You must have the "Firewall" integrations license pack to use this feature.
You can integrate Fortinet FortiAnalyzer with Sophos Central so that it sends reports to Sophos for analysis.
This is an API-based integration. You'll need details of a FortiAnalyzer administrator's username, password, and administrative domain, as well as the FortiAnalyzer base URL.
The key steps are as follows:
- Create an administrator in FortiAnalyzer.
- Get the base URL for FortiAnalyzer.
- Add an integration in Sophos Central.
Your FortiAnalyzer base URL must have a publicly resolvable DNS name, or the API can't work.
You can't use a self-signed certificate with this API either.
Create a FortiAnalyzer administrator
To create an administrator, do as follows:
In FortiAnalyzer, go to System Settings > Admin > Administrators.
Create an administrator with JSON API Read access.
In the administrator's profile you must set the Incidents & Events/FortiSOC permission to Read Only.
Keep a note of the username, password, and administrative domain. You need them when you add the integration.
For details, see Creating administrators.
Get the FortiAnalyzer base URL
Check the FortiAnalyzer base URL that Sophos Central should connect to.
The base URL format is as follows:
Copy the base URL. You need it when you add the integration.
Add an integration
To integrate FortiAnalyzer with Sophos Central, do as follows:
- In Sophos Central, go to Threat Analysis Center and click Integrations.
If you've already set up integrations of this type, you see them here.
In Integrations, click Add.
If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.
In Integration steps, you configure an API to collect data from FortiAnalyzer:
- Enter the Integration name and Integration description.
- Enter the Authentication details from FortiAnalyzer: Administrative domain, username, password, and base URL.
We create the integration and it appears in your list.
If your integration shows as Connected, your data should appear in the Sophos Data Lake after validation.
Sophos IP addresses
The IP addresses we use to reach your FortiAnalyzer are as follows:
You might want to add these addresses to the allow lists in your network infrastructure.