Nur (Staff)
November 27, 2023

Technical Tip: How to ban the IP using event handler + automation stitch
Description
This article describes how to ban an IP address using a FortiAnalyzer event handler that notifies FortiGate, where an automation stitch performs the ban.

Scope
FortiAnalyzer (event handler) and FortiGate (automation stitch).

Solution

This article uses a failed SSL VPN login as the triggering event: the event handler is configured on FortiAnalyzer, and the automation stitch that bans the source IP is configured on FortiGate.

  1. Create an event handler on FortiAnalyzer:

[Screenshot 2023-11-24 141723.png]

  2. Create a stitch on FortiGate. For the trigger, go to Security Fabric -> Automation -> New -> Add Trigger -> New -> FortiAnalyzer Event Handler -> OK.

[Screenshot 2023-11-24 141330.png]

  3. Choose the event handler created on FortiAnalyzer.

[Screenshot 2023-11-24 141546.png]

  4. Under Action -> New, choose IP Ban.

[Screenshot 2023-11-24 142201.png]

The automation stitch will show as below:

[Screenshot 2023-11-24 142435.png]

In the CLI, it will appear as below:

 

preve-kvm05 # config system automation-stitch
preve-kvm05 (automation-stitch) # edit "TataSSLVPN"
preve-kvm05 (TataSSLVPN) # show
config system automation-stitch
    edit "TataSSLVPN"
        set trigger "tutuSSLVPN"
            config actions
                edit 1
                    set action "IPBan"
                    set required enable
                next
            end
        next
    end
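The stitch above references a trigger named "tutuSSLVPN" and an action named "IPBan" but does not show how those two objects are defined. The following is an added example of what the equivalent CLI definitions look like; it is not configuration from the article or from Fortinet, the FortiOS keys event-type faz-event, faz-event-name and action-type ban-ip are assumed from the FortiOS automation-trigger and automation-action tables, and the event handler name is a placeholder to be replaced with the name given to the handler on FortiAnalyzer.

```text
config system automation-trigger
    edit "tutuSSLVPN"
        set event-type faz-event
        set faz-event-name "<FortiAnalyzer event handler name>"
    next
end

config system automation-action
    edit "IPBan"
        set action-type ban-ip
    next
end
```

The ban-ip action takes the offending source address from the FortiAnalyzer event it receives, so it needs no further parameters; the stitch then binds the trigger to the action as shown in the output above.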


[Screenshot 2023-11-24 142638.png]

To test that the stitch runs, have an SSL VPN user attempt to log in with an invalid username or password.
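The event handler on FortiAnalyzer fires when its rule matches the failed-login logs forwarded by FortiGate. As an added example (not Fortinet's code and not the event handler itself), the following Python script reproduces that kind of count-within-a-period rule over FortiGate-style SSL VPN event logs, so an operator can check offline which source IPs would trip a given threshold before the stitch bans them. The sample log lines are constructed, not captured from a device, and the threshold and window are assumed values.

```python
"""Count failed SSL VPN logins per source IP from FortiGate-style event logs.

Added example for this article (not Fortinet's code and not the FortiAnalyzer
event handler): it mimics a count/period rule so an operator can see which
source IPs would reach the threshold. All sample log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# key=value pairs; values are either "quoted" (may contain spaces) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample logs shaped like FortiGate vpn event logs (not real captures).
SAMPLE_LOGS = """\
date=2023-11-24 time=14:30:02 type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=198.51.100.9 user="carol" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"
date=2023-11-24 time=14:31:40 type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=203.0.113.7 user="alice" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2023-11-24 time=14:31:55 type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=203.0.113.7 user="alice" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2023-11-24 time=14:32:03 type="event" subtype="system" level="information" action="login" user="admin" ui="https(192.0.2.10)" msg="Administrator admin logged in successfully from https(192.0.2.10)"
date=2023-11-24 time=14:32:10 type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=203.0.113.7 user="admin" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"
date=2023-11-24 time=14:50:00 type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=198.51.100.9 user="carol" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"
"""


def parse_log(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def log_time(fields):
    """Combine the date and time fields of a parsed log into a datetime."""
    return datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")


def sources_over_threshold(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {remip: (failures_in_window, time_threshold_reached)} for every
    source IP whose SSL VPN login failures reach `threshold` within `window`.
    Only vpn event logs with action ssl-login-fail are counted; admin logins and
    other event types are ignored. Threshold and window are assumed values."""
    failures = defaultdict(list)
    for line in lines:
        f = parse_log(line)
        if f.get("type") == "event" and f.get("subtype") == "vpn" and f.get("action") == "ssl-login-fail":
            failures[f["remip"]].append(log_time(f))

    tripped = {}
    for ip, times in failures.items():
        times.sort()
        start = 0  # left edge of the sliding window
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                tripped[ip] = (count, t)
                break  # first moment the rule fires, like a single event handler hit
    return tripped


if __name__ == "__main__":
    for ip, (count, when) in sources_over_threshold(SAMPLE_LOGS.splitlines()).items():
        print(f"{ip}: {count} failed SSL VPN logins by {when:%H:%M:%S} -> candidate for IP ban")
```

With the constructed sample, 203.0.113.7 reaches three failures inside five minutes and is reported, while 198.51.100.9 fails twice but twenty minutes apart and is not; lowering the threshold or widening the window changes which addresses would be handed to the IP Ban action, which is exactly the tuning decision made when defining the event handler's rule.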


[Screenshot 2023-11-24 143140.png]

On FortiAnalyzer, confirm that the event handler was triggered under FortiSoC -> Event Monitor -> All Events.


[Screenshot 2023-11-24 143337.png]

On FortiGate, the automation stitch will show that it was triggered.


[Screenshot 2023-11-27 104925.png]

Run 'diagnose user banned-ip ?' to see the available options and check whether the listed IP has been banned.


[Screenshot 2023-11-27 110041.png]

If the automation does not behave as expected, the following debug commands are recommended for troubleshooting automation stitches:


preve-kvm05 # diag test app autod 0
1. Enable/disable log dumping
2. Show automation settings.
3. Show automation statistics.
4. Show plugin statistics.
5. Show running stitches.
6. Show subscriber statistics.
7. Show migsock info.


Because the integration uses JSON API calls for both the request and the response, the latest FortiAnalyzer firmware adds a command, under config system global (the (global)# prompt below), to enable the JSON API call event log:

(global)# set jsonapi-log ?
all        logging both jsonapi request & response.
disable    disable jsonapi log.
request    logging jsonapi request.
response   logging jsonapi response.

(global)# set jsonapi-log all
(global)# end
