Hi,
I wrote a program in the C language. I wanted to know if it is possible to dynamically block IP addresses with the firewall API?
Thanks
Anything is possible if you're creative ;)
We take bad players and push these into a predefined address-group by appending the addressbook with the new address. These are done in a batch format. So yes, you could take addresses from a source (file, SIEM, etc.) and push the address to the firewall and then into the addressbook.
So if you build an addrgrp and a fwpolicy at the top of the stack with a deny action, you can easily add and delete entries in that addrgrp. For the delete, we amend the addrgrp: we copy the address to a delete.txt file that is called up every 24 hours and deletes the bad player address from the group. This allows us to set some type of expiration.
(I know, not applicable) but the Forcepoint NGFW simplifies this by sg-blacklist, and this allows you to set expiration per entry, btw. This is a selling point for that product, and I wish FortiOS would inherit something similar.
So in FortiOS you need to set expiration or do an invert action to remove the entries if you want to set a TTL for the blacklist.
You have to play with scripting for calling out the collection and the API to accomplish the goal.
NOTE: If you do blacklist with automation, make sure you have some safety checks and do not blacklist your own address, and if using fwaddress do it on a /32 prefix. This is from experience and from other customers who always seem to blacklist their own address. Blacklisting a /24 is bad, and especially if it is your own /24 ;)
Ken Felix
PCNSE
NSE
StrongSwan
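Added example, not code from the poster or from Fortinet: the safety checks and 24-hour expiry described in the answer above, as a Python script that vets candidate addresses (single IPv4 hosts only, never the firewall's own prefixes), tracks when each was added, and builds the address-object and address-group request bodies. The protected prefixes and candidate list are constructed values, and the REST paths named in the comments are assumptions; nothing is sent to a firewall.

```python
import ipaddress

# Constructed: the firewall's own addresses/prefixes that must never be blocked.
PROTECTED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "192.0.2.10/32")]
TTL_SECONDS = 24 * 3600  # the daily delete.txt pass from the answer, as a TTL


def vet_candidate(raw, protected=PROTECTED_NETWORKS):
    """Return an IPv4 /32 network for a bad-actor entry, or None if it must not be blocked."""
    try:
        net = ipaddress.ip_network(raw.strip(), strict=False)
    except ValueError:
        return None  # garbage from the feed is dropped, never guessed at
    if net.version != 4 or net.num_addresses != 1:
        return None  # refuse anything wider than a single host (no /24 accidents)
    if any(net.subnet_of(p) for p in protected if p.version == 4):
        return None  # refuse our own addresses
    return net


def build_entries(candidates, now, protected=PROTECTED_NETWORKS):
    """Map vetted candidates to {address-object-name: added_at} for the block list."""
    entries = {}
    for raw in candidates:
        net = vet_candidate(raw, protected)
        if net is not None:
            entries[f"blk_{net.network_address}"] = now
    return entries


def expired(entries, now, ttl=TTL_SECONDS):
    """Names whose TTL has elapsed: the delete.txt list for the next cleanup run."""
    return sorted(name for name, added in entries.items() if now - added >= ttl)


def address_payload(name, net):
    """Body for POST /api/v2/cmdb/firewall/address (assumed FortiOS REST path)."""
    return {"name": name, "type": "ipmask",
            "subnet": f"{net.network_address} {net.netmask}"}


def addrgrp_payload(group_name, member_names):
    """Body for PUT /api/v2/cmdb/firewall/addrgrp/<group_name> (assumed FortiOS REST path)."""
    return {"name": group_name, "member": [{"name": n} for n in sorted(member_names)]}


if __name__ == "__main__":
    feed = ["198.51.100.7", "203.0.113.9", "198.51.100.0/24", "bogus"]  # constructed input
    entries = build_entries(feed, now=0)
    print(addrgrp_payload("bad_players", entries))
```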