Every couple minutes I query a few endpoints to gather a list of ipv4 public addresses for all of our remote work employees. These employees often travel and have ISPs that issue dynamic addresses, so this list will be dynamic.
I'm hesitant in creating a address group because this could be several thousand addresses. Not only that, address groups touch the firewall ssd/hdd drive so I worry that modifying addresses groups once a minute could be a heavy task on the firewall.
I'm wanting to use the External Connector Threat IP Feed as a whitelist on our SSLVPN portal. In the event that the .txt file can't be retrieved, this would need to fail open (allow all). I've tried forcing it to fail (changing the endpoint so it'll time out), but the log doesn't indicate it failed, thus I'm not able to use the Automation feature.
Any ideas on this?
I am just trying to understand the requirement in a better way, when you say you are querying end points public address , they are already connected successfully to the VPN. What can the whitelist do now, as the users are already authenticated/connected?
No I'm querying endpoints like the FortiEMS. We manually install the FortiEMS on employee computers, so the public ip addresses that are successfully registered to the FortiEMS are the addresses that I want to use in this white list. All I have to do is query the FortiEMS to get a list of active client addresses.
Dear Alanrs,
I believe using the external connector IP address threat feed should be feasible to utilize a dynamic list for your whitelist. Then in the event that the FortiGate failed to retrieve/update its thread feed, you can set an automation to allow all IPs into your SSLVPN instead.
The idea is to configure a trigger event ID 22221 (Threat feed update failed), then set an action to modify the "source-address" of the SSLVPN settings via CLI to "any".
I hope I understood your query.
Regards,
Denice
Q address groups touch the firewall ssd/hdd drive so I worry that modifying addresses groups once a minute could be a heavy task on the firewall.
Sol: This option is not resource-intensive and you can build the address group(s) . Firewall CPU and memory consumption can be monitored after the implementation.
However, you can still use the threat feed along with the custom IP group that can be built using something similar to this article.
In case the threat feed fails, you can use your custom block list build by using the following article
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.