Kaspersky Next XDR Expert

Responding through FortiGate

FortiGate is a solution providing the following means of protection for your corporate network:

  • Firewall—Filters network traffic and prevents unauthorized access.
  • Intrusion and attack protection—Identifies and blocks suspicious actions.
  • Web filtering—Restricts user access to websites that you consider unwanted.
  • Malware protection—Prevents malware infections.
  • Email filtering—Blocks spam messages and suspicious emails.

FortiGate version 7.6.0 is supported.

You can respond to alerts and incidents through FortiGate if you have configured integration between Kaspersky Next XDR Expert and a script launch service, and have created a playbook that launches the response script. When the playbook runs, FortiGate blocks IP addresses, URLs, or domain names, depending on the action that you specified when creating the playbook.

Blocking is not reverted automatically. To unblock IP addresses, URLs, or domain names that the script has blocked, you have to create and launch another playbook.

You can download the script by clicking the following link:

Download script

The env.sample configuration file defines the parameters used to access FortiGate: the login, password, and API key. Copy this file to a new ENV file that you create, and then specify the actual values in the new file. Because the new file holds credentials that can change firewall policy, restrict read access to it to the account that runs the script and keep it out of version control.

Python 3.10 is required to run the script.
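To make concrete what a response script of this kind has to do (read the ENV file, validate the indicator, and turn a block or unblock action into a FortiGate REST call), here is an added example. It is not Kaspersky's downloadable script and not FortiGate's own tooling: the ENV parameter names (FORTIGATE_HOST, FORTIGATE_API_KEY, FORTIGATE_URLFILTER_ID), the FortiOS REST paths and payload fields, and the sample ENV content are all assumptions made for illustration, and only API-key authentication is shown, not the login and password from env.sample.

```python
# Added example of a FortiGate response helper; not Kaspersky's script. Parameter names,
# REST paths and payload fields are assumptions about a FortiOS 7.x REST API.
import ipaddress
import json
import re
import ssl
import urllib.request
from urllib.parse import quote

# Hypothetical ENV parameter names; the real env.sample may name them differently.
REQUIRED = ("FORTIGATE_HOST", "FORTIGATE_API_KEY", "FORTIGATE_URLFILTER_ID")
ADDRESS_PATH = {4: "/api/v2/cmdb/firewall/address", 6: "/api/v2/cmdb/firewall/address6"}
DOMAIN_RE = r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}"
URL_RE = r"(?:https?://)?[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s\"'<>]*)?"


def load_env(text: str) -> dict:
    """Parse dotenv-style KEY=VALUE lines and refuse to run if a required parameter is missing."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        env[key.strip()] = value.strip().strip("\"'")
    missing = [k for k in REQUIRED if not env.get(k)]
    if missing:
        raise ValueError("missing parameters: " + ", ".join(missing))
    return env


def classify(indicator: str):
    """Return ('ip', 4|6), ('domain', None) or ('url', None). Anything else (address ranges,
    wildcards, stray characters) is rejected before it can reach the firewall."""
    try:
        return "ip", ipaddress.ip_address(indicator).version
    except ValueError:
        pass
    try:
        ipaddress.ip_network(indicator, strict=False)  # "10.0.0.0/8" would parse here
    except ValueError:
        pass
    else:
        raise ValueError(f"address ranges are not supported, block single addresses: {indicator!r}")
    if re.fullmatch(DOMAIN_RE, indicator.lower()):
        return "domain", None
    if "/" in indicator and re.fullmatch(URL_RE, indicator):
        return "url", None
    raise ValueError(f"not an IP address, domain name or URL: {indicator!r}")


def object_name(indicator: str) -> str:
    """Deterministic address-object name, so an unblock run can find what the block run created."""
    return ("xdr_block_" + re.sub(r"[^A-Za-z0-9.-]", "_", indicator))[:79]  # assumed name length limit


def find_url_entry(listing: dict, url: str):
    """Pick the numeric entry id for `url` out of a GET .../urlfilter/<id>/entries response."""
    for entry in listing.get("results", []):
        if entry.get("url") == url:
            return entry["id"]
    return None


def build_request(action: str, indicator: str, env: dict, url_entry_id=None) -> dict:
    """Plan one REST call as {method, path, body}. Assumed layout: IPs and domains become
    firewall address objects, URLs become entries of the URL filter list in FORTIGATE_URLFILTER_ID."""
    if action not in ("block", "unblock"):
        raise ValueError(f"unknown action: {action!r}")
    kind, version = classify(indicator)
    if kind == "url":
        base = f"/api/v2/cmdb/webfilter/urlfilter/{quote(env['FORTIGATE_URLFILTER_ID'], safe='')}/entries"
        if action == "block":
            return {"method": "POST", "path": base,
                    "body": {"url": indicator, "type": "simple", "action": "block", "status": "enable"}}
        if url_entry_id is None:  # entries are keyed by id: GET the list and use find_url_entry first
            raise ValueError("unblocking a URL requires url_entry_id (see find_url_entry)")
        return {"method": "DELETE", "path": f"{base}/{int(url_entry_id)}", "body": None}
    base, name = ADDRESS_PATH[version or 4], object_name(indicator)
    if action == "unblock":
        return {"method": "DELETE", "path": f"{base}/{quote(name, safe='')}", "body": None}
    if kind == "domain":
        body = {"name": name, "type": "fqdn", "fqdn": indicator}
    elif version == 4:
        body = {"name": name, "type": "ipmask", "subnet": f"{indicator} 255.255.255.255"}
    else:
        body = {"name": name, "type": "ipprefix", "ip6": f"{indicator}/128"}
    return {"method": "POST", "path": base, "body": body}


def send(req: dict, env: dict, verify_tls: bool = True) -> dict:
    """Execute a planned call with API-key (bearer) authentication. Not exercised offline.
    Keep TLS verification on; trust the unit's certificate explicitly rather than disabling checks."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only acceptable against a lab unit with a self-signed certificate
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    data = json.dumps(req["body"]).encode() if req["body"] is not None else None
    http = urllib.request.Request(
        f"https://{env['FORTIGATE_HOST']}{req['path']}", data=data, method=req["method"],
        headers={"Authorization": f"Bearer {env['FORTIGATE_API_KEY']}", "Content-Type": "application/json"})
    with urllib.request.urlopen(http, context=ctx, timeout=15) as resp:
        return json.loads(resp.read() or b"{}")


# Constructed sample ENV content (the shape of a file copied from env.sample and filled in).
SAMPLE_ENV = """# copied from env.sample and filled in
FORTIGATE_HOST=fortigate.example.internal
FORTIGATE_API_KEY="replace-with-rest-api-admin-key"
FORTIGATE_URLFILTER_ID=1
"""

if __name__ == "__main__":
    env = load_env(SAMPLE_ENV)
    for ind in ("203.0.113.10", "2001:db8::1", "malicious.example", "http://malicious.example/payload.bin"):
        print(json.dumps(build_request("block", ind, env)))
```

The strict `classify` step is the part worth copying: the indicator comes straight from alert data, so the script should refuse anything it cannot positively identify instead of passing it through to the firewall. Unblocking a URL is deliberately two calls (list, then delete by id), because filter entries are not addressable by URL.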

To perform a response action through FortiGate, you must have one of the following XDR roles: Main administrator, Tenant administrator, Junior analyst, Tier 1 analyst, or Tier 2 analyst.

To launch a script for responding through FortiGate:

  1. In the main menu, go to the Monitoring & reporting section, and then in the Alerts or Incidents section, click the ID of the required alert or incident.
  2. Click the Select playbook button, and then in the window that opens, select the playbook that you created for responding through FortiGate.
  3. Click the Launch button.

    The selected playbook launches the script for responding through FortiGate.

    If the operation completes successfully, a corresponding message is displayed on the screen. Otherwise, an error message is displayed.

The result of the playbook launch is available in the alert or incident details, on the History tab.