Enhancing Network Security with FortiGate-MISP Integration

Released: Jan. 18, 2025 | Categories: MISP Foritnet IntegrationService
Author: samuelgiger

Automated responses are becoming increasingly important in the fast-evolving IT landscape. To enhance security, there is the option to automatically block suspicious IPs.

In today's rapidly evolving threat landscape, proactive security measures are more critical than ever. By integrating FortiGate with the Malware Information Sharing Platform (MISP), organizations can significantly bolster their defenses. Automated blocking of detected threats can enhance the security of endpoints and prevent a possible attack. Many known suspicious IPs are shared, for example, via the MISP Project. After a connection is made, the log is forwarded and analyzed by a script that checks the IP in MISP. This approach ensures that traffic is neither delayed nor intercepted. However, if a suspicious connection is detected, it will not be able to reconnect. Through this integration, a streamlined auto-response is possible.
The project is available on GitHub: gigersam/IntegrationService_MISP_Fortigate.

App-Components

The project consists of two components:
Integration Service
Housekeeping Service

Integration Service

The Integration Service receives the log events from the Fortinet on port UDP/514 and parses the received messages. If the Rule ID with the Action (defined in Config.py TO_CHECK_OBJECTS) is received, the src-ip is checked to see if it is mentioned in any event on MISP. If it is in any record, the Service creates an address object on the FortiGate and adds the address object to the block rule. Due to a source negate on the rule, the IP address will no longer be able to access the Service.

Housekeeping Service

The Housekeeping Service checks if an address object is older than 3 months. If the object is older than 3 months, it is removed from the block address group and then deleted.
Due to some difficulties with automatically updating the MISP feeds, there is also a trigger to update the MISP feeds via the API.

Deployment

Disclaimer:
Please be advised that if an address object in FortiGate contains a comment with a timestamp in the format "YYYY-MM-DD HH:MM:SS.ssssss" (e.g., "2024-07-05 16:26:47.324178"), it may be subject to automatic deletion by the system. This behavior is due to the housekeeping logic that evaluates objects based on timestamps to identify outdated entries for cleanup.

To deploy the Integration Service, there are multiple options. In this post, we describe how to deploy it with Docker.
The complete configuration is done in the ./Config.py. The following configurations are required.

MISP:

MISP_SERVER = "IP"

The MISP_SERVER can be an IP address or an FQDN for the MISP server.

MISP_API_KEY = "API_KEY"

The MISP_API_KEY can be configured under Administration -> List Auth Keys -> Add authentication key.

MISP_FEED_UPDATE_CYCLE = 43200

The MISP_FEED_UPDATE_CYCLE defines how often the MISP feed update API gets triggered. Time needs to be in seconds (43200 seconds = 12 hours).

FortiGate:

BLOCK_GROUP_NAME = "BLOCK_GROUP_NAME"

The BLOCK_GROUP_NAME is the address object group used to disallow access.

TO_CHECK_OBJECTS = [["RULEID","ACTIONTYPE"]]

The TO_CHECK_OBJECTS specifies the Rule ID in which the address object group is assigned. Additionally, the ActionType is required to identify the right traffic to be checked.

FORTIGATE_SERVER = "IP"

The FORTIGATE_SERVER can be an IP address or an FQDN for the FortiGate.

FORTIGATE_API_KEY = "API_KEY"

The FORTIGATE_API_KEY can be configured under System -> Administrators -> Create New -> REST API Admin. The API user only needs access to Firewall -> Address. To reduce API user access, the IP of the service host can be added under Trusted Hosts to enhance security.

FORTIGATE_ADDRESS_OBJECTS_REMOVE_CYCLE = 43200

The FORTIGATE_ADDRESS_OBJECTS_REMOVE_CYCLE defines how often the MISP feed update API gets triggered. Time needs to be in seconds (43200 seconds = 12 hours).


After adding all the required Config-Objects, a copy of Config.py is needed in each app (e.g., app/Config.py and housekeeping/Config.py).

To deploy the service, use docker-compose. Run the following command directly in the directory where the docker-compose.yml file is located.
bash:

docker-compose up --build

After building the Docker container, the logs of the FortiGate need to be forwarded to the Service.
To forward the logs, a syslog server needs to be configured. Due to the custom port, configuration via the CLI is easier. Log in to the FortiGate via SSH or use the Web CLI and run the following command. Be aware that there are only 4 possible syslogd configurations available, and do not override an existing configuration! You may need to change the syslogd[1-3]!

config log syslogd setting
    set status enable
    set server "IP-OF-INTEGRATION-SERVICE-HOST"
    set port 8514
end

After the correct configuration, some IP addresses should be added to the FortiGate if suspicious access occurs.

Don't hesitate to contact me if you have any questions or requests.