Technical Tip: Automating Threat Response: Using FortiAnalyzer Playbooks to Ban Malicious IPs on Blocked Traffic on FortiGate
Description
This article describes how to set up a FortiAnalyzer playbook that automatically bans a source IP address whenever traffic matches a block policy in FortiGate. By using automation stitches, the system can identify and respond to threats in real time, improving network security.
The guide provides a detailed, step-by-step process for configuring FortiAnalyzer playbooks, integrating them with FortiGate automation stitches, and verifying the IP banning procedure.
Scope
FortiGate, FortiAnalyzer.
Solution
- Make sure FortiGate is connected to FortiAnalyzer and the connection status is up.

- Create an automation stitch in FortiGate with an Incoming webhook:

- Check if the webhook is showing in FortiAnalyzer under the FortiOS connector:

- Create an event handler with a data selector that filters on the policy ID, and assign a tag: go to FortiSoC -> Handlers -> Data Selector List -> Create New.

Go to FortiSoC -> Handlers -> Event Handler List -> Create New, select the data selector created in the previous step, and create a new rule.

- Create a playbook and choose the newly created tag as the event trigger: go to FortiSoC -> Automation -> Playbook -> Create New -> New Playbook created from scratch, and select Event Trigger.

After the event trigger is chosen, add FOS_WEBHOOK as the next step; this is the action that calls the incoming webhook of the FortiGate automation stitch.

Creating the Report:

The report is available under the playbook once Enable Auto-cache and Extended Log Filtering are enabled in the report settings.
- Result: once traffic matches policy ID 2 on the FortiGate, the automation stitch is triggered on the FortiGate, after which the source IP is banned:
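As an added illustration (not part of the original article or Fortinet's own code), the following Python reproduces the logic of the data selector and the FOS_WEBHOOK step on constructed FortiGate traffic log lines: it keeps only denied traffic on policy ID 2, deduplicates the source IPs, and builds the request the playbook would send to the FortiGate incoming webhook. The webhook URL path, the bearer-token header and the JSON body are assumptions about the FortiOS REST API; the host, stitch name and token are placeholders.

```python
import json
import shlex
from urllib.parse import quote

# Constructed sample FortiGate traffic log lines (not taken from the article).
SAMPLE_LOGS = [
    'date=2024-01-10 time=10:15:01 devname="FGT-1" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" srcip=203.0.113.25 srcport=51000 dstip=192.0.2.10 '
    'dstport=443 policyid=2 action="deny" msg="Denied by policy"',
    'date=2024-01-10 time=10:15:02 devname="FGT-1" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" srcip=198.51.100.7 srcport=40022 dstip=192.0.2.10 '
    'dstport=22 policyid=1 action="accept"',
    'date=2024-01-10 time=10:15:03 devname="FGT-1" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" srcip=203.0.113.25 srcport=51001 dstip=192.0.2.11 '
    'dstport=80 policyid=2 action="deny"',
]

def parse_fortigate_log(line: str) -> dict:
    """Split a FortiGate key=value log line into a dict; quoted values are unquoted."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def data_selector(event: dict, policy_id: str = "2") -> bool:
    """Mirror of the FortiAnalyzer data selector: denied traffic on one policy ID."""
    return (event.get("type") == "traffic"
            and event.get("action") == "deny"
            and event.get("policyid") == policy_id)

def banned_sources(lines, policy_id: str = "2") -> list:
    """Unique source IPs that matched the block policy, in first-seen order."""
    seen = []
    for line in lines:
        ev = parse_fortigate_log(line)
        if data_selector(ev, policy_id) and ev["srcip"] not in seen:
            seen.append(ev["srcip"])
    return seen

def webhook_request(fgt_host: str, stitch_name: str, srcip: str) -> dict:
    """Build the POST that the FOS_WEBHOOK step sends to the incoming-webhook trigger.
    URL form, header and body are assumptions about the FortiOS REST API."""
    return {
        "method": "POST",
        "url": f"https://{fgt_host}/api/v2/monitor/system/automation-stitch/webhook/{quote(stitch_name)}",
        "headers": {"Authorization": "Bearer <API_TOKEN>", "Content-Type": "application/json"},
        "body": json.dumps({"srcip": srcip}),
    }

if __name__ == "__main__":
    # Dry run: print the request for each offending source instead of sending it.
    for ip in banned_sources(SAMPLE_LOGS):
        print(json.dumps(webhook_request("fgt.example.net", "ban-ip-from-faz", ip), indent=2))
```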


The Playbook Monitor shows a successful run:

