I would like to leverage the automation in Security Fabric to ban IPs that are trying to connect with the username "administrator". I've made a trigger with the event "SSL VPN login fail" with the field filter user:administrator:
I've then created an IP Ban Action, that looks like this:
The problem is, I can't stitch the trigger with the action to create an automation stitch. When I go to select the Action, it doesn't appear in the list:
Does anyone know what I do wrong and how I could achieve banning an IP, if there is a connection attempt with a certain user name?
Thank you for your response and the link. Hmm, that's too bad.
Do you know how I could block the IPs that try to connect with the user administrator in an automated manner? Of course I could write scripts that parse these events and create objects that I put in a rule that denies the traffic, but that would create so many unnecessary objects that I would like to avoid that.
I see you can call the IP-BAN action along with a FortiAnalyzer event handler as trigger. I have not tested this, but can you try creating an event handler on your FortiAnalyzer for VPN login failures and then use that in the FGT stitch?
Thank you for your suggestion. Unfortunately we don't have a FortiAnalyzer, so that isn't an option for me.
I've done it in a (suboptimal) way.
I download the events that contain the message "SSL user failed to logged in" from the FortiGate logs and then run this Python script. It prints the commands that I can run on the firewall to ban the IPs indefinitely.
vpn_events_file_path = "/mnt/c/temp/vpn_events.log"
banned_ips = []

def find_between(s, first, last):
    # Return the substring of s between the markers first and last
    start = s.index(first) + len(first)
    end = s.index(last, start)
    return s[start:end]

with open(vpn_events_file_path, "r") as events:
    lines = events.readlines()

for line in lines:
    if 'user="administrator"' in line:
        remip = find_between(line, 'remip=', ' user')
        if remip not in banned_ips:
            banned_ips.append(remip)

# Print one quarantine command per unique source IP
for item in banned_ips:
    ban_config = 'diagnose user quarantine add src4 ' + item + ' indefinite admin'
    print(ban_config)
I'll probably do this manually every day until I either implement a FortiAnalyzer or find a better way to do it.
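A more robust take on the same idea, added here as an example and not code from the thread: it tokenises FortiGate key=value log lines (quoted values may contain spaces, and field order does not matter), counts SSL VPN login failures per source IP for the given user, and emits the same quarantine command for every IP at or above a failure threshold. The sample log lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample FortiGate event log lines (not real logs). The key=value
# layout and quoting follow the FortiGate format; the msg text is the one
# quoted in the thread. Note the third line has remip and user swapped.
SAMPLE_LOG = """\
date=2024-01-10 time=08:00:01 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="administrator" msg="SSL user failed to logged in"
date=2024-01-10 time=08:00:04 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="administrator" msg="SSL user failed to logged in"
date=2024-01-10 time=08:00:09 type="event" subtype="vpn" action="ssl-login-fail" user="administrator" remip=198.51.100.7 msg="SSL user failed to logged in"
date=2024-01-10 time=08:01:00 type="event" subtype="vpn" action="ssl-login-fail" remip=192.0.2.10 user="jdoe" msg="SSL user failed to logged in"
date=2024-01-10 time=08:02:00 type="event" subtype="vpn" action="ssl-login-ok" remip=192.0.2.20 user="administrator" msg="SSL tunnel established"
"""

# One key=value pair: the value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_fortigate_line(line):
    """Return a dict of all key=value fields found in one FortiGate log line."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}

def failed_logins_by_ip(log_text, username, fail_msg="SSL user failed to logged in"):
    """Count SSL VPN login failures per source IP (remip) for the given username."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_fortigate_line(line)
        if fields.get("user") == username and fields.get("msg") == fail_msg:
            if "remip" in fields:
                counts[fields["remip"]] += 1
    return counts

def quarantine_commands(counts, min_failures=1):
    """Build the FortiGate CLI command from the thread for each IP at or above the threshold."""
    return [f"diagnose user quarantine add src4 {ip} indefinite admin"
            for ip, n in sorted(counts.items()) if n >= min_failures]

if __name__ == "__main__":
    for cmd in quarantine_commands(failed_logins_by_ip(SAMPLE_LOG, "administrator")):
        print(cmd)
```

Raising min_failures avoids quarantining an IP on a single typo while still catching repeated attempts against the same account.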