How the FortiGate Connection Works

The integration authenticates to the FortiGate REST API using a scoped API token with read-only permissions. We do not use SSH or console access. Every interaction is an HTTPS call to the firewall's management interface, which means the connection inherits all the transport security FortiOS already provides—TLS 1.2+, certificate validation, and trusted host enforcement on the API user.

On startup, the FortiGate collector validates its token against /api/v2/monitor/system/status and caches the firmware version, hostname, and serial number. These values are injected into every AI response context so the model knows exactly which appliance it is reasoning about. There is no guesswork—if the token is scoped to a 60F running FortiOS 7.4.4, the AI sees that metadata before it generates a single word.

API Endpoints in Use

The collector pulls from a focused set of monitor and config endpoints. The major ones:

  • /api/v2/monitor/firewall/policy — hit counters, byte counts, active sessions per policy
  • /api/v2/cmdb/firewall/policy — full policy table: source/dest objects, services, actions, logging flags
  • /api/v2/monitor/system/interface — link state, speed, IP assignments, TX/RX errors
  • /api/v2/monitor/vpn/ipsec — tunnel phase1/phase2 status, bytes transferred, uptime
  • /api/v2/monitor/firewall/session — session table with filtering by source, dest, or policy ID
  • /api/v2/monitor/system/resource/usage — CPU, memory, session count utilization
  • /api/v2/monitor/router/ipv4 — routing table for gateway and next-hop verification

The response payloads from FortiOS are deeply nested JSON. A single policy object can be 80+ fields. The AI's job is to parse the raw response, extract the relevant fields for the operator's question, and present them clearly—with actual values, not summaries of summaries.

Tiered Caching Architecture

Hitting the firewall API on every single user query would be wasteful and potentially disruptive. We use a two-tier caching strategy:

  • Health data (5-minute TTL): System resource usage, interface link states, routing table, HA status. These change infrequently and are safe to serve from cache. The background poller refreshes them every 5 minutes regardless of user activity.
  • Security data (on-demand, short TTL): Session tables, policy hit counters, VPN tunnel status. These are fetched live when a user asks about them, then cached for 30 seconds to handle follow-up questions without hammering the API.

Policy configuration data (the CMDB endpoints) sits in a middle ground—it is cached for 15 minutes and invalidated immediately if the system detects a config change via the FortiOS changelog webhook. This means when an operator asks "show me the policy table," they get a response in under 200ms from cache. But if someone just committed a policy change in the GUI, the next query forces a fresh pull.

Key insight: The 5-minute health polling serves a dual purpose. It provides fast cached responses and feeds the anomaly detection baseline. If CPU usage has been 12% for the last 6 hours and suddenly spikes to 78%, the system flags it before any human asks.

Natural Language Policy Review

Policy review is where the AI earns its keep. A FortiGate with 150 policies accumulated over three years is difficult to audit manually. The AI can ingest the entire policy table and answer questions that would otherwise require exporting to a spreadsheet.

virp
you → Which firewall policies haven't had a hit in over 90 days?
 
[FortiGate REST API] GET /api/v2/monitor/firewall/policy — 147 policies returned
 
3 policies with zero hits in the last 90 days:
 
ID 34 "Legacy-FTP-Allow" src: 10.10.5.0/24 → dest: 10.10.1.50 svc: FTP
Last hit: 2025-08-14 | Action: ACCEPT | Log: disabled
ID 71 "Temp-Vendor-Access" src: 203.0.113.0/28 → dest: 10.10.2.0/24 svc: HTTPS
Last hit: 2025-09-02 | Action: ACCEPT | Log: enabled
ID 103 "Test-Lab-NAT" src: 10.99.0.0/16 → dest: any svc: ALL
Last hit: never | Action: ACCEPT | Log: disabled
 
Recommendation: Policy 103 has service ALL with logging disabled and has
never been hit. This is a strong candidate for removal. Policies 34 and 71
reference specific services and should be reviewed with the application owners
before disabling.

The AI is not making policy decisions. It is surfacing data that already exists on the firewall and applying straightforward logic: zero hits + overly broad service + no logging = flag it. The operator makes the call.

Session Monitoring and Threat Context

The session table on a busy FortiGate can hold tens of thousands of entries. Scrolling through it in the GUI is impractical. The AI can filter and aggregate sessions in ways the native interface does not support natively.

virp
you → How many active sessions does 10.10.1.25 have right now, and what's the top destination?
 
[FortiGate REST API] GET /api/v2/monitor/firewall/session?filter=src=10.10.1.25
 
10.10.1.25 has 342 active sessions
 
Top destinations:
13.107.42.14 (outlook.office365.com) — 89 sessions, HTTPS
52.114.132.46 (teams.microsoft.com) — 47 sessions, HTTPS
10.10.1.10 (internal file server) — 31 sessions, SMB
Remaining 175 sessions spread across 38 unique destinations
 
Session count is within normal range for a workstation during business hours.

When the session count is not normal, the AI says so. If that same host had 4,000 sessions with 3,200 of them going to unique external IPs on port 443, the response would flag the anomaly and suggest investigating for possible C2 beaconing or data exfiltration.

VPN Tunnel Status

Site-to-site IPsec tunnels are one of the most common "is it up?" questions in any network. The AI pulls from the IPsec monitor endpoint and correlates it with interface status.

virp
you → What's the status of all VPN tunnels?
 
[FortiGate REST API] GET /api/v2/monitor/vpn/ipsec
 
DC-to-AWS Phase1: up Phase2: 2/2 active | Uptime: 14d 7h | TX: 2.4 TB RX: 892 GB
DC-to-Branch01 Phase1: up Phase2: 1/1 active | Uptime: 14d 7h | TX: 340 GB RX: 128 GB
DC-to-Branch02 Phase1: down Phase2: 0/1 active | Last up: 2h 14m ago
 
DC-to-Branch02 has been down for 2 hours 14 minutes. The peer IP is
198.51.100.12. Phase1 negotiation is failing, which typically indicates the
remote end is unreachable or there is a pre-shared key mismatch. Check
remote site connectivity before investigating IKE settings.

Interface Health and Link Monitoring

The interface monitor endpoint returns link state, negotiated speed, error counters, and IP configuration. The AI watches for degraded links—interfaces showing CRC errors, an unexpected speed negotiation (gigabit port running at 100Mbps), or interfaces that have flapped recently.

This data feeds into the 5-minute health cache. When interface errors start accumulating, the anomaly baseline shifts and the system proactively alerts. You do not need to ask "are there any interface errors?"—the system will tell you when there are.

Solving the 60F Log Storage Problem

The FortiGate 60F is a common edge appliance in SMB and branch deployments. It handles traffic well for its price point, but it has a significant operational gap: no local disk for log storage. Logs are either forwarded to FortiAnalyzer, a syslog server, or they are lost. For organizations without FortiAnalyzer licensing, this creates a blind spot. The firewall can tell you what is happening right now, but not what happened yesterday.

The platform solves this by integrating with Wazuh. FortiGate syslog output is forwarded to the Wazuh manager, where it is parsed, indexed, and retained according to your configured retention policy. When the AI needs historical firewall data—last week's denied traffic, authentication failures over the past month, or IPS alerts from Tuesday—it queries the Wazuh API rather than the firewall itself.

Key insight: The AI knows which data source to use for each question. Current state queries (active sessions, interface status, resource usage) go to the FortiGate REST API. Historical queries (log search, trend analysis, incident timeline) go to Wazuh. The operator does not need to specify which system to query—the intent router handles this automatically based on the question's temporal context.

virp
you → Show me all denied connections from the guest VLAN in the last 24 hours
 
[Wazuh API] Searching firewall logs: srcintf=guest, action=deny, last 24h
 
847 denied connections from guest VLAN (port3, 10.10.50.0/24)
 
Top blocked destinations:
10.10.1.0/24 (server VLAN) — 612 attempts, multiple ports
10.10.2.0/24 (management VLAN) — 198 attempts, SSH/RDP
8.8.8.8 — 37 attempts, DNS (UDP/53)
 
Top source IPs:
10.10.50.114 — 491 denied (58% of total)
10.10.50.22 — 203 denied
 
Note: 10.10.50.114 is generating a high volume of lateral movement attempts
targeting SSH and RDP on internal VLANs. This pattern is consistent with
network reconnaissance. The firewall is correctly blocking these, but the
source device should be investigated.

Notice that this query hit Wazuh, not the FortiGate. The 60F cannot answer "what happened in the last 24 hours" because it has no local log disk. But because syslog is continuously forwarded to Wazuh, the data exists—the AI just needs to know where to look. This is handled transparently.

What the AI Will Not Do

The firewall collector operates in read-only mode. It will not create, modify, or delete firewall policies through the API. It will not push configuration changes. If an operator asks "block traffic from 10.0.0.5," the AI will explain that write operations against the firewall require manual action or a change request through the approval queue—it will not silently execute the change.

This is a deliberate architectural decision. Firewalls are security boundaries. Automated write access to the policy table, even with an approval workflow, introduces risk that does not align with how most organizations manage their perimeter. Read-only API access gives you full observability without the blast radius of automated configuration changes.

The anti-fabrication engine also applies here. If the API returns an error or the data is ambiguous, the AI says "I could not retrieve that data" rather than guessing. If a policy references an address object the AI cannot resolve, it shows the object name and notes that it could not expand it—it does not fabricate an IP range.

Practical Use Cases

The operators who get the most value from this capability tend to use it for:

  • Pre-change verification: "Show me every policy that references the object group SERVERS_DMZ" before making changes to that group.
  • Incident triage: "What policies is 10.10.1.50 matching right now, and how many sessions does it have?" during an active investigation.
  • Compliance audits: "List all policies with action ACCEPT, service ALL, and logging disabled." Instantly surfaces overly permissive rules that auditors will flag.
  • Capacity planning: "What's the current session utilization as a percentage of the session table limit?" before onboarding new users or services.
  • Morning health checks: "Give me a status summary—interfaces, VPN tunnels, CPU, memory, and any anomalies." One question replaces five GUI clicks.

Each of these is a real API call returning real data. No simulation, no canned responses. The AI formats what the firewall reports and adds operational context based on the firmware version, the appliance model, and the current state of the environment.