Created on 06-26-2023 02:26 AM Edited on 06-26-2023 03:05 AM
Description: This article describes how to create and append addresses into address groups through automation stitches.
Scope: Any supported version of FortiGate.
Solution:
This article explains how to create an automation stitch whose action creates an address object and appends it to an address group for each source IP that triggers a specific event (the 'trigger'). The action takes the source IP from the key=value pairs that every event log carries (here the key is srcip). In this case, the trigger is an IPS log event. Sample logs can be downloaded from the Security Event section under 'Intrusion Prevention System'.
Example log:

date=2023-06-20 time=18:21:19 eventtime=1686659779425121689 tz="+0545" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="low" srcip=10.0.4.124 srccountry="Nepal" dstip=192.168.111.10 dstcountry="Reserved" srcintf="wan1" srcintfrole="wan" dstintf="internal5" dstintfrole="lan" sessionid=40400991 action="dropped" proto=6 service="HTTP" policyid=98 poluuid="b3639d14-5742-51ec-66ef-82eadf2ce95d" policytype="policy" attack="Nmap.Script.Scanner" srcport=55338 dstport=443 url="/nice%20ports%2C/Tri%6Eity.txt%2ebak" httpmethod="GET" direction="outgoing" attackid=45360 profile="Protect_Email_Server" ref="http://www.fortinet.com/ids/VID45360" incidentserialno=272311930 msg="tools: Nmap.Script.Scanner" crscore=5 craction=32768 crlevel="low" utmref=40400991:1686659779

To append the address to the respective parameters of the FortiGate command, reference the source IP (srcip) retrieved from the event log in the FortiGate address object command in the Action field.
For example:

config firewall address
    edit %%srcip%%
        set subnet %%srcip%% 255.255.255.255
    next
end
config firewall addrgrp
    edit Address-Group
        append member %%srcip%%
    next
end

This feature can be applied to any event. It will gather all of the source IPs from the events that have triggered the stitch. For example:
In this case, an IPS log event has been provided as the trigger. The stitch triggers when IPs with malicious intent are detected and logged by the IPS profile in the IPS event logs.
Associate an action with this trigger that creates and appends addresses into the group. In the GUI:
In the CLI:
config firewall address
    edit %%srcip%%
        set subnet %%srcip%% 255.255.255.255
    next
end
config firewall addrgrp
    edit Address-Group
        append member %%srcip%%
    next
end
Optionally, an action can be set up to ban these detected IPs for a certain period of time and release them afterward. To do this, provide the following CLI script in the action field:

diagnose user banned-ip add src4 %%srcip%% 60 IPS

In the script above, '60' is the ban duration in seconds and 'IPS' is the cause recorded for the ban.
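The substitution FortiGate performs when the stitch fires (filling %%srcip%% from the triggering log's key=value fields) can be modelled offline to check what a given action script will expand to before deploying it. The following Python is an added example, not Fortinet's code and not part of this article; the sample log line is constructed, and the IPv4 check on srcip is an extra safeguard of this example (it rejects any field value that is not a single IPv4 address, so a malformed field can never become a stray CLI token), not something the stitch itself enforces.

```python
import ipaddress
import re
import shlex

# Constructed sample IPS log line (not captured from a device), in the
# key=value format FortiGate writes; only a subset of fields is included.
SAMPLE_LOG = (
    'date=2023-06-20 time=18:21:19 type="utm" subtype="ips" level="alert" '
    'srcip=10.0.4.124 dstip=192.168.111.10 action="dropped" '
    'attack="Nmap.Script.Scanner" msg="tools: Nmap.Script.Scanner"'
)

# Action scripts as entered in the stitch's Action field; %%key%%
# placeholders are replaced with the matching field of the trigger log.
ADDRESS_SCRIPT = """config firewall address
    edit %%srcip%%
        set subnet %%srcip%% 255.255.255.255
    next
end
config firewall addrgrp
    edit Address-Group
        append member %%srcip%%
    next
end"""

BAN_SCRIPT = "diagnose user banned-ip add src4 %%srcip%% 60 IPS"

PLACEHOLDER = re.compile(r"%%(\w+)%%")


def parse_log(line: str) -> dict:
    """Split a FortiGate key=value log line into a dict, removing quotes.

    shlex keeps quoted values such as msg="tools: Nmap.Script.Scanner"
    together as one token even though they contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def render(script: str, fields: dict) -> str:
    """Replace every %%key%% in the script with the log's value for key.

    Raises KeyError for a placeholder the log does not carry and ValueError
    if srcip is not a single IPv4 address (the added safety check)."""
    def replace(match: re.Match) -> str:
        key = match.group(1)
        if key not in fields:
            raise KeyError(f"log has no field {key!r} for placeholder")
        value = fields[key]
        if key == "srcip":
            ipaddress.IPv4Address(value)  # AddressValueError (a ValueError) if malformed
        return value
    return PLACEHOLDER.sub(replace, script)


def expand_actions(line: str) -> tuple:
    """Return the address/addrgrp script and the ban command expanded
    for the srcip of one log line, as the stitch would run them."""
    fields = parse_log(line)
    return render(ADDRESS_SCRIPT, fields), render(BAN_SCRIPT, fields)


if __name__ == "__main__":
    address_cli, ban_cli = expand_actions(SAMPLE_LOG)
    print(address_cli)
    print(ban_cli)
```

Running the module prints the two expanded scripts for srcip=10.0.4.124, which is the same text that appears inside the auto-script's set script value in the debug output later in this article.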
For the automation to function, the stitch must be configured with the trigger for the event and the action attached to it.
As a result, the address object and address group for the source IP that the IPS profile has detected appear immediately. It is recommended to reference this address group in a firewall policy for ease of management.
To view the mechanism of the script at work in the background, run the following debug commands:

diagnose debug cli 7
diagnose debug enable

Output when the stitch fires:

flash: block_sz=4096, free_blocks=17842
0: config system auto-script
0: edit "autod.18"
0: set script "config firewall address
0: edit 10.0.4.124
0: set subnet 10.0.4.124 255.255.255.255
0: end
0:
0: config firewall addrgrp
0: edit Address-Group
0: append member 10.0.4.124
0: next
0: end"
0: end
---------------------------------------------
0: config firewall address
0: edit 10.0.4.124
0: set subnet 10.0.4.124 255.255.255.255
0: end
0:
0: config firewall addrgrp
0: edit "Address-Group"
0: append member 10.0.4.124
0: next
0: end
------------------------------------------------
0: config system auto-script
0: delete "autod.18"
0: end
flash: block_sz=4096, free_blocks=17836
Copyright 2024 Fortinet, Inc. All Rights Reserved.