
FortiGate Address Groups as ACLs

Released for wider testing in version 1.0.34 of the Knocknoc agent, the FortiOS integration lets Knocknoc dynamically add a user's source IP to a named address group when they log in and remove it again when they log out. That address group can then be referenced by any firewall policy you like, which opens up many options for gating access to systems behind FortiGate firewalls.

Requirements

  • FortiOS 7+
  • A REST API token, plus whatever access rules that API user needs (admin profile, trusted hosts) so the agent can reach the FortiGate API with it.
  • The VDOM name, if you are using VDOMs.

Agent config

On a machine (for example a Linux box) that can reach the FortiGate API on the management interface, install the Knocknoc agent.

Then edit the ini file at /opt/knocknoc-agent/scripts/fortios.ini

Fill out the relevant details:

BEARER_TOKEN=
FORTIOS_URL=https://IP_GOES_HERE:10443
VDOM=VDOM_GOES_HERE_OPTIONAL
PREFIX=kk_

You can generate the token for a REST API admin user in the FortiGate admin interface; see Fortinet's documentation for the steps.

The URL and port can be adapted to suit your setup.

If you are using a VDOM, put its name here. If you are not using a VDOM, remove the VDOM line from the ini file entirely.

The prefix is prepended to the address object names so it is obvious which addresses Knocknoc manages. Change it to whatever is clear in your environment.

Knocknoc Admin Config

If you added a new agent, first confirm it is enrolled in the admin section by checking that its version is shown and its last heartbeat time is recent.

Then add a new Backend like so:

[Screenshot: new Backend form]

Then add a new ACL like so:

[Screenshot: new ACL form]

That ACL updates the SSLVPN address group with the Knocknoc user's IP once they authenticate.
Add as many ACLs as you have address groups in FortiOS.

Testing it out

If you allocate this ACL to a group of users, each user's source IP is added to the address group named in the ACL on login and removed again on logout. The address objects are kept for reuse rather than deleted, and adding or removing them from the relevant address group is idempotent, so a repeated login or logout does not create duplicate members or errors.
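The login/logout behaviour just described, as an added example that is not the Knocknoc agent's own code: a small Python client that reads the fortios.ini shown above, creates the kk_<ip> address object on first use and reuses it afterwards, and adds or removes it from the group without duplicating members or failing when the group is already in the desired state. It assumes FortiOS 7's REST endpoints /api/v2/cmdb/firewall/address and /api/v2/cmdb/firewall/addrgrp, bearer-token auth, and IPv4 addresses only; FakeFortiGate is a constructed in-memory stand-in so the file runs offline. On a real unit the API user's admin profile needs read/write on firewall address objects and groups.

```python
"""Idempotent address-group updates over the FortiOS REST API. Added example, not
the Knocknoc agent's own code. Assumes the FortiOS 7 cmdb endpoints firewall/address
and firewall/addrgrp with bearer-token auth, the ini keys shown on this page, and
IPv4 only. FakeFortiGate is a constructed in-memory stand-in, not a real unit."""
import configparser
import ipaddress
import json
import urllib.error
import urllib.request
from urllib.parse import quote, unquote, urlencode


def load_ini(text):
    """Parse the section-less fortios.ini; VDOM is optional, PREFIX defaults to kk_."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep the upper-case keys exactly as written
    cp.read_string("[fortios]\n" + text)
    sec = cp["fortios"]
    return {"url": sec["FORTIOS_URL"], "token": sec["BEARER_TOKEN"],
            "vdom": sec.get("VDOM") or None, "prefix": sec.get("PREFIX", "kk_")}


class FortiOSClient:
    def __init__(self, url, token, vdom=None, prefix="kk_", transport=None):
        self.base = url.rstrip("/") + "/api/v2/cmdb/"
        self.token, self.vdom, self.prefix = token, vdom, prefix
        self._send = transport or self._http  # transport(method, url, body) -> (status, json)

    def address_name(self, ip):
        addr = ipaddress.ip_address(ip)  # rejects anything that is not a literal IP
        if addr.version != 4:
            raise ValueError("IPv6 lives in firewall/address6 and addrgrp6; not handled here")
        return f"{self.prefix}{addr}"

    def _call(self, method, path, body=None):
        url = self.base + path
        if self.vdom:  # FortiOS selects the VDOM with a query parameter
            url += "?" + urlencode({"vdom": self.vdom})
        return self._send(method, url, body)

    def _http(self, method, url, body):
        req = urllib.request.Request(
            url, method=method, data=None if body is None else json.dumps(body).encode(),
            headers={"Authorization": f"Bearer {self.token}", "Content-Type": "application/json"})
        try:  # urlopen verifies the FortiGate's TLS certificate with the default context
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            return err.code, None

    def ensure_address(self, ip):
        """Create the <prefix><ip> /32 address object if missing; reuse it if it exists."""
        name = self.address_name(ip)
        status, _ = self._call("GET", "firewall/address/" + quote(name, safe=""))
        if status == 404:
            status, _ = self._call("POST", "firewall/address", {
                "name": name, "type": "ipmask", "subnet": f"{ip} 255.255.255.255",
                "comment": "managed by knocknoc"})
        if status != 200:
            raise RuntimeError(f"address {name}: HTTP {status}")
        return name

    def set_membership(self, group, ip, present):
        """Login (present=True) or logout (present=False). True if the group changed."""
        name = self.ensure_address(ip) if present else self.address_name(ip)
        path = "firewall/addrgrp/" + quote(group, safe="")
        status, data = self._call("GET", path)
        if status != 200:
            raise RuntimeError(f"addrgrp {group}: HTTP {status}")
        current = [m["name"] for m in data["results"][0]["member"]]
        if (name in current) == present:
            return False  # already in the desired state: nothing to send
        wanted = current + [name] if present else [n for n in current if n != name]
        status, _ = self._call("PUT", path, {"member": [{"name": n} for n in wanted]})
        if status != 200:  # surfaced, not masked: e.g. a build that refuses an empty group
            raise RuntimeError(f"addrgrp {group}: HTTP {status}")
        return True


class FakeFortiGate:
    """Constructed in-memory stand-in for the two cmdb tables; not a real FortiGate."""
    def __init__(self, groups):
        self.addresses, self.groups = {}, {g: list(m) for g, m in groups.items()}

    def __call__(self, method, url, body):
        path = unquote(url.split("/api/v2/cmdb/", 1)[1].split("?", 1)[0])
        is_addr = path.startswith("firewall/address")
        table = self.addresses if is_addr else self.groups
        key = path[len("firewall/address/" if is_addr else "firewall/addrgrp/"):]
        if method == "POST":  # create a new address object
            table[body["name"]] = body
            return 200, {}
        if key not in table:
            return 404, None
        if method == "PUT":  # replace the group's member list
            table[key] = [m["name"] for m in body["member"]]
            return 200, {}
        member = [] if is_addr else [{"name": n} for n in table[key]]
        return 200, {"results": [{"name": key, "member": member}]}
```

To run it against a real unit, construct FortiOSClient from load_ini() output without a transport argument; the fake is only there so the logic can be exercised offline. Two design points worth keeping if you adapt it: the source IP is validated with ipaddress before it is used in an object name, so nothing other than a literal address ever reaches the firewall config, and a refused PUT is raised rather than swallowed, because silently leaving a user in or out of the group is worse than a visible error.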

It looks a bit like this when it works:

[Screenshot: FortiGate address list and address group after login]

At the top you can see that the kk_ address object has been created, and at the bottom that the knocknoc address group now contains it.