FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
nsoni
Staff
Article Id 343659

Description This article provides a basic troubleshooting step for cases where the FortiGate block IP or unblock IP remediation scripts are not working in FortiSIEM.
Scope FortiSIEM.
Solution

Make sure that the FortiGate SSH credentials configured in FortiSIEM have permission to list and modify the quarantine or banned-ip list, so that the following FortiGate CLI commands can be executed by the remediation script in FortiSIEM.

Earlier FortiGate versions:

diagnose user quarantine list
diagnose user quarantine delete
diagnose user quarantine add

Or for recent FortiGate versions:

diagnose user banned-ip list
diagnose user banned-ip delete
diagnose user banned-ip add


Run the following commands on the collector through which the FortiGate is integrated, to verify that the commands can be executed with the FortiGate SSH credentials.

su admin
ssh user@FortiGate_IP
diagnose user quarantine list

Or:

su admin
ssh user@FortiGate_IP
diagnose user banned-ip list
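As an added example (not from the Fortinet article), the following POSIX shell helper runs the same verification from the collector and classifies the result, so the check can be repeated after every credential or admin-profile change. The command runner is injectable so the logic can be exercised without a FortiGate; the FortiGate error strings it matches are assumptions.

```shell
#!/bin/sh
# Added example: verify from the FortiSIEM collector that the FortiGate SSH
# account can run the list command used by the block/unblock remediation.

# Pick the command family: "recent" uses banned-ip, anything else quarantine.
fgt_list_cmd() {
  case "$1" in
    recent) echo "diagnose user banned-ip list" ;;
    *)      echo "diagnose user quarantine list" ;;
  esac
}

# Classify CLI output: 0 if the command ran, 1 if it was rejected or empty.
# Matched error strings are assumptions about FortiGate CLI messages.
fgt_check_output() {
  case "$1" in
    "") return 1 ;;
    *"command parse error"*|*"Unknown action"*|*"ermission denied"*) return 1 ;;
    *) return 0 ;;
  esac
}

# Default runner: non-interactive ssh so a bad credential fails fast
# instead of hanging on a password prompt (hypothetical helper name).
fgt_ssh_runner() {
  ssh -o BatchMode=yes -o ConnectTimeout=10 "$1" "$2"
}

# fgt_verify user@FortiGate_IP <recent|earlier> [runner]
fgt_verify() {
  target="$1"; family="$2"; runner="${3:-fgt_ssh_runner}"
  cmd="$(fgt_list_cmd "$family")"
  rc=0
  out="$("$runner" "$target" "$cmd" 2>&1)" || rc=$?
  if [ "$rc" -eq 0 ] && fgt_check_output "$out"; then
    echo "OK: '$cmd' executed on $target"
    return 0
  fi
  echo "FAIL: '$cmd' on $target (exit $rc): $out" >&2
  return 1
}
```

Run it as `fgt_verify user@FortiGate_IP recent` after `su admin` on the collector; a FAIL line points at the admin profile or credentials rather than at the remediation script itself.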