Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
RobertC
New Contributor II

Atutomation: CLI action - grab "Remote IP"

Hello,

I'm trying to grab IP address from the log after ssl-login-fail and create new Firewall->address and append it to existing group using CLI script:

Log event looks like this:

date=2024-01-17 time=11:11:19 id=7325007792115286044 itime="2024-01-17 11:11:19" euid=1049 epid=3 dsteuid=3 dstepid=3 logver=700130566 logid=0101039426 type="event" subtype="vpn" level="alert" action="ssl-login-fail" msg="SSL user failed to logged in" logdesc="SSL VPN login fail" user="admin" remip=5.153.183.36 group="N/A" tunnelid=0 tunneltype="ssl-web" dst_host="N/A" reason="sslvpn_login_permission_denied" eventtime=1705486279485398543 tz="+0100" devid="FG100E4Q17012295" vd="root" csf="TCCM_SF" dtime="2024-01-17 11:11:19" itime_t=1705486279 devname="EDGECLUSTER_FG100E"

 I see that IP address in question is named remip

 

My script follows:

config firewall address
edit %%remip%%_SSL_VPN
set subnet %%remip%% 255.255.255.255
next
end

config firewall addrgrp
edit Banned_SSLVPN
append member %%remip%%
next
end

but the result is nothing, no address entry is created. How can I debug it (or at least check some logs)?

PS: the stitch input is FAZ log

Thanks

Robert

1 Solution
RobertC
New Contributor II

Well,

for the sake of archives....

There is a confirmed bug in FortiAnalyzer 7.2.x, which causes that srcip is not send in the log back to Fortigate so the script trying to grab this value can't work. Recommended solution is to upgrade FAZ to 7.4.x

 

HTH

Robert

View solution in original post

12 REPLIES 12
funkylicious
Contributor III

Hi,

The append should contain, %%remip%%_SSL_VPN object name, since that is what you are creating.

 

L.E. also try %%log.remip%% instead of %%remip%% if it still doesnt work 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Permanently-block-rogue-IPs-from-accessing...

geek
geek
RobertC

Hey,

good catch on that %%remip%%_SSL_VPN object. However I tried with %%log.remip%% and the IP address entry is still not created. I removed that append to group for the moment. Now I'm trying to "Record in console" method, maybe there was some unwanted character as I pasted the script to the field. So far it's still not working.

pminarik

I noticed one additional error.

First you create a new address object named "<remip>_SSL_VPN".
Then you edit the existing address group and try to add a new member to it named "<remip>". In other words, the names don't match.

 

edit: just realized that @Bjay_Prakash_Ghising already highlighted this.

[ corrections always welcome ]
Bjay_Prakash_Ghising
Contributor

Hi RobertC,

 

Your script must add the address into the address group. 

 

In this situation, you need to append %%remip%%_SSL_VPN

config firewall address
edit %%remip%%_SSL_VPN
set subnet %%remip%% 255.255.255.255
next
end

config firewall addrgrp
edit Banned_SSLVPN
append member %%remip%%_SSL_VPN
next
end

 

Please try and let us know. 

 

Hope that helps,

 

Kind Regards, 

Bijay Prakash Ghising

Ghising
Ghising
pminarik
Staff
Staff

Variables that are taken from the triggering log message must always be in the form of %%log.<log-field-name>%%.

 

%%log.remip%%
%%log.user%%

%%log.msg%%

etc.

 

You can refer to the clickable "%" button, it will show you what the variables should look like.

 
[ corrections always welcome ]
Bjay_Prakash_Ghising

Hi pminarik, 

 

Greetings!

 

When I tried to append the source IP from the trigger. It worked for me when I specified %%srcip%%

 

Please find the attached article for your reference. 

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Create-and-append-addresses-into-address-g...

 

[ corrections always welcome ]

 

Kind Regards, 

Bijay Prakash Ghising

 

Ghising
Ghising
pminarik

Interesting! %%log.xyz%% used to be the way to do this, looks like this has changed recently. Thanks for sharing.

[ corrections always welcome ]
RobertC
New Contributor II

Well,

I think that I found the issue. There is a difference in the log entry between what I see in FortiAnalyzer and what's send to automation. I created another action which send me complete %%log%% to my email and there is no %%remip%% at all. Also %%srcip%% = NVA

date=2024-01-17 time=16:05:01 eventtime=1705503901350355562 tz="+0100" logid="0100065300" type="event" subtype="system" level="notice" vd="root" logdesc="Internal Message" ackflag="no" alertid="202401171000000259" logcount="1" alerttime="1705503768" devid="FG100E4Q17012295" devname="FG100E4Q17012295" groupby1="FG100E4Q17012295" groupby2="" groupby3="" readflag="no" severity="medium" subject="devid:FG100E4Q17012295" tag="" triggername="SSL-LOGIN-FAIL-Dataline" vdom="root" epid="3" euid="7458" epip="N\/A" srcip=N\/A epname="" euname="" extrainfo="{ }" ephostname="" epmac="" eposname="" eposversion=""
Bjay_Prakash_Ghising
Contributor

Hi RobertC, 

 

Please note, that it's up to the FAZ handler configuration on how to channel the logs to the FortiGate.

 

If you only filter to send specific logs to the FortiGate then you might miss out on the IP address filed in the log message.

 

If the log doesn't contain or misses the key-value pair (for example, remip=5.153.183.36), then the action will be null. 

 

Hope that helps, 

 

Kind Regards, 

Bijay Prakash Ghising

 

 

Ghising
Ghising
Labels
Top Kudoed Authors