NIHDI_Network
New Member
September 11, 2025
Solved

Fortigate automation - adding an IPS attacker IP to a deny rule from IPS logs using X-Forwarded-For

  • September 11, 2025
  • 2 replies
  • 383 views

Hi all,

Our infrastructure is not directly connected to internet and most of the web traffic is coming from the reverse proxy IP of our ISP.
We want to use Fortigate automation to create an address object of the attacker and put it into a group that will be denied in a policy rule. This is based on IPS logs.

With the ip address of the attacker, we also want to automate the creation of a custom ips signature based on the X-Forwarded-for field we are seeing in the IPS logs.
Working with %%srcip%% in the CLI script works, but of course this gives us the IP of the reverse proxy, not the real IP of the attacker on the Internet. So it is not possible to block all traffic from the RP of our ISP.

Is there a way to use the X-Forwarded-For IP in a CLI script in Fortigate automation?

Thanks in advance 
Regards

Frédéric


Best answer by NIHDI_Network

Hi AEK,

In between, we have found the solution.
In the automation CLI script triggered by IPS-Logs, we have used %%forwardedfor%% instead of %%srcip%%


Thanks for your help
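What the accepted answer amounts to, written out as a complete automation CLI script (an added example, not the poster's own script): the IPS-log trigger substitutes the client address from the X-Forwarded-For field via %%forwardedfor%% (the variable name reported in this thread), the script creates a /32 address object named after that IP and appends it to a group that an existing deny policy references. The group name "IPS-XFF-blocklist", the object naming scheme and the custom-signature name are assumptions; the custom IPS signature at the end is the optional second part the question asks about and still has to be attached to the IPS sensor applied to the reverse-proxy policy.

```text
# FortiOS CLI script for an automation stitch, trigger = IPS log event.
# %%forwardedfor%% is replaced at run time with the X-Forwarded-For value
# from the triggering log; %%srcip%% would only yield the ISP proxy address.

# 1. Host object for the real client IP seen behind the reverse proxy.
config firewall address
    edit "IPS-attacker-%%forwardedfor%%"
        set subnet %%forwardedfor%% 255.255.255.255
        set comment "auto-added from IPS log (XFF client IP)"
    next
end

# 2. Add it to the group used as source in the deny policy.
#    'append' keeps the existing members instead of replacing them.
config firewall addrgrp
    edit "IPS-XFF-blocklist"
        append member "IPS-attacker-%%forwardedfor%%"
    next
end

# 3. Optional: custom IPS signature matching the header itself, so the
#    proxied session is dropped even though the L3 source is the proxy.
config ips custom
    edit "XFF-block-%%forwardedfor%%"
        set signature "F-SBID( --name \"XFF.Block.%%forwardedfor%%\"; --protocol tcp; --service HTTP; --flow from_client; --pattern \"X-Forwarded-For: %%forwardedfor%%\"; --context header; --no_case; )"
        set comment "auto-added from IPS log"
    next
end
```

The deny policy must match the proxied traffic on the group rather than on %%srcip%%, and the value is only trustworthy when the ISP proxy overwrites (not merely appends to) the X-Forwarded-For header, otherwise a client-supplied header can make the script block an arbitrary address. An IPv6 or multi-valued XFF field will not fit the set subnet form above and should be handled separately.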

2 replies

AEK
SuperUser
September 11, 2025

Hi Frédéric

This tech tip doesn't provide the direct solution but it will probably help:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-learn-Client-IP-from-X-Forwarded-For-and/ta-p/360058

In the last screenshot, since we can see the XFF column in the logs, I guess it can be used in the automation script.

AEK