Fortinet Forum
tamiatag
New Contributor

Import IP address file

Hello,
I have to block hundreds of IP addresses because of the flaw we all know.
However, I have a version of my FortiGate 200D that is on 6.0, the latest version supported by my hardware.
When I import my file with the IPs, there is no problem, I see it perfectly. Except that I can't, when I create a rule, find the famous imported file to block the IPs. Indeed, I have followed dozens of tutorials, but nothing works.
I would need a little help explaining how to block the IPs with my imported file.
Thank you for your help
Best regards
Debbie_FTNT
Staff

Hey tamiatag,

how did you import the IPs exactly? Did you upload a script, or follow a specific guide?

Most of what I've seen would generate address objects automatically based on imported IPs, so when you create a policy you have to use the address object(s) created by your IP import.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
tamiatag

Thanks for your answer.
In fact, I import my file via the "Fabric Connectors" menu, creating an "IP address threat feed". My file imports correctly and I see the IPs in it.

However, when I create it, it tells me that it will be visible in "DNS", but not in IPv4. Now, I want to create a firewall rule that blocks all IPs from this file! But in the rule creation, this file does not appear.

Best regards
Debbie_FTNT

Hey tamiatag,

thanks for clarifying :).

I think this is what you're looking for:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/891236/external-block-list-threat-feed-p...
If it's not that, let me know and I'll see what else I can dig up :)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
tamiatag

So yes, that's exactly what I'm looking for. Except, I'm using a graphical interface. Isn't there a problem with the version? Because on different tutorials, when we create an import file, it appears directly in source/destination of our rule.

I think there must be a way to apply this file in a rule without using a client?..

Best regards
tamiatag

I forgot, my OS version is 6.0 and not 6.2 :\

Best regards
tamiatag

I have the impression, in fact, that my equipment with the 6.0 update is blocking a lot of features... After that, if you assure me that this documentation works, I can try to do it on the 6.0. But it's still a firewall in production.

Best regards
Debbie_FTNT

Hm, good question, I don't believe I've ever really tested threat feed in 6.0. But, I have been able to find a bit of relevant documentation for 6.0:
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/183361/configuration#threat-feed - at the bottom, a short snippet on threat feed indicating it can be used in webfilter or DNS filter profiles to block IPs (which you would apply to your regular internet policy for example)
https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/85580/blocking-malicious-domains-using-t... a guide for blocking domains specifically, but blocking IP addresses via threat feed should be basically the same
-> you should still find the threat feed under remote categories, and be able to include it in a profile, set action to block, and use the webfilter/dns profile in your policies.

Hope that helps :)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
ede_pfau
Esteemed Contributor III

hi,

after reading up the v6.0 Handbook on Fabric connectors, I'd say that in that version you cannot use the imported list in IPv4 policies directly (that is, in the source or destination address field). If a DNS filter would suffice, you can do that in v6.0. It will block the IP resolution of FQDNs used for HTTP(S) policies.

Without really being ashamed, I'd like to point to my blog where I offer a Python script for importing arbitrary long IP lists into IPv4 address objects and address groups (https://www.beneicke-edv.de/?page_id=999#ext_blacklists). Maybe it's of help for you, though it's not as elegant as a Fabric connector, as you'd need Python installed and the objects are not updated dynamically.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
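A script of the kind Ede describes, written here as an added example (it is not the script from his blog): it reads a plain-text IP/CIDR list and emits FortiGate CLI for `firewall address` objects, `firewall addrgrp` groups and a deny policy that references those groups, which is the route available on 6.0 when the threat feed cannot be selected in an IPv4 policy. The object and group name prefixes, the per-group chunk size of 300 (address-group member limits vary by model and version), the policy ID of 0 (next free ID) and the interface names are assumptions; the blocklist embedded at the top is constructed.

```python
"""Turn a plain-text IP/CIDR blocklist into FortiGate CLI (address objects,
address groups, deny policy). Added example, not Ede's script; names,
chunk size and interfaces are assumptions."""
import ipaddress
from typing import List, Tuple

# Constructed sample feed: comments, a CIDR, a duplicate and a junk line,
# which is what a downloaded blocklist typically looks like.
SAMPLE_FEED = """\
# sample blocklist (constructed)
203.0.113.10
198.51.100.0/24
203.0.113.10        # duplicate, must collapse
192.0.2.77/32
not-an-ip
"""


def parse_feed(text: str) -> List[ipaddress.IPv4Network]:
    """Return unique IPv4 networks from a feed; skip comments, blanks and junk."""
    seen = set()
    nets: List[ipaddress.IPv4Network] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)  # bare IP -> /32
        except ValueError:
            continue  # not an IP or CIDR: skip rather than abort the whole import
        if net.version != 4 or net in seen:
            continue
        seen.add(net)
        nets.append(net)
    return nets


def object_name(prefix: str, net: ipaddress.IPv4Network) -> str:
    """Address names cannot contain '/', so encode the prefix length with '_'."""
    return f"{prefix}_{net.network_address}_{net.prefixlen}"


def render_cli(nets: List[ipaddress.IPv4Network], prefix: str = "blk",
               group: str = "blk_grp", chunk: int = 300) -> Tuple[str, List[str]]:
    """Emit address objects plus address groups of at most `chunk` members.

    Groups are chunked because the member limit of one address group depends
    on model and FortiOS version (300 is an assumed, conservative size).
    """
    lines = ["config firewall address"]
    names = []
    for net in nets:
        name = object_name(prefix, net)
        names.append(name)
        lines += [f'    edit "{name}"',
                  f"        set subnet {net.network_address} {net.netmask}",
                  "    next"]
    lines.append("end")
    groups = []
    lines.append("config firewall addrgrp")
    for i in range(0, len(names), chunk):
        gname = f"{group}_{i // chunk + 1}"
        groups.append(gname)
        members = " ".join(f'"{n}"' for n in names[i:i + chunk])
        lines += [f'    edit "{gname}"', f"        set member {members}", "    next"]
    lines.append("end")
    return "\n".join(lines) + "\n", groups


def render_policy(groups: List[str], policy_id: int = 0,
                  srcintf: str = "wan1", dstintf: str = "internal") -> str:
    """Deny policy using the groups as source addresses (interfaces assumed)."""
    members = " ".join(f'"{g}"' for g in groups)
    return "\n".join([
        "config firewall policy",
        f"    edit {policy_id}",          # 0 = allocate the next free policy ID
        '        set name "block-feed-ips"',
        f'        set srcintf "{srcintf}"',
        f'        set dstintf "{dstintf}"',
        f"        set srcaddr {members}",
        '        set dstaddr "all"',
        "        set action deny",
        '        set schedule "always"',
        '        set service "ALL"',
        "        set logtraffic all",     # log hits so the feed's effect is visible
        "    next",
        "end",
    ]) + "\n"


if __name__ == "__main__":
    nets = parse_feed(SAMPLE_FEED)
    cli, groups = render_cli(nets)
    print(cli + render_policy(groups))
```

The generated text is meant to be pasted into the CLI console (or loaded as a script under System > Config > Scripts); the deny policy is emitted with `edit 0` so it lands at the bottom of the policy table and should be moved above the permitting rules afterwards. Unlike a Fabric connector, nothing here refreshes automatically, so re-running the script on a new feed is the update mechanism.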
Debbie_FTNT

Ah, I don't think that link works anymore. I get "Diese Seite gibt es leider nicht." when trying to access your link, Ede. I also searched for "python script address", but this did not provide any results either.

You can upload files (like the script) to this thread though :)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++