0 Votes
JwalaSingh-0973 asked · AndrewBlumhardt-1137 answered

Playbook for IP blocking using FortiGate Firewall

Hi All,

Could someone please help me with how to achieve automatic IP blocking using the Sentinel SOAR capability? In our environment, we are using a FortiGate Firewall.

Could you please give the list of requirements on the FortiGate Firewall side and how I can achieve them, and the requirements on the Sentinel side?

Any help will be highly appreciated.

Thanks

azure-logic-apps · microsoft-sentinel
· 2 comments

Hi @JwalaSingh-0973

The fortinet IP blocking playbook and all the details needed to configure it are here:
Fortinet-FortiGate



If this helps please accept my solution and upvote.
Or just have a nice day.

0 Votes

Hi @DavidBroggy-5270,

Thanks for your reply. I have already seen that playbook on GitHub, but I just wanted to know how we can establish the connectivity between Microsoft Sentinel and the FortiGate Firewall, how we can test the logic app, how the function app will work, how we will bind it to the rule, etc.

0 Votes

1 Answer

0 Votes
AndrewBlumhardt-1137 answered

A similar option is available in Sentinel as a Content Hub solution. My recommendation would be to deploy the Content Hub solution and work through the various playbooks and components. I am not sure if anyone here would have the specific answers you are looking for. The best way to learn the solution is through testing and reviewing the logic. You may find the need for some additional development. These solutions and playbooks are often starting points or a proof of concept. The simple answer is that the logic apps will use a series of API-based activities that will each need to be authenticated. On the Microsoft side that would be a managed identity or service principal. For FortiGate it sounds like it would be an API key (assuming there is an accessible FortiGate endpoint).
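To make the "series of authenticated API-based activities" concrete, here is an added example (written for this page; it is not code from the thread, from the Fortinet-FortiGate playbook, or from Microsoft) of the two steps a block-IP playbook performs for each IP entity in an incident: an eligibility guard, then the call to the firewall. The guard is the part a proof-of-concept playbook usually lacks and that matters most in production, because an automated rule can otherwise block internal, loopback or the organisation's own public addresses. Assumptions, labelled in the code too: the FortiGate hostname, the API token and the 198.51.100.0/24 "our own range" allowlist are placeholders; the `/api/v2/cmdb/firewall/address` path, the `ipmask`/`subnet` field layout and the `Authorization: Bearer` header follow the FortiOS REST API as the author understands it and should be checked against the requests in the playbook you deploy; HTTP transport is injectable so the logic runs offline.

```python
"""Added example: guard-then-block step of a Sentinel "block IP on FortiGate" playbook.
Not the playbook's own code. Endpoint path, field names and auth header are assumptions
about the FortiOS REST API; hostname, token and allowlist are placeholders."""
import ipaddress
import json
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed policy data: RFC 1918 space plus a placeholder for the organisation's own
# public range (198.51.100.0/24 is an RFC 5737 documentation range, used here as a stand-in).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ORG_ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]

Transport = Callable[[str, Dict[str, str], Dict[str, str]], int]


def is_blockable(ip_text: str) -> bool:
    """Guard step: only a routable, non-internal, non-allowlisted IPv4 address may be blocked automatically."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False                      # malformed entity value from the incident
    if ip.version != 4:
        return False                      # IPv6 needs a separate address6 object; out of scope here
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return False
    return not any(ip in net for net in RFC1918 + ORG_ALLOWLIST)


def build_block_request(host: str, ip_text: str, token: str) -> Tuple[str, Dict[str, str], Dict[str, str]]:
    """Build the request that creates a /32 address object on the FortiGate.
    Path, field layout and bearer header are the author's assumptions about the FortiOS REST API."""
    ip = ipaddress.ip_address(ip_text.strip())
    url = f"https://{host}/api/v2/cmdb/firewall/address"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    body = {
        "name": f"Sentinel-Block-{ip}",
        "type": "ipmask",
        "subnet": f"{ip} 255.255.255.255",
        "comment": "created by Sentinel playbook",
    }
    return url, headers, body


def urllib_transport(url: str, headers: Dict[str, str], body: Dict[str, str]) -> int:
    """Real transport: POST the JSON body and return the HTTP status (not exercised offline)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def block_ips(host: str, token: str, entity_ips: List[str],
              transport: Transport = urllib_transport) -> Dict[str, str]:
    """Run the guard and the API call for every IP entity; the per-IP outcome is what the
    playbook would write back to the incident as a comment."""
    outcome: Dict[str, str] = {}
    for ip_text in entity_ips:
        if not is_blockable(ip_text):
            outcome[ip_text] = "skipped: not eligible for automatic blocking"
            continue
        url, headers, body = build_block_request(host, ip_text, token)
        status = transport(url, headers, body)
        outcome[ip_text] = "blocked" if status == 200 else f"failed: HTTP {status}"
    return outcome
```

In a real deployment the token would come from Key Vault via the logic app's managed identity rather than being passed around as a string, and the address object still has to be a member of an address group that a deny policy references; creating the object alone blocks nothing, which is one of the things to verify when you test the playbook end to end.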
