KubaG
Explorer
November 12, 2024
Question

Quarantined IP Address Group


Hello guys,

In our FortiGate we have a list of a few hundred dynamically assigned IPs in Quarantine.

And I found this topic, where some Quarantined MAC addresses are automatically filled into an Address Group list named Quarantine Devices.

https://docs.fortinet.com/document/fortigate/6.4.0/administration-guide/900942/quarantine

So I am curious: is there some way to do a similar thing with our list of IP addresses?

We want to create a deny rule in the firewall with this address group.

2 replies

pminarik
Staff
November 12, 2024

I suppose you could just use regular address objects/groups in regular firewall policies? Just need to name them appropriately and treat them as quarantined addresses.

You can easily plug them into deny firewall policies, or into local-in policies (if the goal is to protect FortiGate's services, e.g. SSL-VPN).

As far as I can tell there is no built-in solution to funnel IP bans into address objects, but you can use the API to get a JSON of the current list. You can then process it further yourself.

You can get it with a GET request for /api/v2/monitor/user/banned/ .
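
The processing step described in the reply above, as an added example (not part of the original thread and not Fortinet code): it turns the banned-IP JSON into FortiOS CLI that creates one address object per IP and an address group usable in a deny policy. The response field names, the group name and the object-name prefix are assumptions, and the sample data is constructed.

```python
import ipaddress
import json

# Constructed sample of the JSON body returned by GET /api/v2/monitor/user/banned/.
# The field names (results, ip_address, ipv6, source) are an assumption; compare
# them with a real response from your FortiOS version before relying on this.
SAMPLE = json.loads("""
{"results": [
  {"ip_address": "198.51.100.7",  "source": "ips",   "ipv6": false},
  {"ip_address": "203.0.113.25",  "source": "admin", "ipv6": false},
  {"ip_address": "198.51.100.7",  "source": "dos",   "ipv6": false},
  {"ip_address": "2001:db8::bad", "source": "ips",   "ipv6": true},
  {"ip_address": "not-an-ip",     "source": "ips",   "ipv6": false}
]}
""")

GROUP = "Quarantined-IPs"   # hypothetical address group name
PREFIX = "quar-"            # hypothetical address object name prefix


def banned_ipv4(payload):
    """Return the sorted, de-duplicated IPv4 addresses in the banned list."""
    found = set()
    for entry in payload.get("results", []):
        try:
            addr = ipaddress.ip_address(str(entry.get("ip_address", "")))
        except ValueError:
            continue  # never write unvalidated text into firewall config
        if addr.version == 4:  # IPv6 entries would need firewall address6 objects
            found.add(addr)
    return sorted(found)


def to_cli(addrs, group=GROUP, prefix=PREFIX):
    """Render FortiOS CLI that creates one /32 object per IP and groups them."""
    if not addrs:
        return ""  # nothing banned, so emit no configuration
    lines = ["config firewall address"]
    for a in addrs:
        lines += [f'    edit "{prefix}{a}"',
                  f"        set subnet {a} 255.255.255.255",
                  "    next"]
    members = " ".join(f'"{prefix}{a}"' for a in addrs)
    lines += ["end", "config firewall addrgrp", f'    edit "{group}"',
              f"        set member {members}", "    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_cli(banned_ipv4(SAMPLE)))
```

Because `set member` replaces the group's whole member list, re-running this with a fresh API pull also drops IPs that are no longer banned from the group; the address objects left behind are not deleted and need separate cleanup.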

arahman
Staff
November 12, 2024