Tutorial: Integrate Fortinet with Azure Defender for IoT

This tutorial will help you learn how to integrate and use Fortinet with Azure Defender for IoT.

Azure Defender for IoT mitigates IIoT and ICS and SCADA risk with ICS-aware self-learning engines that deliver immediate insights about ICS devices, vulnerabilities, and threats. Defender for IoT accomplishes this without relying on agents, rules, signatures, specialized skills, or prior knowledge of the environment.

Defender for IoT and Fortinet have established a technological partnership that detects and stops attacks on IoT and ICS networks.

Fortinet and Azure Defender for IoT prevent:

  • Unauthorized changes to programmable logic controllers (PLC).

  • Malware that manipulates ICS and IoT devices via their native protocols.

  • Reconnaissance tools from collecting data.

  • Protocol violations caused by misconfigurations or malicious attackers.

Defender for IoT detects anomalous behavior in IoT and ICS networks and delivers that information to FortiGate and FortiSIEM, as follows:

  • Visibility: The information provided by Defender for IoT gives FortiSIEM administrators visibility into previously invisible IoT and ICS networks.

  • Blocking malicious attacks: FortiGate administrators can use the information discovered by Defender for IoT to create rules that stop anomalous behavior, whether it is caused by chaotic actors or by misconfigured devices, before it causes damage to production, profits, or people.

FortiSIEM, Fortinet's multivendor security incident and event management solution, brings visibility, correlation, automated response, and remediation together in a single scalable solution.

Its Business Services view reduces the complexity of managing network and security operations, freeing resources and improving breach detection. FortiSIEM provides cross-correlation while applying machine learning and UEBA to improve response, in order to stop breaches before they occur.

In this tutorial, you learn how to:

  • Create an API key in Fortinet
  • Set a forwarding rule to block malware-related alerts
  • Block the source of suspicious alerts
  • Send Defender for IoT alerts to FortiSIEM
  • Block a malicious source using the Fortigate firewall

If you do not already have an Azure account, you can create your Azure free account today.

Prerequisites

There are no prerequisites for this tutorial.

Create an API key in Fortinet

An application programming interface (API) key is a uniquely generated code that allows an API to identify the application or user requesting access to it. An API key is needed for Azure Defender for IoT and Fortinet to communicate correctly.

To create an API key in Fortinet:

  1. In FortiGate, navigate to System > Admin Profiles.

  2. Create a profile with the following permissions:

    Security Fabric: None
    Fortiview: None
    User & Device: None
    Firewall: Custom
    Policy: Read/Write
    Address: Read/Write
    Service: None
    Schedule: None
    Logs & Report: None
    Network: None
    System: None
    Security Profile: None
    VPN: None
    WAN Opt & Cache: None
    WiFi & Switch: None
  3. Navigate to System > Administrators, and create a new REST API Admin with the following fields:

    Username: Enter the forwarding rule name.
    Comments: Enter the minimal security level incident to forward. For example, if Minor is selected, minor alerts and any alert above this severity level will be forwarded.
    Administrator Profile: From the dropdown list, select the profile name that you defined in the previous step.
    PKI Group: Toggle the switch to Disable.
    CORS Allow Origin: Toggle the switch to Enable.
    Restrict login to trusted hosts: Add the IP addresses of the sensors and management consoles that will connect to FortiGate.

When the API key is generated, save it; it will not be shown again.

Screenshot of the New API Key dialog.

Set a forwarding rule to block malware-related alerts

The FortiGate firewall can be used to block suspicious traffic.

To set a forwarding rule to block malware-related alerts:

  1. Sign in to the Azure Defender for IoT Management Console.

  2. In the left pane, select Forwarding.

    Screenshot of the Forwarding window option in a sensor.

  3. Select Create Forwarding Rules and define the following rule parameters.

    Name: Enter a meaningful name for the forwarding rule.
    Select Severity: From the drop-down menu, select the minimal security level incident to forward. For example, if Minor is selected, minor alerts and any alert above this severity level will be forwarded.
    Protocols: To select a specific protocol, select Specific, and select the protocol for which this rule is applied. By default, all the protocols are selected.
    Engines: To select a specific security engine for which this rule is applied, select Specific, and select the engine. By default, all the security engines are involved.
    System Notifications: Forward the sensor's online and offline status. This option is only available if you have logged into the on-premises management console.
  4. In the Actions section, select Add, and then select Send to FortiGate from the drop-down menu.

    Screenshot of the Add an action section of the Create Forwarding Rule window.

  5. To configure the FortiGate forwarding rule, set the following parameters:

    Screenshot of the FortiGate configuration section of the Create Forwarding Rule window.

    Host: Enter the FortiGate server IP address.
    API Key: Enter the API key that you created in FortiGate.
    Incoming Interface: Enter the incoming interface port.
    Outgoing Interface: Enter the outgoing interface port.
    Configure: Ensure a check mark is shown next to each of the following options to enable blocking of suspicious sources via the FortiGate firewall:
    - Block illegal function codes: Protocol violations - illegal field value violating the ICS protocol specification (potential exploit)
    - Block unauthorized PLC programming / firmware updates: Unauthorized PLC changes
    - Block unauthorized PLC stop: PLC stop (downtime)
    - Block malware-related alerts: Blocking of industrial malware attempts (TRITON, NotPetya, etc.)
    - (Optional) You can select the option for Automatic blocking. If Automatic Blocking is selected, blocking is executed automatically and immediately.
    - Block unauthorized scanning: Unauthorized scanning (potential reconnaissance)
  6. Select Submit.

Block the source of suspicious alerts

The source of suspicious alerts can be blocked in order to prevent further occurrences.

To block the source of suspicious alerts:

  1. Sign in to the management console and select Alerts from the left side menu.

  2. Select the alert related to Fortinet integration.

  3. To automatically block the suspicious source, select Block Source.

    Screenshot of the Alert window.

  4. In the Please Confirm dialog box, select OK.

Send Defender for IoT alerts to FortiSIEM

Defender for IoT alerts provide information about an extensive range of security events, including:

  • Deviations from learned baseline network activity

  • Malware detections

  • Detections based on suspicious operational changes

  • Network anomalies

  • Protocol deviations from protocol specifications

You can configure Defender for IoT to send alerts to the FortiSIEM server, where alert information is displayed in the Analytics window:

Screenshot of the Analytics window.

Each Defender for IoT alert is then parsed without any further configuration on the FortiSIEM side, and the alerts are presented in FortiSIEM as security events. The following event details appear by default:

Screenshot of the Event Details window.

You can then use Defender for IoT's Forwarding Rules to send alert information to FortiSIEM.

To use Defender for IoT's Forwarding Rules to send alert information to FortiSIEM:

  1. From the sensor, or management console left pane, select Forwarding.

    Screenshot of the forwarding rules in the Forwarding window.

  2. Select Create Forwarding Rules, and define the rule's parameters.

    Name: Enter a meaningful name for the forwarding rule.
    Select Severity: Select the minimum security level incident to forward. For example, if Minor is selected, minor alerts and any alert above this severity level will be forwarded.
    Protocols: To select a specific protocol, select Specific, and select the protocol for which this rule is applied. By default, all the protocols are selected.
    Engines: To select a specific security engine for which this rule is applied, select Specific and select the engine. By default, all the security engines are involved.
    System Notifications: Forward a sensor's online or offline status. This option is only available if you have logged into the on-premises management console.
  3. In the Actions section, select Send to FortiSIEM.

    Screenshot of the Create Forwarding Rule window with Send to FortiSIEM selected.

  4. Enter the FortiSIEM server details.

    Screenshot of the FortiSIEM details added to the forwarding rule.

    Host: Enter the FortiSIEM server IP address.
    Port: Enter the FortiSIEM server port.
    Timezone: The time zone used for the alert detection time stamp.
  5. Select Submit.

Block a malicious source using the FortiGate firewall

You can set policies to automatically block malicious sources in the FortiGate firewall using alerts in Defender for IoT.

Screenshot of the FortiGate Firewall window.

For example, the following alert can block the malicious source:

Screenshot of the NotPetya Malware suspicion alert window.

To set a FortiGate firewall rule that blocks a malicious source:

  1. In FortiGate, create an API key.

  2. Sign in to the Defender for IoT sensor or the management console, select Forwarding, and set a forwarding rule that blocks malware-related alerts.

  3. In the Defender for IoT sensor or the management console, select Alerts, and block a malicious source.

  4. Navigate to the FortiGate Administrator window, and locate the malicious source address you blocked.

    Screenshot of the FortiGate Administrator window.

    The blocking policy is created automatically and appears in the FortiGate IPv4 Policy window.

    Screenshot of the FortiGate IPv4 Policy window.

  5. Select the policy and ensure that Enable this policy is toggled to the on position.

    Screenshot of the FortiGate IPv4 Policy Edit window.
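The checks in steps 4 and 5 (the address object exists, a deny policy references it, and the policy is enabled) can be scripted against the FortiGate REST API using the key created earlier. This is an added example, not code from the Microsoft or Fortinet documentation; it assumes the FortiOS cmdb endpoints firewall/address and firewall/policy with Bearer-token authentication, and the JSON field names (subnet, srcaddr, action, status, policyid) shown in the constructed sample.

```python
import ipaddress
import json
import ssl
import urllib.request


def fetch_cmdb(host: str, api_key: str, path: str) -> list:
    """GET a FortiOS cmdb collection (e.g. 'firewall/policy') with the REST API key."""
    req = urllib.request.Request(
        f"https://{host}/api/v2/cmdb/{path}",
        headers={"Authorization": f"Bearer {api_key}", "Accept": "application/json"},
    )
    ctx = ssl.create_default_context()  # keep certificate verification on
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)["results"]


def addresses_for_ip(addresses: list, ip: str) -> set:
    """Names of ipmask address objects whose subnet contains `ip`."""
    target = ipaddress.ip_address(ip)
    names = set()
    for obj in addresses:
        if obj.get("type", "ipmask") != "ipmask" or "subnet" not in obj:
            continue
        net, mask = obj["subnet"].split()  # assumed "a.b.c.d m.m.m.m" form
        if target in ipaddress.ip_network(f"{net}/{mask}", strict=False):
            names.add(obj["name"])
    return names


def audit_block(policies: list, addresses: list, ip: str) -> dict:
    """Report whether an enabled deny policy lists `ip` (via an address object) as source."""
    names = addresses_for_ip(addresses, ip)
    hits = [p for p in policies if p.get("action") == "deny"
            and any(a["name"] in names for a in p.get("srcaddr", []))]
    enabled = [p["policyid"] for p in hits if p.get("status") == "enable"]
    disabled = [p["policyid"] for p in hits if p.get("status") != "enable"]
    return {"blocked": bool(enabled), "enabled": enabled, "disabled": disabled}


# Constructed sample in the assumed cmdb JSON shape: the auto-created deny
# policy exists but was left disabled, which is exactly what step 5 catches.
SAMPLE_ADDRESSES = [
    {"name": "Blocked_10.1.1.5", "type": "ipmask", "subnet": "10.1.1.5 255.255.255.255"},
    {"name": "OT_Net", "type": "ipmask", "subnet": "10.1.0.0 255.255.0.0"},
]
SAMPLE_POLICIES = [
    {"policyid": 7, "name": "DefenderIoT-Block", "action": "deny", "status": "disable",
     "srcaddr": [{"name": "Blocked_10.1.1.5"}]},
    {"policyid": 1, "name": "OT_to_SCADA", "action": "accept", "status": "enable",
     "srcaddr": [{"name": "OT_Net"}]},
]
```

For a live appliance, feed `fetch_cmdb(host, key, "firewall/policy")` and `fetch_cmdb(host, key, "firewall/address")` into `audit_block` in place of the sample lists; a result with a non-empty `disabled` list means the policy was created but still needs to be toggled on.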

Clean up resources

There are no resources to clean up.

Next steps

In this tutorial, you learned how to get started with the Fortinet integration. Continue on to learn about our Palo Alto integration.