
Fortigate Address Groups (Fortinet)

The FortiOS integration allows Knocknoc to dynamically add and remove a user's source IP from a named address group. That address group can then be referenced in whatever firewall policy you like, which opens up many possibilities for securing access to systems behind FortiGate firewalls, or to services on the FortiGate itself such as remote management or the VPN ports/services.

Knocknoc supports both FortiGate and FortiManager.

Active or Passive orchestration

Active - Knocknoc's Fortinet back-end uses the FortiOS REST API to actively orchestrate the device, inserting and removing IP addresses as part of the Knocknoc grant process.

Passive - Knocknoc's Allowlist feature provides a very powerful integration with firewalls that support External Dynamic Lists (EDLs). The firewall pulls from the Knocknoc server a list of the IPs of authenticated users in the correct group for the assigned firewall policy. The drawback is latency: a FortiGate can fetch the list at most once per minute, so a login (or a logout) can take up to a minute to take effect on the firewall.

Active (via FortiOS API)

Requirements

  • FortiOS 7+
  • A REST API key (token), plus whatever trusted-host or firewall rules are needed for the agent to reach the FortiGate API with that key.
  • The VDOM name, if you are using VDOMs.

Agent config

On a machine (e.g. a Linux box) that can reach the FortiGate API on the admin interface, install the Knocknoc Agent.

Then edit the ini file at /opt/knocknoc-agent/etc/fortios.ini (before version 7.3.1 it lived under /scripts/ instead):

BEARER_TOKEN=
FORTIOS_URL=https://IP_GOES_HERE:10443
VDOM=VDOM_GOES_HERE_OPTIONAL
PREFIX=kk_

The BEARER_TOKEN is the token of a REST API administrator: create an administrator profile with read/write permission on Firewall only, then a REST API admin that uses that profile, as below. No other permissions are required, so keep the profile that narrow.

[screenshots]

More information on the token and the FortiOS REST API can be found in Fortinet's official documentation.

FORTIOS_URL is the FortiGate's HTTPS admin interface; adapt the IP and the port (10443 above) to match your admin HTTPS port.

If you are using a VDOM, set VDOM to its name. If you are not using VDOMs, remove this line from the ini file.

PREFIX is prepended to the names of the address objects Knocknoc creates, so it is clear in the FortiGate config that Knocknoc manages them. Adapt it to whatever will be clear in your environment.

Knocknoc Admin Config

If you added a new agent, make sure it is enrolled in the admin section by verifying that its version is shown and its heartbeat time is recent.

Then add a new Backend like so:

[screenshot]

Then add a new ACL like so:

[screenshot]

This updates the SSL VPN address group with the Knocknoc user's IP once they authenticate.
Add as many ACLs as you have address groups in FortiOS.

Testing it out

If you allocate this ACL to a group of users, then on login each user's source IP is added to the FortiGate address group named in the ACL, and on logout it is removed again. The address objects themselves are kept for reuse; only their membership of the relevant group changes.

It looks a bit like this when it works:

[screenshot]

At the top you can see the kk_ address object being added, and at the bottom the knocknoc address group now contains that address.

Note that address group names are case sensitive: the ACL name must match the FortiGate address group name exactly.
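To make the Active flow concrete, here is an added example (my code, not the Knocknoc agent's) of the FortiOS REST API calls such an orchestrator makes: create a prefixed host address object for the validated session IP if it does not exist yet, add it to the named address group on grant, and remove it from the group on revoke while leaving the object in place for reuse. It assumes FortiOS 7.x, the /api/v2/cmdb firewall/address and firewall/addrgrp endpoints, a REST API admin bearer token with Firewall read/write, and a group that already holds one static member (FortiOS address groups cannot be left empty, so revoke never removes the last member). The URL, token and group name are placeholders, and FakeFortiGate is a constructed in-memory stand-in so the example runs offline.

```python
"""Added example, not Knocknoc's agent code: the FortiOS 7.x REST API calls an
orchestrator makes to grant and revoke a user's source IP in an address group.
Assumes the /api/v2/cmdb/firewall/address and firewall/addrgrp endpoints, a REST
API admin bearer token with Firewall read/write, and a group that already holds
one static member. URL, token and group name are placeholders; FakeFortiGate is
a constructed stand-in for offline runs."""
import ipaddress
import json
from urllib.error import HTTPError
from urllib.parse import quote, unquote, urlencode, urlparse
from urllib.request import Request, urlopen


class FortiGateOrchestrator:
    def __init__(self, base_url, token, vdom=None, prefix="kk_", transport=None):
        self.base_url = base_url.rstrip("/")
        self.token = token
        self.vdom = vdom                 # leave None on a FortiGate without VDOMs
        self.prefix = prefix
        self.transport = transport or self._http   # swap in a fake for offline tests

    def _http(self, method, url, body):
        """Real transport: bearer-token HTTPS call; TLS is verified by default."""
        data = json.dumps(body).encode() if body is not None else None
        req = Request(url, data=data, method=method)
        req.add_header("Authorization", f"Bearer {self.token}")
        req.add_header("Content-Type", "application/json")
        try:
            with urlopen(req, timeout=10) as resp:
                return resp.status, json.load(resp)
        except HTTPError as err:
            return err.code, {}

    def _call(self, method, path, body=None):
        url = f"{self.base_url}/api/v2/cmdb/{path}"
        if self.vdom:
            url += "?" + urlencode({"vdom": self.vdom})
        return self.transport(method, url, body)

    def _validate(self, ip):
        # The IP comes from a user session: parse it, never splice the raw string.
        addr = ipaddress.IPv4Address(ip)        # ValueError on anything else
        if addr.is_multicast or addr.is_unspecified or addr.is_loopback:
            raise ValueError(f"refusing to allowlist {addr}")
        return addr

    def _members(self, group):
        status, data = self._call("GET", f"firewall/addrgrp/{quote(group, safe='')}")
        if status != 200:
            raise RuntimeError(f"group {group!r} not found (HTTP {status}); "
                               "group names are case sensitive")
        return [m["name"] for m in data["results"][0]["member"]]

    def grant(self, ip, group):
        addr = self._validate(ip)
        name = f"{self.prefix}{addr}"
        status, _ = self._call("GET", f"firewall/address/{quote(name, safe='')}")
        if status == 404:                # create the /32 host object once; it is kept for reuse
            self._call("POST", "firewall/address",
                       {"name": name, "type": "ipmask", "subnet": f"{addr} 255.255.255.255"})
        members = self._members(group)
        if name not in members:          # idempotent across repeated logins
            self._call("PUT", f"firewall/addrgrp/{quote(group, safe='')}",
                       {"member": [{"name": m} for m in members + [name]]})
        return name

    def revoke(self, ip, group):
        name = f"{self.prefix}{self._validate(ip)}"
        members = [m for m in self._members(group) if m != name]
        self._call("PUT", f"firewall/addrgrp/{quote(group, safe='')}",
                   {"member": [{"name": m} for m in members]})
        return name                      # the address object itself stays for reuse


class FakeFortiGate:
    """Constructed in-memory stand-in for the API, keeping the same two tables."""
    def __init__(self, groups):
        self.addresses, self.groups = {}, {g: list(m) for g, m in groups.items()}

    def __call__(self, method, url, body):
        parts = urlparse(url).path.split("/api/v2/cmdb/", 1)[1].split("/")
        table = parts[1]                                  # firewall/<table>[/<key>]
        key = unquote(parts[2]) if len(parts) > 2 else None
        store = self.addresses if table == "address" else self.groups
        if method == "GET":
            if key not in store:
                return 404, {}
            item = ({"name": key, "member": [{"name": m} for m in store[key]]}
                    if table == "addrgrp" else store[key])
            return 200, {"results": [item]}
        if method == "POST":
            store[body["name"]] = body
            return 200, {"status": "success"}
        if method == "PUT":
            store[key] = [m["name"] for m in body["member"]]
            return 200, {"status": "success"}
        return 405, {}
```

Construct `FortiGateOrchestrator("https://192.0.2.1:10443", token, vdom="root")` without a transport to talk to a real unit; pass `transport=FakeFortiGate({"knocknoc_sslvpn": ["none"]})` to dry-run it. A group name that does not match the FortiGate's exactly (including case) surfaces as a RuntimeError from the GET rather than a silent no-op, which is the check worth having given the note above.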

Passive (AllowList)

Requirements

  • FortiOS 7+ admin login
  • HTTPS access from the FortiGate to the Knocknoc server publishing the AllowList

Knocknoc ACL and API Key

Log in to Knocknoc as an Admin and create an AllowList Backend:

[screenshot]

Create the ACL and choose the relevant AllowList backend:

[screenshot]

Create an API key and associate it with the chosen ACL / Allowlist(s):

[screenshot]

Be mindful of the IP address restrictions on the key: by default it allows the entire IPv4/IPv6 Internet to fetch the list. Restrict it to the source address(es) the FortiGate will poll from.

Copy the API key and store it for future use.

Fortinet config

Log in to the FortiGate web UI.

Go to Security Fabric -> External Connectors and select +Create New.

[screenshot]

Select "IP Address"

[screenshot]

Type in a meaningful name and choose "External feed" for the update method:

[screenshot]

Copy/paste the URL of the external resource from Knocknoc -> ACL.

[screenshot]

Paste the API key you copied earlier into the Password field. The username can be "apikey".

Set the refresh rate to 1 minute (the minimum), or as suits you; this bounds how long a login or logout takes to reach the firewall.

[screenshot]

Clicking "View Entries" shows the current IP addresses in the list, which are managed by Knocknoc.
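To check what the FortiGate will actually load, here is an added example (my code, not Knocknoc's or Fortinet's) that fetches the AllowList the way the external connector does, with HTTP basic auth using the username apikey and the API key as the password, and then validates each line against what an IP-address feed accepts: one IPv4/IPv6 address or subnet per line, with # comments and blank lines ignored. The feed URL is a placeholder and SAMPLE_FEED is constructed; an entry wider than a single host is flagged because a list of authenticated users should contain only host addresses.

```python
"""Added example, not Knocknoc's or Fortinet's code: fetch a Knocknoc AllowList
the way the FortiGate external connector does and sanity-check its entries.
The feed URL is a placeholder; SAMPLE_FEED is constructed for offline use."""
import base64
import ipaddress
import urllib.request


def fetch_allowlist(url, api_key, timeout=10):
    """Same request the connector makes on each refresh: HTTPS with basic auth,
    username "apikey", the API key as the password. TLS is verified by default."""
    req = urllib.request.Request(url)
    creds = base64.b64encode(f"apikey:{api_key}".encode()).decode()
    req.add_header("Authorization", f"Basic {creds}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def parse_allowlist(text):
    """Split a feed into (accepted, rejected). Accepted entries are IPv4/IPv6
    addresses or subnets normalised to CIDR; '#' comments and blank lines are
    skipped; anything else is returned raw so a human can look at it."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            accepted.append(str(ipaddress.ip_network(line, strict=False)))
        except ValueError:
            rejected.append(raw)
    return accepted, rejected


def wider_than_host(accepted):
    """An allowlist of authenticated users should hold only /32 or /128 entries;
    anything broader widens the firewall policy and deserves a look."""
    nets = [ipaddress.ip_network(e) for e in accepted]
    return [str(n) for n in nets if n.prefixlen != n.max_prefixlen]


SAMPLE_FEED = """# constructed sample, not a real Knocknoc feed
203.0.113.7
198.51.100.0/24   # a subnet: legal in the feed, but not a single user
2001:db8::1

not-an-ip
"""


def check_feed(text=SAMPLE_FEED):
    """Run the checks over a feed body (the sample by default, or fetch_allowlist() output)."""
    accepted, rejected = parse_allowlist(text)
    return {"accepted": accepted, "rejected": rejected, "broad": wider_than_host(accepted)}
```

Run `check_feed(fetch_allowlist(url, api_key))` from a host whose source IP is permitted by the API key's restriction; if the key is locked down to the FortiGate's address, as it should be, the fetch from elsewhere will be refused, which is itself a useful confirmation.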

Firewall Policy 

Go to Policy & Objects -> Firewall Policy.

Create a new policy, set the action to ACCEPT and change the Source to the connector you just created, listed under Imported & Dynamic Address.

[screenshot]

Final step

To complete the process, assign the ACL to the relevant Users or Groups, and your users are ready to log in and receive their access.

When a user logs in, the ACL shows "Published":

[screenshot]

and once the FortiGate has polled the EDL it changes to "Read":

[screenshot]

You now have dynamic IP addresses being read in by the FortiGate without active orchestration.