FortiGate Out-of-the-box Response Integration

Notes
To learn more about Out-of-the-box Integrations and their benefits, please refer to this article.
This article shows how to create external block lists in FortiGate by Fortinet that are populated automatically with the adversaries Lumu detects in your infrastructure.

Requirements

  • FortiGate by Fortinet version 6.2 or higher.
  • A Lumu Defender subscription.

Add Integration

1. Log in to your Lumu account through the Lumu Portal, navigate to the Integrations screen and select “Response”.


2. Locate the FortiGate integration in the available apps area and then click “Add”.


3. Familiarize yourself with the integration details available in the app description and click Activate (1) to continue with the integration.


4. Select the Threat Feeds (1) mode in the Activate Integration window. Then give the integration a distinctive Name and select the Threat Types you want to include. If needed, you can also generate block lists for IPs and Hashes by enabling their corresponding toggles. When done, click Activate.

5. Once you create the integration, you will be provided with configuration keys to block domains, URLs, and IP addresses, along with the integration URLs. You will use these to configure the threat feeds within Fortinet’s environment.

Notes
Deleting an integration removes its URLs. This action cannot be undone. To reintegrate, you will have to configure the integration again and update your FortiGate configuration.

Set Up FortiGate

Now that you have the integration URLs, you need to configure your FortiGate instance. First, make sure the External Connectors module is enabled. Once the module is active, you can create a Threat Feed under Security Fabric > New External Connector.


You can add a new FortiGuard Category or a new IP Address Threat Feed based on the configuration keys given when you configured the integration.

Add a FortiGuard Category Threat Feed

1. Under External Connectors > Threat Feeds, select FortiGuard Category.

2. In the Connector Settings section, Domains & URLs subsection, add the Domains & URLs URL provided by Lumu as the “URL of external resource.”

3. Configure the refresh interval of the connector. This interval must be entered as a value in minutes. Lumu advises setting it as 360 minutes (6 hours).


Add an IP Address Threat Feed

1. Under External Connectors > Threat Feeds, select IP Address.

2. In the Connector Settings section, add the Compromised IPs URL provided by Lumu as the “URL of external resource.”

3. Configure the refresh interval of the connector. This interval must be entered as a value in minutes. Lumu advises setting it as 360 minutes (6 hours).
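The two connectors described above can also be created from the FortiOS CLI, which is useful for scripting or for checking what the GUI produced. The following is an added example and not part of the original article: the connector names are chosen here, the two URLs are placeholders for the ones Lumu provides for your integration, and category 192 is assumed to be a free slot in the range FortiOS reserves for custom threat-feed categories.

```text
# Added example: equivalent of the GUI steps above, entered in the FortiOS CLI.
config system external-resource
    # FortiGuard Category feed fed by the Lumu Domains & URLs list
    edit "Lumu-Domains-URLs"          # hypothetical connector name
        set status enable
        set type category
        set category 192              # assumed free custom category slot
        set resource "https://<LUMU-DOMAINS-URLS-URL>"   # placeholder, use the URL from step 5
        set refresh-rate 360          # minutes; 6 hours as Lumu advises
    next
    # IP Address feed fed by the Lumu Compromised IPs list
    edit "Lumu-Compromised-IPs"       # hypothetical connector name
        set status enable
        set type address
        set resource "https://<LUMU-COMPROMISED-IPS-URL>"  # placeholder, use the URL from step 5
        set refresh-rate 360          # minutes; 6 hours as Lumu advises
    next
end
```

After the first refresh, `diagnose sys external-resource` shows whether each resource was fetched successfully and how many entries it currently holds, which is the quickest way to confirm the URLs are correct before referencing the feeds in a Web Filter profile or Firewall Policy.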


4. Add the URLs and domains to be blocked by creating a new, or editing an existing, Web Filter profile and Firewall Policy.




5. Create a new Firewall Policy to block IP addresses from the Lumu IP threat feed.


Further steps

Bear in mind that the configuration of the policy is highly dependent on your environment’s characteristics and must be done according to your business needs. For more information on how to carry out this procedure, please refer to FortiGate’s official documentation.

