Skip to main content
Bgoines
Bgoines
New Member
August 29, 2014
Question

List of IP Addresses

  • August 29, 2014
  • 4 replies
  • 19463 views
I was recently given a list of IP Addresses from the NCUA (Credit Union version of the FDIC) that may be associated with a series of intrusion activities against the financial sector. Is there somewhere in the Fortigate 100C and 60C that this list can be input/added to block these IP Addresses? Thank you

    4 replies

    jlozen
    jlozen
    New Member
    August 29, 2014
    I don' t know of a super easy way to block a list of specific IPs without going into Policy & Objects > Objects > Addresses and adding them individually by range or subnet. Then creating a a policy to deny those addresses from coming in the WAN port. I don' t believe there is a way to import a list of IPs into one address object.
    Bgoines
    BgoinesAuthor
    New Member
    August 29, 2014
    I was afraid of that. The list is pretty long. That can be a lot of manual entries.
    Warren_Olson_FTNT
    Staff
    Warren_Olson_FTNT
    Staff
    August 29, 2014
    You can script it...I would recommend something along the following: 1. Have your list of ips with each IP/subnet on its' own line 2. Using scripting language of your choice, loop through the contents, ie(bash) #!/bin/bash for i in $(cat $1); do echo " edit $i" echo " set subnet $i" echo " next" done 3. Run the above script with your filename as the argument and it will create an output like this which you can just pipe into another file: edit 1.1.1.1/32 set subnet 1.1.1.1/32 next edit 2.2.2.2/32 set subnet 2.2.2.2/32 next edit 3.3.3.3/32 set subnet 3.3.3.3/32 next edit 4.4.4.0/24 set subnet 4.4.4.0/24 next etc, etc Not the fanciest solution but would at least allow you to get them added in, after this just get into a CLI window and do " config firewall address" and paste in the contents of the output to create them all.
    ede_pfau
    SuperUser
    ede_pfau
    SuperUser
    September 1, 2014
    I once had to block a long list of IP addresses which where gathered from a hostsdeny process (unsuccessful login attempts). As there were around 4.000 addresses I had to split them up into address groups with 500 addresses each. I wrote a python script to do that, to read and recognize the addresses, to create address groups, to fill them up etc. On a 310B it took some 45 minutes to digest these into the running config, uploaded as bulk script. There really is no other way.
    emnoc
    emnoc
    New Member
    September 1, 2014
    You can do Warren suggested, but I would caution you, that the smaller unit have a limit number of address you can install. A SOHO model would easily be limited. What you should do is look at writing a IPS rule building a sensor and apply that imho. Managing a big list of address and blackholing particular ip_address could be a disaster. When I worked in the DDoS environment we tried maintain botnet list for the financial sector and it was hit & miss.
    Anand_Prabhu
    Anand_Prabhu
    New Member
    October 3, 2018

    This is possible in latest version. Follow this article http://itadminguide.com/fortigate-ip-address-feed/ to configure. You may also download tool from www.firewallfeed.com to easily add/remove/view/bulk upload IP address to feed.

    Terms & ConditionsAccessibility statement