FortiDeceptor – Fabric


Use the Fabric pages to manage and configure FortiGate information for integration with FortiDeceptor. This includes blocking settings and Security Fabric status information. Blocking from FortiGate is an API call from FortiDeceptor which allows instant quarantine from FortiGate once an incident is detected. The quarantined IP is under user quarantine in the FortiGate GUI.

Fabric provides access to the following pages:

FortiGate Integration Configure the FortiGate settings for FortiDeceptor integration.
Quarantine Status Status of blocked IP addresses.
IOC Export Export the IOC file in CSV format for a specified time period.

FortiGate Integration

Use Fabric > FortiGate Integration to configure FortiGate settings for integration with FortiDeceptor. FortiDeceptor uses FortiGate REST APIs to make quarantine calls when decoys are accessed. Attackers are immediately quarantined on the FortiGate for further analysis.

The following options are available:

Severity level Select the security level. The selected level and all levels above it are blocked. For example, if you select Medium, then medium, high, and critical levels are blocked. If you select Critical, then only the critical level is blocked.
Add new block configuration Create a new FortiGate integration setting.
Update Save the modified FortiGate integration setting to a configuration file.
Cancel Discard current changes.
Edit Edit the record.
Delete Delete the record.
Test Manually send quarantine request to the corresponding FortiGate.

The following information is displayed:

Name Alias of the integrated FortiGate.
IP IP address of the integrated FortiGate.
User Username of the integrated FortiGate.
Password Password of that username.


Port Port number of the integrated FortiGate REST API service. Default is 443.
Default Expiry Default blocking time in second. Default is 3600 seconds.
Default VDOM The default access VDOM of the integrated FortiGate.
Type FortiGate (read-only value).
Enabled Enable or disable the integration setting.

Quarantine Status

The Fabric > Quarantine Status page displays the status of blocked and quarantined IP addresses. It also lets you manually block or unblock devices. The following options are available:

Refresh Refresh the page to get the latest data.
Block Manually send a blocking request for the selected attacker IP addresses.
Unblock Manually send an unblocking request for the selected attack IP addresses.

The following information is displayed:

Attacker IP IP addresses of blocked attacker.
Start Start time of blocking behavior.
End End time of blocking behavior.
Handler Address IP address of the integrated FortiGate.
Handler The integrated device type.
Handle Type Blocking type, manual, or automatic quarantine.
VDOM VDOM of the integrated FortiGate.
Blocker Name Alias of the FortiGate which blocks the AttackerIP address. This is the Name field in Fabric > FortiGate Integration.
Time Remaining The remaining blocking time.
Status Current status of the attacker.
Message Related message for the blocking entry.

IOC Export

Use the Fabric > IOC Export page to export the IOC file in CSV format for a specified time period. The CSV file can be processed by third party Threat Intelligence Platforms. The file contains the TimeStamp, Incident time, Attacker IP, related files, and WCF (Web Content Filtering) events. You can include MD5 checksums, WCF category, and reconnaissance alerts.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos