FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ydong01
Staff
Description
This article describes an automation that uses a Webhook to send messages to AWS Lambda, which then calls the FortiGate REST API to block the invalid access:
- Configure a basic block policy and address group on FortiGate
- Create an AWS Lambda function
- Modify the function so its Python script calls the FortiGate API
- Integrate the Webhook and Lambda function on FortiGate
- Test and log
- Useful link


Scope


Solution
1) Configure a basic block policy and address group on FortiGate:

- Create Address Groups:

Blocksshport1
Blocksshport2

Put a test address in each of these two groups, one that should never legitimately access the FortiGate, such as 8.8.8.8 or 1.1.1.1.

[Screenshot: KB-FD47088-30.jpg]

Each interface gets its own address group, and the group name contains the interface name.

For this test only SSH is covered; HTTPS is not included.

- Create a local-in-policy:

Interface: Firewall Interface
Source Address: Address Group
Destination Address: Firewall Interface IP address
Action: Deny
Service: SSH
Schedule: Always
Status: Enable

Using a group as the source address keeps the policy simple: each newly blocked address is added as a group member, and no separate rule has to be created.

A separate clean-up script can reset the group by keeping only the 1.1.1.1/32 member and deleting the other address objects.

A separate rule per address is useful when a schedule object is needed to block for a specific period, such as 1 day, 2 days or 1 week, depending on management requirements.

2) Create the AWS Lambda function:

Default Function Python Script.

New Role.

Create API Gateway.

Select REST API.

Create resource.

Resource name.

Create Method.

Select method.

Associate method to Lambda function.

API Gateway result.

Deploy API Gateway.

[Screenshot: KB-FD47088-2.jpg]

Deploy API steps.

[Screenshot: KB-FD47088-1.jpg]

Deploy Result.

[Screenshot: KB-FD47088-.jpg]

Lambda Function and API Gateway.

[Screenshot: KB-FD47088-4.jpg]




3) Modify the function so its Python script calls the FortiGate API.

The Python script performs these steps:
- Log in to the FortiGate and obtain the CSRF token.
- Create a firewall address object from the source IP address.
- Get the current members of the firewall address group.
- Add the new firewall address to the related firewall address group.
- Log out.
- Send a notification to the Slack channel.
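The following is an added example written for this article; it is not the script shown in the screenshots and not Fortinet's code. It implements the six steps above as the Lambda handler behind the API Gateway REST endpoint from step 2, and also covers the FortiGate side of step 4 by parsing the body the Webhook posts. Assumptions: the FortiOS session login at `/logincheck` returning the CSRF token in the `ccsrftoken` cookie, the `/api/v2/cmdb/firewall/address` and `/api/v2/cmdb/firewall/addrgrp/<name>` endpoints, a webhook body that carries the failed login's source IP either as JSON `{"srcip": ...}` or as a raw log line containing `srcip=`, and the environment variable names `FGT_URL`, `FGT_USER`, `FGT_PASS`, `FGT_ADDRGRP` and `SLACK_WEBHOOK`, all of which are hypothetical. It goes one step beyond the article by validating that the extracted value is a well-formed IPv4 address before it is written into the FortiGate configuration, and by leaving the group untouched when the member is already present.

```python
"""Added example (not the article's own script): Lambda handler that blocks the source IP of a failed FortiGate login."""
import ipaddress
import json
import os
import re
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

FGT_URL = os.environ.get("FGT_URL", "https://fortigate.example.invalid")  # assumed settings, hypothetical defaults
FGT_USER = os.environ.get("FGT_USER", "apiuser")
FGT_PASS = os.environ.get("FGT_PASS", "change-me")
ADDRGRP = os.environ.get("FGT_ADDRGRP", "Blocksshport1")
SLACK_WEBHOOK = os.environ.get("SLACK_WEBHOOK", "")


def extract_srcip(body):
    """Source IP from the webhook body: JSON with a "srcip" key or a raw FortiOS log line (assumed formats)."""
    try:
        data = json.loads(body)
        candidate = str(data.get("srcip", "")) if isinstance(data, dict) else ""
    except ValueError:
        match = re.search(r'srcip="?([0-9.]+)"?', body)
        candidate = match.group(1) if match else ""
    try:  # only a well-formed IPv4 address may enter the FortiGate configuration
        return str(ipaddress.IPv4Address(candidate))
    except ValueError:
        return None


def urllib_transport():
    # Real HTTP transport: (method, url, headers, body) -> (status, text, cookies); keeps the session cookie.
    jar = CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))

    def send(method, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        resp = opener.open(req, timeout=10)
        return resp.getcode(), resp.read().decode("utf-8", "replace"), {c.name: c.value for c in jar}
    return send


class FortiGate:
    # Session-based FortiOS REST client: login -> CSRF token -> API calls -> logout.
    def __init__(self, base_url, transport):
        self.base, self.send, self.csrf = base_url.rstrip("/"), transport, ""

    def _call(self, method, path, payload=None):
        headers = {"Accept": "application/json", "X-CSRFTOKEN": self.csrf}
        body = json.dumps(payload).encode() if payload is not None else None
        status, text, _ = self.send(method, self.base + path, headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}")
        return json.loads(text) if text else {}

    def login(self, user, password):
        form = urllib.parse.urlencode({"username": user, "secretkey": password, "ajax": 1}).encode()
        status, _, cookies = self.send("POST", self.base + "/logincheck",
                                       {"Content-Type": "application/x-www-form-urlencoded"}, form)
        self.csrf = cookies.get("ccsrftoken", "").strip('"')  # FortiOS returns the token as a quoted cookie
        if status != 200 or not self.csrf:
            raise RuntimeError("FortiGate login failed")

    def create_address(self, name, ip):
        self._call("POST", "/api/v2/cmdb/firewall/address",
                   {"name": name, "type": "ipmask", "subnet": f"{ip}/32"})

    def add_member(self, group, name):
        data = self._call("GET", f"/api/v2/cmdb/firewall/addrgrp/{group}")
        members = [m["name"] for m in data["results"][0]["member"]]
        if name not in members:  # idempotent: a re-sent webhook does not duplicate the member
            members.append(name)
            self._call("PUT", f"/api/v2/cmdb/firewall/addrgrp/{group}",
                       {"member": [{"name": m} for m in members]})
        return members

    def logout(self):
        self._call("POST", "/logout")


def lambda_handler(event, context=None, transport=None):
    # API Gateway (Lambda proxy) entry point; `transport` is injectable so the flow can run offline in tests.
    ip = extract_srcip(event.get("body") or "")
    if ip is None:
        return {"statusCode": 400, "body": "no valid srcip in webhook payload"}
    transport = transport or urllib_transport()
    fgt = FortiGate(FGT_URL, transport)
    fgt.login(FGT_USER, FGT_PASS)
    try:  # the article's sequence: new address, group member, logout
        name = f"blocked_{ip}"
        fgt.create_address(name, ip)
        members = fgt.add_member(ADDRGRP, name)
    finally:
        fgt.logout()
    if SLACK_WEBHOOK:  # Slack incoming webhooks accept {"text": ...}
        transport("POST", SLACK_WEBHOOK, {"Content-Type": "application/json"},
                  json.dumps({"text": f"FortiGate: {ip} added to {ADDRGRP}"}).encode())
    return {"statusCode": 200, "body": json.dumps({"blocked": ip, "members": members})}
```

`lambda_handler` is the entry point API Gateway invokes; the `transport` argument exists only so the FortiGate and Slack calls can be replaced by a stub when testing. Because the API Gateway URL is reachable from the Internet, anyone who can post to it can add members to the block group, so restrict who may call it (an API key or resource policy) and give the FortiGate API user only the rights the address and address-group objects need.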

Login.

[Screenshot: KB-FD47088-5.jpg]

New address.

[Screenshot: KB-FD47088-5.jpg]
[Screenshot: KB-FD47088-7.jpg]

Member.

[Screenshot: KB-FD47088-8.jpg]
[Screenshot: KB-FD47088-9.jpg]

Add Member.

[Screenshot: KB-FD47088-10.jpg]
[Screenshot: KB-FD47088-11.jpg]

Logout.

[Screenshot: KB-FD47088-12.jpg]
[Screenshot: KB-FD47088-13.jpg]

Slack.

[Screenshot: KB-FD47088-14.jpg]


4) Integrate the Webhook and the Lambda function on FortiGate.

Webhook.

[Screenshot: KB-FD47088-15.jpg]

Configure.

[Screenshot: KB-FD47088-16.jpg]

Lambda.

[Screenshot: KB-FD47088-17.jpg]

Configure.

[Screenshot: KB-FD47088-17.jpg]



5) Test and log.

[Screenshot: KB-FD47088-19.jpg]
[Screenshot: KB-FD47088-20.jpg]

SSH to the FortiGate with a wrong password.

[Screenshot: KB-FD47088-21.jpg]

FortiGate debug log.

[Screenshot: KB-FD47088-22.jpg]

Slack and FortiGate log.

[Screenshot: KB-FD47088-23.jpg]
[Screenshot: KB-FD47088-24.jpg]

FortiGate new address and new address group member.

[Screenshot: KB-FD47088-25.jpg]
[Screenshot: KB-FD47088-26.jpg]

AWS CloudWatch log.

[Screenshot: KB-FD47088-27.jpg]

Slack and FortiGate log.

[Screenshot: KB-FD47088-28.jpg]

6) Useful link.

FNDN Access.

A basic account provides free access to documentation and basic tools. Users can view and answer questions in FortiAnswers.
Paid subscriptions include additional services and tools.

[Screenshot: KB-FD47088-29.jpg]
