Created on 12-28-2021 02:37 AM
I have to block hundreds of IP addresses because of the flaw we all know.
However, my FortiGate 200D is on 6.0, the latest version supported by my hardware.
When I import my file with the IPs, there is no problem, I see it perfectly. Except that when I create a rule, I can't find the famous imported file to block the IPs. Indeed, I have followed dozens of tutorials, but nothing works.
I would need a little help explaining how to block the IPs with my imported file.
Thank you for your help
Created on 12-28-2021 03:47 AM
How did you import the IPs exactly? Did you upload a script, or follow a specific guide?
Most of what I've seen would generate address objects automatically based on imported IPs, so when you create a policy you have to use the address object(s) created by your IP import.
Thanks for your answer.
In fact, I import my file via the "Fabric Connectors" menu, creating an "IP address threat feed". My file imports correctly and I see the IPs in it.
However, when I create it, it tells me that it will be visible in "DNS", but not in IPv4. Now, I want to create a firewall rule that blocks all IPs from this file! But in the rule creation, this file does not appear.
thanks for clarifying :).
I think this is what you're looking for:
If it's not that, let me know and I'll see what else I can dig up :)
So yes, that's exactly what I'm looking for. Except that I'm using the graphical interface. Isn't there a problem with the version? Because in different tutorials, when an import file is created, it appears directly in the source/destination of the rule.
I think there must be a way to apply this file in a rule without using a client?
I have the impression, in fact, that my equipment with the 6.0 update is blocking a lot of features... After that, if you assure me that this documentation works, I can try it on 6.0. But it's still a firewall in production.
Hm, good question, I don't believe I've ever really tested threat feed in 6.0. But, I have been able to find a bit of relevant documentation for 6.0:
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/183361/configuration#threat-feed - at the bottom, a short snippet on threat feed indicating it can be used in webfilter or DNS filter profiles to block IPs (which you would apply to your regular internet policy for example)
https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/85580/blocking-malicious-domains-using-t... a guide for blocking domains specifically, but blocking IP addresses via threat feed should be basically the same
-> you should still find the threat feed under remote categories, and be able to include it in a profile, set action to block, and use the webfilter/dns profile in your policies.
Hope that helps :)
Created on 12-28-2021 06:50 AM
after reading up the v6.0 Handbook on Fabric connectors, I'd say that in that version you can not use the imported list in IPv4 policies directly (that is, in the source or destination address field). If a DNS filter would suffice, you can do that in v6.0. It will block the IP resolution of FQDNs used for HTTP(S) policies.
Without really being ashamed, I'd like to point to my blog where I offer a Python script for importing arbitrary long IP lists into IPv4 address objects and address groups (https://www.beneicke-edv.de/?page_id=999#ext_blacklists). Maybe it's of help for you, though it's not as elegant as a Fabric connector, as you'd need Python installed and the objects are not updated dynamically.
Ah, I don't think that link works anymore. I get "Diese Seite gibt es leider nicht." ("Unfortunately, this page does not exist.") when trying to access your link, Ede. I also searched for "python script address", but this did not provide any results either.
You can upload files (like the script) to this thread though :)
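Since Ede's script is no longer reachable, here is an added example of the same approach (written for this thread, not Ede's script and not Fortinet code): read a plain text list of IPv4 addresses/CIDRs, emit FortiOS CLI that creates one `firewall address` object per entry, and collect them into `firewall addrgrp` groups that can be placed in the source/destination field of an IPv4 deny policy. Assumptions: the input format (one IP or CIDR per line, `#` comments), the object/group naming scheme, and the chunk size of 300 members per group, which you should check against your model's address-group member limit before pasting the output into the CLI. The sample list is constructed, not real threat data.

```python
"""Turn a text list of IPv4 addresses/CIDRs into FortiOS CLI that creates
address objects and address groups. Added example for the thread above;
not Ede's script and not Fortinet code."""
import ipaddress
from typing import List

# Constructed sample input: the kind of "file with the IPs" the thread is about.
SAMPLE_LIST = """
# example blocklist (constructed, not real threat data)
192.0.2.10
192.0.2.0/24
198.51.100.7
198.51.100.7          # duplicate, collapsed below
203.0.113.0/25
not-an-ip             # junk line, skipped
2001:db8::1           # IPv6, skipped: the goal is an IPv4 policy
"""


def parse_ip_list(text: str) -> List[ipaddress.IPv4Network]:
    """Parse one IP or CIDR per line; ignore comments, blanks, junk and IPv6.
    Overlapping/duplicate entries are collapsed so the group carries no
    redundant objects (192.0.2.10 disappears into 192.0.2.0/24)."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # not an address or CIDR: skip rather than abort
        if isinstance(net, ipaddress.IPv4Network):
            nets.append(net)
    return list(ipaddress.collapse_addresses(nets))  # sorted, de-overlapped


def object_name(prefix: str, net: ipaddress.IPv4Network) -> str:
    """Assumed naming scheme, e.g. blk_192.0.2.0_24 (stays under FortiOS name length)."""
    return f"{prefix}_{net.network_address}_{net.prefixlen}"


def render_config(nets: List[ipaddress.IPv4Network], prefix: str = "blk",
                  group_name: str = "blocklist", max_members: int = 300) -> str:
    """Emit 'config firewall address' objects and 'config firewall addrgrp'
    groups of at most max_members each (300 assumed; check your model's limit).
    Every group produced must be referenced in the deny policy."""
    lines = ["config firewall address"]
    for net in nets:
        lines += [f'    edit "{object_name(prefix, net)}"',
                  f"        set subnet {net.network_address} {net.netmask}",
                  "    next"]
    lines.append("end")

    names = [object_name(prefix, n) for n in nets]
    lines.append("config firewall addrgrp")
    for i in range(0, len(names), max_members):
        members = " ".join(f'"{n}"' for n in names[i:i + max_members])
        lines += [f'    edit "{group_name}_{i // max_members + 1}"',
                  f"        set member {members}",
                  "    next"]
    lines.append("end")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_config(parse_ip_list(SAMPLE_LIST)))
```

Paste the output into the CLI (or `execute restore config`), then create an IPv4 policy above your allow rules with every generated group in the source (or destination) field and action deny. Unlike a threat feed, the objects are static: rerun the script and reapply when the list changes.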