Fabric
Use the Fabric pages to manage and configure FortiGate information for integration with FortiDeceptor. This includes blocking settings and Security Fabric status information. Blocking from FortiGate is an API call from FortiDeceptor which allows instant quarantine from FortiGate once an incident is detected. The quarantined IP is under user quarantine in the FortiGate GUI.
Fabric provides access to the following pages:
| FortiGate Integration | Configure the FortiGate settings for FortiDeceptor integration. |
| Quarantine Status | Status of blocked IP addresses. |
| IOC Export | Export the IOC file in CSV format for a specified time period. |
FortiGate Integration
Use Fabric > FortiGate Integration to configure FortiGate settings for integration with FortiDeceptor. FortiDeceptor uses FortiGate REST APIs to make quarantine calls when decoys are accessed. Attackers are immediately quarantined on the FortiGate for further analysis.
The following options are available:
| Severity level | Select the security level. The selected level and all levels above it are blocked. For example, if you select Medium, then medium, high, and critical levels are blocked. If you select Critical, then only the critical level is blocked. |
| Add new block configuration | Create a new FortiGate integration setting. |
| Update | Save the modified FortiGate integration setting to a configuration file. |
| Cancel | Discard current changes. |
| Edit | Edit the record. |
| Delete | Delete the record. |
| Test | Manually send quarantine request to the corresponding FortiGate. |
The following information is displayed:
| Name | Alias of the integrated FortiGate. |
| IP | IP address of the integrated FortiGate. |
| User | Username of the integrated FortiGate. |
| Password | Password of that username. |
Fabric
| Port | Port number of the integrated FortiGate REST API service. Default is 443. |
| Default Expiry | Default blocking time in second. Default is 3600 seconds. |
| Default VDOM | The default access VDOM of the integrated FortiGate. |
| Type | FortiGate (read-only value). |
| Enabled | Enable or disable the integration setting. |
Quarantine Status
The Fabric > Quarantine Status page displays the status of blocked and quarantined IP addresses. It also lets you manually block or unblock devices. The following options are available:
| Refresh | Refresh the page to get the latest data. |
| Block | Manually send a blocking request for the selected attacker IP addresses. |
| Unblock | Manually send an unblocking request for the selected attack IP addresses. |
The following information is displayed:
| Attacker IP | IP addresses of blocked attacker. |
| Start | Start time of blocking behavior. |
| End | End time of blocking behavior. |
| Handler Address | IP address of the integrated FortiGate. |
| Handler | The integrated device type. |
| Handle Type | Blocking type, manual, or automatic quarantine. |
| VDOM | VDOM of the integrated FortiGate. |
| Blocker Name | Alias of the FortiGate which blocks the AttackerIP address. This is the Name field in Fabric > FortiGate Integration. |
| Time Remaining | The remaining blocking time. |
| Status | Current status of the attacker. |
| Message | Related message for the blocking entry. |
IOC Export
Use the Fabric > IOC Export page to export the IOC file in CSV format for a specified time period. The CSV file can be processed by third party Threat Intelligence Platforms. The file contains the TimeStamp, Incident time, Attacker IP, related files, and WCF (Web Content Filtering) events. You can include MD5 checksums, WCF category, and reconnaissance alerts.