FortiGate
Renante_Era, Staff
Article Id 337650
Description This article describes how to automatically block malicious source IP addresses that trigger IPS.
Scope FortiGate.
Solution

An automation stitch can be used to automatically block inbound traffic from any source IP address that triggers an IPS log. The stitch reacts to IPS logs, adds the offending source address to an address group, and a local-in policy denies that group.

  1. Create an address group in Policy & Objects -> Addresses: open the Address Group tab and select the Create New button. Provide the group name and select OK. The name 'Auto_IPS-Blocked' is used in this example.

     Creating the group up front is not mandatory. If the GUI does not allow creating a group without members, start with Step 2; the CLI script in Step 4 creates the group the first time it runs (tested in v7.0.17).

     AddrGrp.jpg

     NewGrp.jpg

  2. Navigate to Security Fabric -> Automation and select the Create New button in the Stitch tab.

     newStitch.png

  3. Provide the new stitch name, select Add Trigger, select IPS Logs, and select Apply.

     newTrigger.jpg

  4. Add a CLI script action that creates a firewall address object for '%%srcip%%/32' and appends that address object to the address group from Step 1:

     1. Configure the stitch action by selecting Add Action, then select Create.

        newAction.png

     2. Scroll down and select CLI Script.

        newCLIscript.png

     3. Provide the CLI script's name and enter the following script. Select the administrator profile the script will run under (use super_admin only if a more restricted profile with write access to firewall addresses and address groups is not available), then select OK. The group name 'Auto_IPS-Blocked' under 'config firewall addrgrp' must match the group created in Step 1. '%%srcip%%' is a log-field placeholder that the stitch replaces with the source IP of the triggering IPS log when the script runs.

        config firewall address
            edit %%srcip%%
                set subnet %%srcip%% 255.255.255.255
            next
        end
        config firewall addrgrp
            edit "Auto_IPS-Blocked"
                append member %%srcip%%
            next
        end

        newCLIScript-2.png

     4. Select the newly added script name and select Apply.

        newCLIScript-3.png

     5. Select Add Action again if another action is desired, such as sending an email notification, then select OK.

        newCLIScript-4.png

  5. In case of a false positive, manually edit the group object and remove the corresponding address object from the group. The stitch will add the address again if the same source triggers another IPS log.

  6. Finally, block the address group with a local-in policy. Blocking the group in a regular firewall policy is often not sufficient: a firewall policy only matches traffic passing through the FortiGate, so a deny policy with 'match VIP' enabled works for port-forwarded services (Virtual IPs) but does not block connections to services terminated on the FortiGate itself, such as SSL VPN or dial-up IPsec VPN. A local-in policy applies to traffic destined for the FortiGate and covers those cases.
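The complete configuration from the steps above, built from the CLI instead of the GUI, as an added example that is not part of the original article. The trigger, action and stitch names, the WAN interface name 'wan1', the sample address 203.0.113.10 used in the cleanup part, and the 7.0-style syntax of 'config actions' under the stitch are assumptions; the address group name 'Auto_IPS-Blocked' and the script body are the ones from the article.

```text
# --- Step 3: trigger on IPS logs (names are assumed for this example) ---
config system automation-trigger
    edit "IPS-Logs-Trigger"
        set trigger-type event-based
        set event-type ips-logs
    next
end

# --- Step 4: CLI script action. The script is the one from the article; it is
# entered here as a single quoted multi-line string (assumed entry format; pasting
# it into the GUI script field is the simpler route). Inner quotes are avoided so
# no escaping is needed. 'accprofile' should be the least-privileged profile that
# can write firewall addresses and address groups.
config system automation-action
    edit "Add-IPS-Source-To-Group"
        set action-type cli-script
        set script "config firewall address
edit %%srcip%%
set subnet %%srcip%% 255.255.255.255
next
end
config firewall addrgrp
edit Auto_IPS-Blocked
append member %%srcip%%
next
end"
        set accprofile "super_admin"
    next
end

# --- Steps 2-4: the stitch that ties trigger and action together ---
config system automation-stitch
    edit "Auto-Block-IPS-Source"
        set status enable
        set trigger "IPS-Logs-Trigger"
        config actions
            edit 1
                set action "Add-IPS-Source-To-Group"
                set required enable
            next
        end
    next
end

# --- Step 6: deny the group for traffic destined to the FortiGate itself
# (SSL VPN, dial-up IPsec, admin access). The group must already exist when this
# policy is created, so either create it in the GUI (Step 1) or run this after the
# stitch has fired at least once. 'wan1' is an assumed interface name.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Auto_IPS-Blocked"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action deny
    next
end

# --- Verification: confirm members are being appended after an IPS event ---
show firewall addrgrp Auto_IPS-Blocked

# --- Step 5: undo a false positive. 203.0.113.10 is a constructed example
# address. Remove it from the group first; the address object cannot be
# deleted while the group still references it.
config firewall addrgrp
    edit "Auto_IPS-Blocked"
        unselect member 203.0.113.10
    next
end
config firewall address
    delete 203.0.113.10
end
```

Two practical caveats. The IPS Logs trigger fires once per IPS log line, so the script runs for every matching log; only signatures whose action has logging enabled generate a log, and a signature set to monitor still produces one, so the source gets blocked even when the IPS sensor itself did not drop the traffic. And the local-in policy only protects services on the FortiGate; traffic that should pass through the unit from those sources still needs a deny firewall policy with the same group as source address, placed above the allow policies.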