FortiAnalyzer show or report Banned IP from FortiGate IPS Sensor (Quarantine action).
Is there a way to show banned IP addresses from the FortiGate IPS sensor on FAZ and to create a report of them?
I don't have access to the FortiGate, so I can only see what's going on through FAZ.
Thanks in advance!
Hello,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hey ledinscic,
I'm not terribly up to date on the matter, but I believe you should be able to see banned/quarantined IPs from FortiGate in FortiAuthenticator SoC/NoC section somewhere.
You might need a Security Fabric integration for this to work properly.
If the FortiGate is only logging to FortiAnalyzer, but not participating in Security Fabric, then there might be log messages about IPs being banned; if they exist, then probably under System Events.
In the FortiOS log reference, I found reference to two log messages, 43776 and 43777, NAC Quarantine and NAC Anomaly Quarantine, for banned IPs, but I couldn't determine if those logs are generated when an IP is banned manually, or only banned based on some rules.
If you can determine what log ID is generated when an IP is banned, you can then set up a report on FortiAnalyzer filtering on that log ID.
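The approach in this reply (find the log ID that the quarantine generates, then build a report that filters on it) can be prototyped offline on exported FortiGate event logs before it is turned into a FortiAnalyzer report. The following is an added example, not code from the thread or from Fortinet: it parses FortiOS key=value log lines, keeps only the lines whose logid carries message ID 43776 or 43777 (the two IDs named above), and summarises them per IP. The sample log lines are constructed; the 10-digit logid prefix, the `srcip` field name and the addresses are assumptions, and the code assumes the message ID is the last six digits of the logid.

```python
import re
from collections import defaultdict

# Constructed FortiGate event-log lines in the key=value export format.
# Only the trailing message IDs 43776 (NAC Quarantine) and 43777
# (NAC Anomaly Quarantine) come from the thread; the 10-digit logid prefix,
# the field names and the addresses are assumptions made for this example.
SAMPLE_LOGS = [
    'date=2024-05-01 time=10:00:01 logid="0100043776" type="event" subtype="system" level="notice" srcip=203.0.113.10 msg="NAC quarantine"',
    'date=2024-05-01 time=10:00:05 logid="0100032001" type="event" subtype="system" level="information" user="admin" msg="Admin login successful"',
    'date=2024-05-01 time=10:05:00 logid="0100043777" type="event" subtype="system" level="warning" srcip=198.51.100.7 msg="NAC anomaly quarantine"',
    'date=2024-05-01 time=11:30:00 logid="0100043776" type="event" subtype="system" level="notice" srcip=203.0.113.10 msg="NAC quarantine"',
    'date=2024-05-01 time=11:31:12 logid="0000000013" type="traffic" subtype="forward" srcip=203.0.113.10 dstip=192.0.2.5 action="deny"',
]

# Message IDs the thread identifies as the candidate "IP banned" events.
QUARANTINE_MSG_IDS = {43776, 43777}

# key=value pairs; a value is either a double-quoted string (which may
# contain spaces) or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line):
    """Parse one FortiOS key=value log line into a dict, stripping quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def message_id(logid):
    """Return the message-ID part of a logid, or None if it is malformed.

    Assumption: the last six digits of the 10-digit logid are the message ID
    listed in the FortiOS log reference (e.g. ...043776 -> 43776).
    """
    if len(logid) < 6 or not logid[-6:].isdigit():
        return None
    return int(logid[-6:])


def quarantine_events(lines):
    """Keep only lines whose logid matches one of the quarantine message IDs."""
    return [f for f in map(parse_log_line, lines)
            if message_id(f.get("logid", "")) in QUARANTINE_MSG_IDS]


def banned_ip_report(lines, ip_field="srcip"):
    """Summarise quarantine events per IP: count, first/last seen, message IDs.

    Returns a list of dicts sorted by count (descending) and then by IP.
    """
    summary = defaultdict(lambda: {"count": 0, "first_seen": None,
                                   "last_seen": None, "msg_ids": set()})
    for f in quarantine_events(lines):
        ip = f.get(ip_field)
        if ip is None:
            continue  # a quarantine log without the expected IP field
        # ISO date + 24h time compare correctly as plain strings
        seen = f"{f.get('date', '')} {f.get('time', '')}".strip()
        entry = summary[ip]
        entry["count"] += 1
        entry["msg_ids"].add(message_id(f["logid"]))
        if entry["first_seen"] is None or seen < entry["first_seen"]:
            entry["first_seen"] = seen
        if entry["last_seen"] is None or seen > entry["last_seen"]:
            entry["last_seen"] = seen
    rows = [{"ip": ip, **data} for ip, data in summary.items()]
    rows.sort(key=lambda r: (-r["count"], r["ip"]))
    return rows


if __name__ == "__main__":
    for row in banned_ip_report(SAMPLE_LOGS):
        print(f"{row['ip']:16} count={row['count']} first={row['first_seen']} "
              f"last={row['last_seen']} msgids={sorted(row['msg_ids'])}")
```

Once the real logid confirmed on the FortiAnalyzer side is known, the same filter (logid in the quarantine set, grouped by source IP with first/last seen and a count) is what the report dataset needs to express; running it first over an export makes it easy to check that the expected events are actually reaching FAZ at all, which is the failure mode discussed later in this thread.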
Hello,
Well, the FortiGate is logging to FortiAnalyzer, and I have also found those 43776 and 43777 in the documentation, but there is no event in FAZ regarding these codes, nor the other words you mentioned.
The FOC team sent me this image (I don't have access to the FG), which precedes the quarantine (I think), but I also cannot find those Attack IDs on FAZ:
It would be very helpful for us to have info regarding banned/quarantined IPs because we have a large number of outlets where we have this combination of FG and FAZ.
Can you please help with how to achieve that? Many thanks for your effort.
Hey ledinscic,
If you can't even find those attack logs on FortiAnalyzer, then there's very little we can do; I would suspect some logs might be missing on Analyzer then, or are not sent by FortiGate?
In that case, I would suggest opening a ticket with Technical Support to dig into what is going on between FortiGate and FortiAnalyzer.
As I mentioned above, I don't know what logs a FortiGate would generate when an IP is quarantined manually, and setting up a lab to test this would be quite an undertaking.
I can only suggest that you reach out to whoever manages the FortiGate in question, get an exact time they quarantined an IP, and then check the event logs on FortiAnalyzer (System Events, perhaps also Endpoint/Switch-Controller) to see if you can find any log message for the IP being banned/quarantined, and then go from there.
BTW, if I may suggest, in FAZ there should be a predefined menu, e.g. Monitor/Banned IP, as there is in FortiGate; that would solve all problems, and this info is also important for those of us who have only FAZ at our disposal for logs and reports.
Copyright 2024 Fortinet, Inc. All Rights Reserved.