auppal (Staff)
Article Id 284318
Description

This article describes how to block a network user from accessing the internet if the user tries to access a blocked website. This can be achieved with a FortiAnalyzer Event Handler used as the trigger of an Automation Stitch on the FortiGate.

Scope

FortiGate, FortiAnalyzer.

Solution

The following prerequisites must be met:

  1. FortiAnalyzer is registered and active.
  2. FortiGate is connected to the FortiAnalyzer.

Example: users should be quarantined if they try to access a blocked social media website multiple times in a row.

  1. Configure a FortiAnalyzer Event Handler.

    Event handlers are created on the FortiAnalyzer; see the FortiAnalyzer administration guide for general instructions.
    1. Make sure the Automation Stitch option is enabled in the Event Handler configuration: navigate to Incidents & Events -> Handlers -> Basic Handlers -> Create New and enable Automation Stitch.

    2. Configure the rule for the handler. In this case, the important fields are Log Device Type, Log Type, Group By, Logs Match, Aggregation Duration and Aggregation Expression -> Count.

These and other fields can be adjusted according to the administrator's requirements and the criteria used to block/quarantine users.

Note: Administrators may need to adjust the Count value according to how sensitive the quarantining should be. Accessing a website such as facebook.com may generate multiple logs even though the user has tried to visit the website only once.

  2. Configure the automation stitch on the FortiGate. To create an automation stitch, refer to Technical Tip: Creating automation stitches.
    1. Create an automation trigger: navigate to Security Fabric -> Automation -> Trigger -> Create New.

      Select FortiAnalyzer Event Handler as the trigger type, then select the event handler name that was created on the FortiAnalyzer in the previous step.

    2. Create an automation stitch using this automation trigger.

      Navigate to Security Fabric -> Automation -> Stitch -> Create New.
      • Add the trigger 'Test-webfilter-fgt' created in the previous step.
      • Add an IP Ban action.

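The same trigger, action and stitch can also be created from the FortiOS CLI. The block below is an added example and not configuration from the original article: the trigger name matches 'Test-webfilter-fgt' above, the action and stitch names are assumptions, the FortiAnalyzer handler name is a placeholder for whatever was configured in step 1, and the syntax assumes FortiOS 7.x (older releases set the action directly on the stitch instead of using 'config actions').

```text
# Added example (FortiOS 7.x syntax assumed), not taken from the article.
# Lines starting with # are ignored when this is pasted as a CLI script.

# Trigger: fires when the FortiAnalyzer reports a match for the named event handler.
config system automation-trigger
    edit "Test-webfilter-fgt"
        set event-type faz-event
        # placeholder: the name of the event handler created on the FortiAnalyzer in step 1
        set faz-event-name "FAZ_HANDLER_NAME"
    next
end

# Action: ban the source IP carried in the event (the "IP Ban" action in the GUI).
config system automation-action
    edit "ban-webfilter-offender"
        set action-type ban-ip
    next
end

# Stitch: bind the trigger to the action.
config system automation-stitch
    edit "quarantine-webfilter-repeat-offender"
        set status enable
        set trigger "Test-webfilter-fgt"
        config actions
            edit 1
                set action "ban-webfilter-offender"
                set required enable
            next
        end
    next
end
```

Once the stitch has fired, `diagnose user banned-ip list` shows the quarantined addresses, `diagnose user banned-ip delete src4 <ip>` releases a single address and `diagnose user banned-ip clear` releases all of them. These are standard FortiOS diagnose commands given here as the way to perform the CLI check the article refers to; they are not copied from its screenshots.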


Results:

When a user is blocked by the web filter multiple times within 30 minutes (the Count threshold and Aggregation Duration configured on the event handler), the FortiGate bans that user's IP address and keeps it quarantined until the administrator removes the IP from the quarantine.

[screenshot]

Check the banned IP in the CLI:

[screenshot]

Check the banned IP in the GUI:

[screenshot]