabled. Check that the management URL is accessible from your NINA server.
Permission denied errors     | Verify the API token's administrator profile has the required permissions (Firewall, Policy & Objects, DNS Filter, Web Filter). Recreate the token with a profile that has adequate permissions.
SSL certificate errors       | For self-signed certificates, enable "Insecure SSL" in the credential configuration. For production, install a valid SSL certificate on the FortiGate or use the FortiGate's certificate authority.
VDOM access denied           | Ensure the API token has access to the specified VDOM. In multi-VDOM mode, the REST API Admin must be assigned to the correct VDOM.
Address already exists       | FortiGate requires unique address object names. Check if the IP is already blocked with a different name using the list operation.
Policy creation fails        | Verify that all referenced objects (interfaces, addresses, services) exist in FortiGate. Check that the policy doesn't conflict with existing policies.
Filter ID not found          | Ensure the DNS or web filter profile exists before adding domains. Create the filter profile first or omit filterId to create a new one.
Cannot delete address object | Address objects cannot be deleted if they're referenced in policies or address groups. Remove references first, then delete the address object.
Rate limiting or timeout     | FortiGate may rate-limit API requests under heavy load. Implement retry logic with exponential backoff in your workflows.
Invalid interface name       | Verify interface names match exactly (case-sensitive). Use FortiGate CLI or web UI to confirm available interface names.

Best Practices

  1. Use Descriptive Names: Give address objects, policies, and groups descriptive names that clearly indicate their purpose, source, and creation context.

  2. Implement Proper Comments: Always include detailed comments in address objects and policies including threat type, source, analyst name, and incident reference.

  3. Leverage Address Groups: Use address groups for scalable management of blocked IPs. This allows single policy updates instead of creating multiple policies.

  4. Plan Policy Precedence: FortiGate evaluates policies top-to-bottom. Place more specific rules before general rules. Use the move operation to adjust order.

  5. Test in Staging First: Test firewall policy changes in a non-production VDOM or FortiGate instance before deploying to production.

  6. Use Template Variables: Leverage NINA's template variables for dynamic, context-aware firewall operations based on upstream data.

  7. Monitor Isolated Devices: Implement workflows to track isolated devices and ensure timely remediation and restoration.

  8. Implement Cleanup Workflows: Create scheduled workflows to remove expired blocks and clean up old address objects.

  9. Secure API Tokens: Use the principle of least privilege when creating REST API Admin accounts. Restrict trusted hosts to NINA server IPs only.

  10. Enable Comprehensive Logging: Set logtraffic: "all" on security policies to ensure complete audit trails for blocked traffic.

  11. Coordinate with Other Security Tools: Combine FortiGate operations with other security integrations (CrowdStrike, Cloudflare, SIEM) for comprehensive protection.

  12. Document Policy Purposes: Maintain clear documentation of policy creation reasons and the business/security requirements they address.

  13. Regular Policy Audits: Implement workflows to regularly review firewall policies and remove obsolete rules.

  14. Validate Before Blocking: Implement validation steps (IP reputation checks, false positive analysis) before automatically blocking IPs or domains.

  15. Use Appropriate Match Types: Choose the right match type for domain blocking (simple for exact matches, wildcard for subdomains, regex for complex patterns).

Advanced Use Cases

Coordinated Multi-Firewall Blocking

Block threats across multiple FortiGate devices simultaneously:

Workflow Configuration:

# Step 1: Parse threat intelligence
- type: script
  code: |
    return {
      malicious_ip: input.ioc,
      firewalls: ["firewall-hq", "firewall-dc1", "firewall-dc2"]
    };

# Step 2: Block on all firewalls (parallel)
- type: integration
  integration_service: fortigate
  credential: "{{firewall}}"
  resource: ip-block
  operation: create
  parameters:
    ip: "{{malicious_ip}}"
    comment: "Coordinated block across all sites"
  foreach: "{{firewalls}}"

Automatic IOC Import from Threat Feeds

Continuously import and block IOCs from external feeds:

{
  "integration_service": "fortigate",
  "resource": "ip-block",
  "operation": "create",
  "parameters": {
    "ip": "{{feed_ioc.value}}",
    "name": "FEED_{{feed_ioc.source}}_{{feed_ioc.id}}",
    "comment": "Auto-imported from {{feed_ioc.source}} - Confidence: {{feed_ioc.confidence}} - Type: {{feed_ioc.type}}"
  }
}

Smart Device Isolation with Notifications

Isolate devices with full notification pipeline:

# Step 1: Isolate device
- integration_service: fortigate
  resource: device
  operation: isolate
  parameters:
    deviceIp: "{{alert.device_ip}}"
    deviceName: "{{alert.hostname}}"
    reason: "{{alert.threat_name}} - Auto-isolated by SOAR"

# Step 2: Create incident ticket
- integration_service: jira
  operation: create_issue
  parameters:
    summary: "Device Isolated - {{alert.hostname}}"
    description: "FortiGate isolation policy created for {{alert.device_ip}}"

# Step 3: Notify security team
- integration_service: slack
  operation: send_message
  parameters:
    channel: "#security-alerts"
    text: "Device {{alert.hostname}} ({{alert.device_ip}}) has been isolated due to {{alert.threat_name}}"

Dynamic Address Group Management

Build and maintain dynamic address groups based on threat classifications:

{
  "integration_service": "fortigate",
  "resource": "address-group",
  "operation": "addMember",
  "parameters": {
    "groupName": "{{threat_classification}}_IPS",
    "addressName": "{{newly_blocked_address}}"
  }
}

Temporary Block with Auto-Expiration

Implement temporary blocks with automatic removal:

# Step 1: Block IP
- integration_service: fortigate
  resource: ip-block
  operation: create
  parameters:
    ip: "{{suspicious_ip}}"
    comment: "Temporary block - Expires {{expiration_time}}"

# Step 2: Store block metadata in database
- integration_service: database
  operation: insert
  parameters:
    table: "temporary_blocks"
    data:
      ip: "{{suspicious_ip}}"
      expires_at: "{{expiration_time}}"

# Step 3: Schedule cleanup (separate workflow)
- integration_service: fortigate
  resource: ip-block
  operation: delete
  parameters:
    name: "{{block_name}}"
  trigger: schedule
  condition: "{{current_time > expires_at}}"

Policy-Based Incident Response

Create firewall policies based on incident severity:

// Script node to determine response
const response = {
  severity: input.alert.severity,
  actions: []
};

if (input.alert.severity === "critical") {
  response.actions = [
    { type: "isolate_device", device_ip: input.alert.source_ip },
    { type: "block_destination", ip: input.alert.destination_ip },
    { type: "alert_soc", priority: "high" }
  ];
} else if (input.alert.severity === "high") {
  response.actions = [
    { type: "block_destination", ip: input.alert.destination_ip },
    { type: "log_traffic", duration: "24h" }
  ];
}

return response;

Filter Expression Syntax

FortiGate uses filter expressions for querying address objects and policies:

Basic Filters

name=@BLOCKED                  # Contains "BLOCKED"
name==exact_name               # Exact match
subnet==192.168.1.0            # Specific subnet

Combining Filters

name=@[email protected]    # AND operation
action==deny                   # Match specific action
status==enable+action==deny    # Multiple conditions

Common Filter Fields

Address Objects:

  • name: Address object name
  • subnet: IP address or subnet
  • type: Address type (ipmask, fqdn, etc.)
  • comment: Comment field

Firewall Policies:

  • policyid: Policy ID
  • name: Policy name
  • action: accept, deny, ipsec
  • status: enable, disable
  • srcaddr: Source address reference
  • dstaddr: Destination address reference

For more advanced filtering and API capabilities, refer to the FortiGate REST API documentation.
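
To make the operator semantics concrete, an added Python example (not FortiGate's or NINA's code) that evaluates the filter forms shown above (=@ contains, == exact match, + joining conditions with AND) together with the format field list from the list operation, over constructed address objects and policies. Real queries are evaluated server-side by FortiGate; this only models the syntax described on this page, and rejects any operator it does not know rather than guessing.

```python
import re

# Constructed sample records, shaped like the filter fields listed above.
ADDRESSES = [
    {"name": "BLOCKED_203_0_113_50", "subnet": "203.0.113.50/32", "type": "ipmask",
     "comment": "Malicious IP detected by threat intelligence"},
    {"name": "BLOCKED_198_51_100_75", "subnet": "198.51.100.75/32", "type": "ipmask",
     "comment": "C2 Server - APT29"},
    {"name": "Corp_LAN", "subnet": "192.168.1.0/24", "type": "ipmask", "comment": "Internal"},
]
POLICIES = [
    {"policyid": 100, "name": "Allow Remote Access VPN", "action": "accept", "status": "enable"},
    {"policyid": 150, "name": "Block Suspicious Subnet", "action": "deny", "status": "enable"},
    {"policyid": 123, "name": "Old block", "action": "deny", "status": "disable"},
]

# field, operator, value; only the two operators the page documents.
_CONDITION = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)(==|=@)(.*)$")
_OPERATORS = {
    "==": lambda actual, wanted: str(actual) == wanted,   # exact match
    "=@": lambda actual, wanted: wanted in str(actual),   # substring ("contains")
}


def parse_filter(expr):
    """Parse 'field==value+field=@value' into a list of (field, op, value).

    '+' is the AND separator from the page, so a value containing '+' cannot be
    expressed with this syntax; an unknown operator raises instead of matching nothing.
    """
    conditions = []
    for part in expr.split("+"):
        match = _CONDITION.match(part.strip())
        if not match:
            raise ValueError(f"unparseable filter condition: {part!r}")
        conditions.append((match.group(1), match.group(2), match.group(3)))
    return conditions


def matches(record, conditions):
    """A record matches only if every condition holds (AND); a missing field never matches."""
    return all(field in record and _OPERATORS[op](record[field], value)
               for field, op, value in conditions)


def query(records, filter_expr, fmt=None):
    """Apply a filter expression and an optional 'a|b|c' format (field projection)."""
    conditions = parse_filter(filter_expr)
    fields = fmt.split("|") if fmt else None
    results = []
    for record in records:
        if matches(record, conditions):
            results.append({f: record.get(f) for f in fields} if fields else dict(record))
    return results
```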

Security Considerations

  1. API Token Security: Store API tokens securely using NINA's credential management. Never expose tokens in logs or workflow configurations.

  2. Least Privilege: Create REST API Admin accounts with minimal required permissions. Avoid using Super_Admin unless necessary.

  3. IP Whitelisting: Configure Trusted Hosts on the REST API Admin to restrict API access to NINA server IPs only.

  4. Audit Logging: Enable comprehensive logging on FortiGate for all API operations to maintain audit trails.

  5. Change Management: Implement approval workflows for production firewall changes, even when automated.

  6. Backup Policies: Regularly backup FortiGate configurations before automated operations.

  7. Testing Environment: Maintain a test FortiGate instance for validating workflow changes before production deployment.

  8. Rollback Procedures: Implement rollback capabilities to quickly revert automated changes if issues occur.

  9. Rate Limiting: Respect FortiGate API rate limits to avoid overwhelming the firewall management plane.

  10. Certificate Validation: Always use valid SSL certificates and disable "Insecure SSL" in production environments.

Updated: 2026-01-28