This AliCloud function works with a FortiGate Automation Action to change the security group of a requested ECS instance to one specified in an environment variable. The function uses Node.js 8. It first describes the ECS instances in the configured region and filters them by the IP address reported by the FortiGate, then attaches the pre-defined Security Group to the matching instance.
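The lookup-then-attach flow described above, written out as an added JavaScript example. This is not the project's `index.js`: the handler signature, the `req.body` shape, the use of `@alicloud/pop-core` with `client.request(action, params, opts)`, and the sample payload are all assumptions made here. The ECS actions `DescribeInstances` (filtering on `PrivateIpAddresses` / `PublicIpAddresses` as a JSON array string) and `JoinSecurityGroup` are real ECS API actions; the environment variable names are the ones the setup steps define. The lookup and attach logic is separated from the SDK client so it can be exercised with a fake client.

```javascript
'use strict';
// Added illustration, not the project's index.js. Lines marked ASSUMPTION are not from the README.

// Strict IPv4 check (each octet 0-255, no leading zeros) so that only a well-formed
// address from the FortiGate payload is ever forwarded as an ECS API parameter.
function isIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(String(s));
  return !!m && m.slice(1).every(o => Number(o) <= 255 && String(Number(o)) === o);
}

// Collect candidate host addresses from the JSON body FortiGate POSTs to the trigger.
// ASSUMPTION: the field name is not fixed by the README, so every string value in the
// body (nested or not) is examined and only valid IPv4 literals are kept, de-duplicated.
function extractIps(rawBody) {
  let parsed;
  try { parsed = JSON.parse(rawBody); } catch (e) { return []; }
  const out = new Set();
  (function walk(v) {
    if (typeof v === 'string') { if (isIPv4(v)) out.add(v); }
    else if (Array.isArray(v)) v.forEach(walk);
    else if (v && typeof v === 'object') Object.values(v).forEach(walk);
  })(parsed);
  return [...out];
}

// Look up the instance by IP (private and public address filters, so the hit does not
// depend on which address FortiGate saw) and attach the quarantine security group.
// `client` is anything exposing request(action, params, opts); `env` carries REGION_ID
// and SECURITY_GROUP_ID. Returns the instance IDs the group was attached to.
async function quarantineByIp(client, env, ip) {
  const found = new Map();
  for (const key of ['PrivateIpAddresses', 'PublicIpAddresses']) {
    const params = { RegionId: env.REGION_ID, [key]: JSON.stringify([ip]) };
    const res = await client.request('DescribeInstances', params, { method: 'POST' });
    const list = (res && res.Instances && res.Instances.Instance) || [];
    for (const inst of list) found.set(inst.InstanceId, inst);
  }
  const joined = [];
  for (const instanceId of found.keys()) {
    // JoinSecurityGroup adds the group; the instance keeps its existing groups.
    await client.request('JoinSecurityGroup',
      { InstanceId: instanceId, SecurityGroupId: env.SECURITY_GROUP_ID },
      { method: 'POST' });
    joined.push(instanceId);
  }
  return joined;
}

// Function Compute HTTP-trigger entry point.
// ASSUMPTION: (req, resp, context) signature with req.body as a Buffer, and
// @alicloud/pop-core as the SDK. It is required lazily so the functions above
// run (and can be tested) without the SDK installed.
async function handler(req, resp, context) {
  const Core = require('@alicloud/pop-core');
  const client = new Core({
    accessKeyId: process.env.ACCESS_KEY_ID,
    accessKeySecret: process.env.ACCESS_KEY_SECRET,
    endpoint: process.env.ENDPOINT,
    apiVersion: '2014-05-26',
  });
  const ips = extractIps(req.body ? req.body.toString() : '');
  const result = {};
  for (const ip of ips) {
    try {
      result[ip] = await quarantineByIp(client, process.env, ip);
    } catch (e) {
      result[ip] = { error: e.message };
    }
  }
  resp.setStatusCode(ips.length ? 200 : 400);
  resp.setHeader('content-type', 'application/json');
  resp.send(JSON.stringify(result));
}

if (typeof module !== 'undefined') module.exports.handler = handler;
```

Two practical notes: the RAM user only needs describe and join rights on ECS, which matches the "Read and Write to ECS" minimum in the setup steps and should not be widened; and because `JoinSecurityGroup` adds the quarantine group alongside the instance's existing groups rather than replacing them, the quarantine group's rules must take precedence over the allow rules already in place, or the function must also remove the other groups (ECS provides `LeaveSecurityGroup` for that), otherwise the host is not actually isolated.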
This function requires:
- FortiOS 6.2 or higher
- A RAM user with an AccessKey and Secret. For details on creating a RAM user, refer to the AliCloud article Create a RAM user.
- Node.js 8
- In the Ali Console, under Elastic Computing, select Function Compute.
- Select a region (top left). It is recommended that you set up the service in the same region as your ECS instances.
- Click Create Service.
- Enter a Service Name and click OK.
- In the new service, click Create Function.
- Under Function Template, select Empty Function.
- Under Configure Triggers, select HTTP Trigger.
- Enter a Trigger Name and set the Authorization (Function is recommended).
- Under Method, select POST.
- Under Configure Function Settings, enter a Function Name.
- Set the Runtime to Nodejs8.
- Set the following Environment Variables:
  - REGION_ID: The region your ECS instances are in.
  - SECURITY_GROUP_ID: The Security Group you will add to your Instances.
  - ACCESS_KEY_ID: The AccessKey set up with the RAM user.
  - ACCESS_KEY_SECRET: The Secret associated with the AccessKey.
  - ENDPOINT: The endpoint associated with your region (Mappings can be found here).
- Set Permissions for the function. At minimum, Read and Write to ECS are required.
- Under the Code tab, copy the provided index.js code into the editor and click Save.
The link to your HTTP Trigger will be displayed below the editor. You will use this in the next section.
- Log into your FortiGate.
- Select Security Fabric > Automation.
- Click Create New.
- Enter a Name.
- Under Trigger, select Compromised Host.
- Under Action, select AliCloud Function.
- Under AliCloud Function, set the parameters, with the HTTP URL and the settings generated in the previous section.
An example is shown below.
Fortinet-provided scripts in this and other GitHub projects do not fall under the regular Fortinet technical support scope and are not supported by FortiCare Support Services. For direct issues, please refer to the Issues tab of this GitHub project. For other questions related to this project, contact github@fortinet.com.
License © Fortinet Technologies. All rights reserved.