FortiNAC
Security Automation
Version 8.2
© Copyright Fortinet Inc. All rights reserved. Last Modified: 8 July 2022
Lesson Overview
Security Automation
Admin Scans
Security Automation
Objectives
• Understand security automation
• Configure security device integration
• Configure security rules
• Create and use admin scans
Security Automation & Orchestration
(Diagram labels: Visibility, Action, Log to SIEM.)
Example SOC Workflow
(Diagram labels: SOC Context; Live Inventory of Network Connections (LINC); Rules; Incident Analysis; Context; Visibility and Automation.)
Alert and Contextual Information
• Security Alert
o Vendor: Fortinet
o Type: Threat
o Sub Type: Virus
o Threat ID: 32423
o Description: http Non RFC-Compliant Response Found
o Severity: Critical
o IP Address: 192.168.102.53
• Host Information
o Host Name: Johns PC
o Operating System: Windows 10
o Adapter Physical Address: 00:01:02:04:04:05
o IP Address: 192.168.102.6
o Location: Switch-2 Port 8
• User Information
o First Name: John
o Last Name: Doe
o Role: Engineering Contractor
o Email: [email protected]
o Phone: 603 717-XXXX
Alert with Contextual Information
(Diagram: the Security Alert from the previous slide is forwarded to the SIEM together with the Host Information and User Information fields, so the SIEM receives one enriched alert instead of the bare vendor alert.)
Security – Accelerate Incident Response
(Diagram labels: Security Rules; Automated Response; Containment; Expanded Notification; Trouble Tickets; Classified False Positives; Possible False Positives; Identified for Further Analysis; Initial Analysis; Log to SIEM.)
FortiNAC Security Rule Correlation Engine
• Security Alert is received and processed
o Matches a Security Filter? Yes: create Security Event. No: exit.
• Evaluate Triggers and Profiles
o Security Trigger satisfied? Yes: evaluate the User/Host Profile. No: exit.
o User/Host Profile satisfied? Yes: create Security Alarm. No: exit.
• Evaluate Alarm Action
o Action defined? Yes: check whether it is Automatic. No: exit.
o Action Automatic? Yes: execute the Activities of the Security Action. No: exit (the Action is Manual).
Security Rule Components
• A Filter is the criteria for a Security Alert
o Normalized data fields
o Alert attribute value(s)
o True when the criteria are matched
• A Trigger is a set of Filters
o All or Any (1 to N)
o Time occurrence window
o True when the Filter criteria (All or Any) are matched within the window
• An Activity is a FortiNAC task to execute
o Time based undo capability
• An Action is 1 to N Activities
o Activity failure handling
o Time based secondary task(s)
Security Rule
• A Security Rule is a Trigger combined with:
o Profile – None, Match or Not Matched
o Action – Automatic or Manual
o Notification when Rule matched and/or Action taken
• Rules are evaluated in prioritized order
• A matched Filter results in Security Event creation
• A satisfied Rule results in Security Alarm creation
PoisonDNS Security Rule
• Name: PoisonDNS
• Trigger: PoisonDNS-Alert
• Profile: None
• Action: Isolate Host
• Notification: Email Helpdesk
PoisonDNS Security Trigger
• Source: FortiGate
• Security Alert Criteria: Alert Type = THREAT, Event Description = Poison DNS Request Traffic(14875), Col[35] = critical
Security Events and Alarms
• Security Event is created on a Filter match
o Date and Time
o Source IP and MAC
o Alert attributes
Example Security Event
• Event Date: 01/12/17 09:48 AM
• Source IP: 192.168.5.95
• Source MAC: 00:1D:09:11:21:DA
• Alert Attributes: Alert Type, Subtype, Severity, Threat ID, Event Description, Location
• Security Alarm is created on a Security Rule match
o Date and Time
o Matched Rule
o Action
o Security Events
o Activities Taken
Example Security Alarm
• Host MAC: 00:1D:09:11:21:DA
• Alarm Date: 01/12/17 09:48 AM
• Matched Rule: PoisonDNS
• Action: Isolate Host
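To make the Filter to Event, Trigger to Alarm, and Action to Activities flow of the correlation engine concrete, here is an added Python simulation of one rule evaluation using the PoisonDNS rule and the Event/Alarm records shown on these slides. It is not FortiNAC code: the alert list, the host-to-role table and the dictionary layout of the rule are constructed for the example, and only the trigger criteria and record fields come from the slides.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts, normalized into the slides' trigger field names (not real FortiGate
# output); the second alert fails the severity criterion on purpose and must not create an Event.
ALERTS = [
    {"time": "01/12/17 09:48", "ip": "192.168.5.95", "mac": "00:1D:09:11:21:DA", "Alert Type": "THREAT",
     "Event Description": "Poison DNS Request Traffic(14875)", "Col[35]": "critical"},
    {"time": "01/12/17 09:49", "ip": "192.168.5.95", "mac": "00:1D:09:11:21:DA", "Alert Type": "THREAT",
     "Event Description": "Poison DNS Request Traffic(14875)", "Col[35]": "medium"},
    {"time": "01/12/17 09:50", "ip": "192.168.5.96", "mac": "00:1D:09:11:21:DB", "Alert Type": "THREAT",
     "Event Description": "Poison DNS Request Traffic(14875)", "Col[35]": "critical"},
]
# Hypothetical host inventory consulted by the User/Host Profile step (constructed).
HOST_ROLE = {"00:1D:09:11:21:DA": "Contractor", "00:1D:09:11:21:DB": "Engineering"}

# The slides' PoisonDNS rule as data: one Filter, Trigger "All" in a 5-minute window, no Profile, automatic Action.
POISON_DNS = {
    "name": "PoisonDNS",
    "filters": [{"Alert Type": "THREAT", "Event Description": "Poison DNS Request Traffic(14875)",
                 "Col[35]": "critical"}],
    "match": "All", "window": timedelta(minutes=5),
    "profile": None,   # None, or {"role": "Contractor", "match": True} (Match) / "match": False (Not Matched)
    "action": ["Isolate Host"], "automatic": True,
}

def filter_hit(flt, alert):
    """A Filter is true when every attribute value it names equals the normalized alert's value."""
    return all(alert.get(k) == v for k, v in flt.items())

def correlate(alerts, rule, host_role):
    """Filter match -> Security Event; Trigger (+ Profile) satisfied -> Security Alarm; automatic Action -> Activities."""
    events, alarms, by_host = [], [], defaultdict(list)
    for a in alerts:
        t = datetime.strptime(a["time"], "%m/%d/%y %H:%M")
        hits = {i for i, f in enumerate(rule["filters"]) if filter_hit(f, a)}
        if not hits:
            continue                                   # no Filter matched: exit, nothing is recorded
        events.append({"date": t, "ip": a["ip"], "mac": a["mac"], "filters": hits})
        by_host[a["mac"]].append((t, hits))
        # Trigger: distinct Filters this host has matched inside the occurrence window
        recent = set().union(*(h for ts, h in by_host[a["mac"]] if t - ts <= rule["window"]))
        need = len(rule["filters"]) if rule["match"] == "All" else 1
        if len(recent) < need:
            continue                                   # Trigger not (yet) satisfied
        p = rule["profile"]
        if p and (host_role.get(a["mac"]) == p["role"]) != p["match"]:
            continue                                   # User/Host Profile not satisfied
        taken = list(rule["action"]) if rule["automatic"] else []   # Manual Actions wait for an operator
        alarms.append({"mac": a["mac"], "date": t, "rule": rule["name"], "action": rule["action"], "activities_taken": taken})
        by_host[a["mac"]].clear()                      # these Events are consumed by the Alarm
    return events, alarms
```

Changing the rule's "profile" or "automatic" fields shows how a Profile of Match/Not Matched narrows which hosts raise an Alarm and how a Manual Action creates the Alarm without executing any Activity.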
(Screenshot slides: Security Rules; Security Trigger (Filters); User/Host Profile; Security Action (Activities); Security Events; Security Trigger; Security Alarms.)
Security Device Integration
• Creation of new Syslog message mappings
• Customized security device integrations
• Incorporate new security devices into Security Rule development
(Screenshot slide: Security Event Parsers (System Settings).)
Admin Scans
Objectives
• Understand how to create and use admin scans
Admin Scans
• Mark Hosts At-Risk
o Manual
o Automatic
• Customized Web Page Presentation
o AUP Violation
o Isolation Page (i.e., Dead End)
o Policy Enforcement (No NATing Devices)
(Screenshot slides: Admin Scan Configuration (Policy Remediation Configuration, Policy); Admin Scan Configuration.)