- Configure basic Block Policy and group on FortiGate
- Create AWS Lambda function
- Modify function to use Python script call FortiGate API
- Integrate Webhook and Lambda function on FortiGate
- Test and Log
- Useful link
Scope
Solution
1) Configure basic Block Policy and group on FortiGate:
- Create Address Group:
Blocksshport1
Blocksshport2
Put a test address in those two groups which should never access our FortiGate, such as 8.8.8.8 or 1.1.1.1.
Each interface has its own address group, and the group name contains the interface name.
For the test, only SSH is used; HTTPS is not included.
- Create local-in-policy:
Interface: Firewall Interface
Source Address: Address Group
Destination Address: Firewall Interface IP address
Action: Deny
Service: SSH
Schedule: Always
Status: Enable
Use the group as the source address to keep the policy simple: put each new address in as a group member and do not create a separate rule.
Use another script for the clean-up work: keep only the 1.1.1.1/32 member and delete the other address objects.
A separate rule is useful for a timing object that blocks for a special period, such as 1 day, 2 days or 1 week, depending on management requirements.
2) Create AWS Lambda function:
(Screenshots, not reproduced here, show: Default Function Python Script; New Role; Create API Gateway; Select REST API; Create resource; Resource name; Create Method; Select method; Associate method to Lambda function; API Gateway result; Deploy API Gateway; Deploy API steps; Deploy Result; Lambda Function and API Gateway.)
3) Modify function to use Python script call FortiGate API.
Python script function:
- Log into FortiGate, get CSRF Token.
- Create firewall address based on Source IP address.
- Get firewall address group member.
- Add new firewall address to related firewall address group.
- Log out.
- Send information to Slack channel.
(Screenshots, not reproduced here, show each step: Login; New address; Member; Add Member; Logout; Slack.)
4) Integrate Webhook and Lambda function on FortiGate.
(Screenshots, not reproduced here, show the webhook configuration and the Lambda configuration.)
5) Test and log.
SSH to the FortiGate with a wrong password, then check the FortiGate debug log, the Slack and FortiGate log, the FortiGate new address and new address group member, and the AWS CloudWatch log.
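The Lambda side of steps 3 to 5, as an added Python example that is not the article's own script: it parses the webhook event, turns the source IP into a FortiGate address object, merges it into the interface's address group without duplicates, and leaves the authenticated transport (logincheck, X-CSRFTOKEN header, logout, Slack post) to a caller-supplied `http` callable. The REST paths, the `results[0]` reply shape, the webhook body keys `srcip` and `group`, and the refusal to block private addresses are assumptions added here; `csrf_token_from_cookie` shows the quoting gotcha on the ccsrftoken cookie.

```python
import json
import re
import ipaddress
from urllib.parse import quote

# FortiOS REST paths used by this workflow (assumed; confirm against your firmware docs).
ADDR_PATH = "/api/v2/cmdb/firewall/address"
GRP_PATH = "/api/v2/cmdb/firewall/addrgrp"

def csrf_token_from_cookie(set_cookie):
    """POST /logincheck returns the CSRF token quoted inside the ccsrftoken cookie;
    the X-CSRFTOKEN header on every later call must carry it without the quotes."""
    m = re.search(r'ccsrftoken="?([^";]+)"?', set_cookie or "")
    if not m:
        raise ValueError("login answered without a ccsrftoken cookie")
    return m.group(1)

def parse_webhook(event):
    """Pull attacker IP and target group from an API Gateway proxy event. The body
    keys 'srcip' and 'group' are the constructed webhook format assumed here."""
    body = json.loads(event.get("body") or "{}")
    ip = ipaddress.IPv4Address(body["srcip"])   # AddressValueError on junk input
    if ip.is_private or ip.is_loopback:         # added guard: never auto-block management nets
        raise ValueError(f"refusing to block non-public address {ip}")
    return str(ip), body.get("group", "Blocksshport1")

def address_name(ip):
    return "blk_" + ip.replace(".", "_")

def plan_calls(ip, group, current_members):
    """Ordered (method, path, json_body) FortiGate calls for one webhook event.
    Idempotent: an IP that is already a group member produces no calls."""
    name = address_name(ip)
    members = [m["name"] for m in current_members]
    if name in members:
        return []
    members.append(name)
    return [
        ("POST", ADDR_PATH, {"name": name, "type": "ipmask", "subnet": f"{ip}/32"}),
        ("PUT", f"{GRP_PATH}/{quote(group)}", {"member": [{"name": m} for m in members]}),
    ]

def handle_event(event, http):
    """Wrap as lambda_handler(event, context). `http(method, path, body)` is the caller's
    authenticated transport (login, CSRF header, logout) returning the parsed JSON reply."""
    ip, group = parse_webhook(event)
    current = http("GET", f"{GRP_PATH}/{quote(group)}", None)["results"][0]["member"]
    for call in plan_calls(ip, group, current):
        http(*call)
    return {"statusCode": 200, "body": json.dumps({"blocked": ip, "group": group})}
```

The Slack notification from the article's last step belongs in the same transport after the PUT succeeds, so a failed API call is reported rather than silently skipped.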
6) Useful link.
FNDN Access: a basic account provides free access to documentation and basic tools. Users can view and answer questions in FortiAnswers.
Paid subscriptions include additional services and tools.
Copyright 2024 Fortinet, Inc. All Rights Reserved.