List of IP Addresses
I was recently given a list of IP Addresses from the NCUA (Credit Union version of the FDIC) that may be associated with a series of intrusion activities against the financial sector. Is there somewhere in the Fortigate 100C and 60C that this list can be input/added to block these IP Addresses?
Thank you
6 REPLIES
I don't know of a super easy way to block a list of specific IPs without going into Policy & Objects > Objects > Addresses and adding them individually by range or subnet, then creating a policy to deny those addresses from coming in the WAN port. I don't believe there is a way to import a list of IPs into one address object.
I was afraid of that. The list is pretty long. That can be a lot of manual entries.
You can script it...I would recommend something along the following:
1. Have your list of IPs with each IP/subnet on its own line
2. Using the scripting language of your choice, loop through the contents, i.e. (bash):
#!/bin/bash
# Read one IP or subnet per line from the file given as $1 and print
# the FortiOS "edit / set subnet / next" stanza for each entry
while IFS= read -r i; do
  echo "edit $i"
  echo "set subnet $i"
  echo "next"
done < "$1"
3. Run the above script with your filename as the argument and it will create an output like this which you can just pipe into another file:
edit 1.1.1.1/32
set subnet 1.1.1.1/32
next
edit 2.2.2.2/32
set subnet 2.2.2.2/32
next
edit 3.3.3.3/32
set subnet 3.3.3.3/32
next
edit 4.4.4.0/24
set subnet 4.4.4.0/24
next
etc, etc
Not the fanciest solution, but it would at least allow you to get them added in. After this, just get into a CLI window, enter "config firewall address" and paste in the contents of the output to create them all.
I once had to block a long list of IP addresses which were gathered from a hosts.deny process (unsuccessful login attempts). As there were around 4,000 addresses I had to split them up into address groups with 500 addresses each.
I wrote a python script to do that, to read and recognize the addresses, to create address groups, to fill them up etc.
On a 310B it took some 45 minutes to digest these into the running config, uploaded as bulk script.
There really is no other way.
Ede Kernel panic: Aiee, killing interrupt handler!
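As an added example (not code from this thread, from Fortinet, or from Ede's script), here is a fuller version of the generator Warren sketches above: it validates each entry, turns bare IPs into /32 objects, and chunks the objects into address groups of a fixed size as Ede describes, so the whole list can be referenced from one deny policy. The file path, the sample entries, the "blk_" object names and the group prefix are assumptions of the example.

```shell
#!/bin/sh
# Constructed sample list (not from the thread): one IP or CIDR per line; blank
# lines and '#' comments are allowed. Point LIST at the real file instead.
LIST="${LIST:-/tmp/ncua_blocklist.txt}"
printf '%s\n' '# sample' '1.1.1.1' '2.2.2.2/32' '4.4.4.0/24' 'not-an-ip' '10.0.0.256' > "$LIST"

# valid_cidr ADDR: succeed only for a dotted-quad IPv4 address, optionally with a /0-32 prefix.
valid_cidr() {
  ip=${1%%/*}; pfx=${1#*/}
  [ "$pfx" = "$1" ] && pfx=32
  case $pfx in ''|*[!0-9]*|???*) return 1 ;; esac
  [ "$pfx" -le 32 ] || return 1
  printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for octet in $(printf '%s' "$ip" | tr . ' '); do
    [ "$octet" -le 255 ] || return 1
  done
}
# flush_group: append one addrgrp stanza for the members collected so far, then reset.
flush_group() {
  [ -n "$members" ] || return 0
  group=$((group + 1))
  grp_cfg="$grp_cfg    edit \"blk_group_$group\"
        set member$members
    next
"
  members=""; count=0
}
# gen_config FILE [MAX]: print FortiOS CLI that creates one address object per valid
# entry (bare IPs become /32) and address groups of at most MAX members (default 500),
# ready to paste into the CLI or upload as a bulk script. Invalid lines go to stderr.
gen_config() {
  list=$1; max=${2:-500}; members=""; count=0; group=0; grp_cfg=""
  echo "config firewall address"
  while IFS= read -r entry || [ -n "$entry" ]; do
    entry=$(printf '%s' "$entry" | sed 's/#.*//; s/[[:space:]]//g')
    [ -n "$entry" ] || continue
    valid_cidr "$entry" || { echo "skipping invalid entry: $entry" >&2; continue; }
    case $entry in */*) ;; *) entry="$entry/32" ;; esac
    name="blk_${entry%/*}_${entry#*/}"
    printf '    edit "%s"\n        set subnet %s\n    next\n' "$name" "$entry"
    members="$members \"$name\""; count=$((count + 1))
    [ "$count" -lt "$max" ] || flush_group
  done < "$list"
  flush_group
  printf 'end\nconfig firewall addrgrp\n%send\n' "$grp_cfg"
}
# Group size 2 here only so the small sample shows the chunking; use 500 for a real list.
gen_config "$LIST" 2
```

Redirect the output to a file and either paste it into the CLI or upload it as a script; the two invalid sample lines are reported on stderr and never reach the config.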
You can do as Warren suggested, but I would caution you that the smaller units have a limited number of addresses you can install. A SOHO model would easily be limited.
What you should do is look at writing an IPS rule, building a sensor and applying that, imho. Managing a big list of addresses and blackholing particular ip_addresses could be a disaster.
When I worked in the DDoS environment we tried to maintain botnet lists for the financial sector and it was hit & miss.
PCNSE
NSE
StrongSwan
This is possible in the latest version. Follow this article http://itadminguide.com/fortigate-ip-address-feed/ to configure it. You may also download a tool from www.firewallfeed.com to easily add/remove/view/bulk upload IP addresses to the feed.
My Personal Blog - www.itadminguide.com