Skip to main content

Fortigate Address Groups (Fortinet)

The  FortiOS integration allows Knocknoc to dynamically add and remove user's source IP from a named address group. This address group can then be used in whatever Firewall rule you like, opening up many possibilities for securing access to systems behind Fortigate firewalls or to services on the Fortigate firewalls themselves, such as remote-management or the VPN ports/services. Knocknoc can also provide external dynamic lists (EDLs), which allows for a Passive orchestration approach.

Knocknoc supports both FortiGate and FortiManager.

Active or Passive orchestration

Active - Knocknoc's Fortinet orchestration capability utilises the Forti API to actively manage the device, inserting and removing IP addresses as part of the Knocknoc Grant process. This is an active, near-real-time approach that provides the best user experience. Permissions are limited to address-groups edit only. Broad API access/permissions are not required. Knocknoc manages the IP lists and address groups, but not the policy, users/permissions nor other firewall settings, reducing exposure to inadvertent change or configuration errors.

Passive - Knocknoc's Allowlist feature provides a passive integration with firewalls that support External Dynamic Lists or EDLs.  This feature pulls from the Knocknoc server a list of IPs of authenticated users, in the correct group/for the assigned firewall policy. The drawback of this feature is that the list can only be fetched every 1 minute in the case of a Fortinet.

Active (via Forti API)

Requirements

  • FortisOS 7+
  • An API key, along with the relevant rules to allow your agent to connect to the Fortigate api for that key (see below).
  • VDOM name if you are using vdoms
  • Agent version 1.6.0+ (April 2025)

Knoc configuration

Select the "Firewalls / Appliances" Knoc configuration, selecting "Active"

Screenshot 2025-04-10 at 15.23.25.png.Screenshot 2025-04-10 at 15.24.48.png

Follow the prompts, as below:

  1. The Authorization token can be generated within the Fortinet by following these steps here.
  2. The Address group is the relevant group you want to link within a firewall policy, each Knoc adds addresses to a different group for use within the firewall policy set. The Prefix is the address prefix, we recommend "kk_" so you know that address within the address-group is managed dynamically by Knocknoc.

Screenshot 2025-04-10 at 15.24.28.png

The authorisation token  is obtained by creating a user with read/write Firewall permissions, as below. Note that no other permissions are required.

image.png image.png

More information on the token and Forti API can be found by following the official documentation.

If you are using a VDOM, please put the name of it here. If you are not using a VDOM, please remove this option from the ini file.

Testing it out

If you allocate this Knoc to a user/group of users, they will be added to the Fortinet address-group on login. And be removed again on logout. Addresses are saved for reuse.

image (16).png

You can see at the top the kk_ address is added, and at the bottom the knocknoc address group contains this address.

Note that the Address Group names can be case sensitive! 

Passive (EDL or AllowList)

Requirements

  • FortisOS 7+ Admin login
  • HTTPS access from the Fortinet to the relevant Knocknoc Server publishing the AllowList

Knoc configuration

Select Passive in the Knoc configuration. Note that no Agent is required for this configuration as the Server is publishing/hosting the Allowlist.

Screenshot 2025-04-10 at 15.26.51.png

Set an API key name, and define any IP allowlisting restrictions on the API key-use. Naturally we recommend removing the "entire Internet" rules.

Screenshot 2025-04-10 at 15.38.54.png

Be mindful of the IP address restrictions, by default it will allow the entire v4/v6 Internet.

Copy the API key/token that is displayed, you will not be able to recover this after it has been shown.

Screenshot 2025-04-10 at 15.40.48.png

Copy the API key and store this for future use.

Fortinet config

Log in to the Fortinet web ui.

Visit the Security Fabric -> External Connectors page. Select +Create New

image.png

Select "IP Address"

image.png

Type in a meaningful name and choose "External feed" for the update method:

image.png

Copy/paste the URL of external resource from Knocknoc->ACL

Screenshot 2025-04-10 at 15.41.26.png

You can also see the URI for this Passive Allowlist/EDL by clicking on the Knoc:

Screenshot 2025-04-10 at 15.42.07.png

Paste the API key you copied earlier in to the Password field. The username can be "apikey".

Set the refresh rate to 1 minute, or as suited.

image.png

Clicking "View Entries" will show the current IP addresses in the list, which are managed by Knocknoc.

Firewall Policy 

Select Policy & Objects -> Firewall Policy

Create New Policy, then choose Accept and change the Source to be the Imported & Dynamic Address

image.png

Final step

To complete the process, assign the ACL to the relevant Users or Groups, and your users are ready to log in and receive their access.

When your user logs in they will see "Published". Once the Fortinet polls the EDL it will update to "Read"

image.png image.png

You now have dynamic IP addresses being read in by the Fortinet without active orchestration.