Skip to main content
fortimaster
fortimaster
Explorer III
March 9, 2025
Question

Stitch to ban IP when an anomaly occurs, but using a count number.

  • March 9, 2025
  • 2 replies
  • 1012 views

Hi all,

I would like to ban some IPs when an DoS attack ocurrs. I'm trying to do that using stitch, and "anomaly logs" trigger action. The problem is that I cannot stablish a count number or filter whith "anomaly logs". I don't want to ban an IP when is detected for first time by my DoS policy. I would like to ban it when it is detected, for example, 10 times during an attack. 

 

That is the problem: I can't use event filter or count for anomaly trigger. If I try to create a custom trigger, I cannot find the log ID 0720018432 or similar, to can customize it.

 

Could you help me to create an automation trigger to detect malicious IP during an DoS attack? I need an IP to appear several times and I don't know how to set this counter, so as not to ban it the first time (it could be from someone who doesn't belong to the attack).

1-->An IP appears X times in a short time several times with "anomaly event".

2-->Foritigate ban IP (quarantine).

 

Is it possible?

 

Thanks ¡¡¡

2 replies

Anthony_E
Staff
Anthony_E
Staff
March 12, 2025

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Best Regards
Anthony_E
Staff
Anthony_E
Staff
March 14, 2025

To create an automation stitch in FortiGate that bans an IP address when an anomaly occurs based on a count number:

  1. Create an Automation Trigger:Go to the FortiGate GUI. Navigate to `Security Fabric` -> `Automation`. Click on `Create New` to set up a new automation trigger. Define the trigger conditions based on the specific anomaly event you want to monitor. Use field filters to specify the event type and set a threshold for the count number.
  2. Configure the Trigger Conditions: Specify the event log name related to the anomaly. Use field filters to narrow down the logs to the specific anomaly. Set a condition to trigger the action when the count of the anomaly exceeds a certain number.
  3. Create an Automation Action: Still under `Security Fabric` -> `Automation`, create a new action. Choose `Ban IP` as the action type. Configure the action to ban the source IP address from the event log.
  4. Link the Trigger and Action: Create a new automation stitch. Select the previously created trigger and action. Save the stitch to activate it.

This setup will automatically ban an IP address when the specified anomaly occurs and exceeds the defined count threshold.

Best Regards
    Terms & ConditionsAccessibility statement