Fortinet FortiAnalyzer (API)

You must have the Firewall integrations license pack to use this feature.

Note

A log collector integration of FortiAnalyzer is also available. Unlike the API integration, it doesn't require you to give your FortiAnalyzer device access to the public internet. See Fortinet FortiAnalyzer (Log collector).

You can integrate Fortinet FortiAnalyzer with Sophos Central so that it sends reports to Sophos for analysis.

This is an API-based integration. You'll need details of a FortiAnalyzer administrator's username, password, and administrative domain, as well as the FortiAnalyzer base URL.

The key steps are as follows:

  • Create an administrator in FortiAnalyzer.
  • Get the base URL for FortiAnalyzer.
  • Configure an integration in Sophos Central.

Warning

Your FortiAnalyzer base URL must have a publicly resolvable DNS name, or the API can't work.

You can't use a self-signed certificate with this API either.

Create a FortiAnalyzer administrator

To create an administrator, do as follows:

  1. In FortiAnalyzer, go to System Settings > Admin > Administrators.

  2. Create an administrator with JSON API Read access.

    In the administrator's profile you must set the Incidents & Events/FortiSOC permission to Read Only.

    Keep a note of the username, password, and administrative domain. You need them when you add the integration.

    For details, see Creating administrators.

Get the FortiAnalyzer base URL

  1. Check the FortiAnalyzer base URL that Sophos Central should connect to.

    The base URL format is as follows: https://faz.<yourorganization>.com.

    Copy the base URL. You need it when you add the integration.
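The warning above sets two conditions on the base URL that the integration cannot check for you until you save it: the name must resolve publicly and the certificate must chain to a trusted CA rather than being self-signed. The following script is an added example, not part of the Sophos or Fortinet documentation, for a pre-flight check an administrator can run before adding the integration. It validates that the URL has the documented `https://faz.<yourorganization>.com` shape, resolves the name to at least one public address, and opens a TLS connection using the system trust store. The hostname `faz.example.com` is a constructed placeholder; the function names are the script's own.

```python
"""Pre-flight checks for a FortiAnalyzer base URL before adding the Sophos Central
API integration. Added example, not Sophos or Fortinet code; hostnames are constructed."""
import ipaddress
import json
import socket
import ssl
import sys
from urllib.parse import urlsplit


def parse_base_url(url: str) -> tuple[str, int]:
    """Return (host, port) for a base URL of the form https://faz.<org>.com.
    Rejects plain http, missing hostnames, and any path, query or fragment,
    since the integration expects a bare base URL."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("base URL must use https")
    if not parts.hostname:
        raise ValueError("base URL has no hostname")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("base URL must not include a path, query or fragment")
    return parts.hostname, parts.port or 443


def is_publicly_resolvable(host: str) -> bool:
    """True if the system resolver returns at least one global (non-private,
    non-loopback, non-link-local) address, i.e. one Sophos Central could reach."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return False
    # Strip any IPv6 scope id ("fe80::1%eth0") before parsing.
    addrs = {ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos}
    return any(a.is_global for a in addrs)


def looks_self_signed(cert: dict) -> bool:
    """Heuristic on the dict returned by SSLSocket.getpeercert(): a self-signed
    certificate carries the same name as issuer and subject."""
    return cert.get("issuer") == cert.get("subject")


def check_certificate(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with the default context, which verifies the chain against the
    system trust store the same way an API client would. Never raises."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {
                    "ok": True,
                    "self_signed": looks_self_signed(cert),
                    "not_after": cert.get("notAfter"),
                }
    except ssl.SSLCertVerificationError as exc:
        # Untrusted or self-signed certificate: the integration will fail here.
        return {"ok": False, "reason": f"certificate not trusted: {exc.verify_message}"}
    except (OSError, ssl.SSLError) as exc:
        return {"ok": False, "reason": str(exc)}


def preflight(url: str) -> dict:
    """Run all checks and return a report; URL-format errors propagate as ValueError."""
    host, port = parse_base_url(url)
    report = {"host": host, "port": port, "resolvable": is_publicly_resolvable(host)}
    if report["resolvable"]:
        report["tls"] = check_certificate(host, port)
    return report


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "https://faz.example.com"  # constructed
    print(json.dumps(preflight(target), indent=2))
```

Run it from a host outside your network where possible, since an internal resolver may return a private address for a name that public DNS does not know; a `resolvable: false` result or an `ok: false` TLS result means the integration will not validate until DNS or the certificate is fixed.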

Configure an integration

To integrate FortiAnalyzer with Sophos Central, do as follows:

  1. In Sophos Central, go to Threat Analysis Center > Integrations > Marketplace.
  2. Click FortiAnalyzer.

    The FortiAnalyzer page opens. You can configure integrations here and see a list of any you've already configured.

  3. In Data Ingest (Security Alerts), click Add Configuration.

    Note

    If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.

  4. In Integration steps, you configure an API to collect data from FortiAnalyzer:

    1. Enter the Integration name and Integration description.
    2. Enter the Authentication details from FortiAnalyzer: Administrative domain, username, password, and base URL.
  5. Click Save.

We create the integration and it appears in your list. If its status icon shows a green tick, your data should appear in the Sophos Data Lake after validation.

Sophos IP addresses

The IP addresses we use to reach your FortiAnalyzer depend on your Sophos Central region. To find the IP addresses you need, see Sophos IPs for integrations.

You might want to add these addresses to the allow lists in your network infrastructure.