Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Bgoines
New Contributor

Created on ‎08-29-2014 08:18 AM

List of IP Addresses

I was recently given a list of IP Addresses from the NCUA (Credit Union version of the FDIC) that may be associated with a series of intrusion activities against the financial sector. Is there somewhere in the Fortigate 100C and 60C that this list can be input/added to block these IP Addresses? Thank you
14617
0 Kudos
6 REPLIES 6
jlozen
New Contributor

Created on ‎08-29-2014 10:04 AM

I don' t know of a super easy way to block a list of specific IPs without going into Policy & Objects > Objects > Addresses and adding them individually by range or subnet. Then creating a a policy to deny those addresses from coming in the WAN port. I don' t believe there is a way to import a list of IPs into one address object.
3632
0 Kudos
Bgoines
New Contributor
In response to jlozen

Created on ‎08-29-2014 10:16 AM

I was afraid of that. The list is pretty long. That can be a lot of manual entries.
3632
0 Kudos
Warren_Olson_FTNT
Staff
Staff

Created on ‎08-29-2014 10:53 AM

You can script it...I would recommend something along the following: 1. Have your list of ips with each IP/subnet on its' own line 2. Using scripting language of your choice, loop through the contents, ie(bash) #!/bin/bash for i in $(cat $1); do echo " edit $i" echo " set subnet $i" echo " next" done 3. Run the above script with your filename as the argument and it will create an output like this which you can just pipe into another file: edit 1.1.1.1/32 set subnet 1.1.1.1/32 next edit 2.2.2.2/32 set subnet 2.2.2.2/32 next edit 3.3.3.3/32 set subnet 3.3.3.3/32 next edit 4.4.4.0/24 set subnet 4.4.4.0/24 next etc, etc Not the fanciest solution but would at least allow you to get them added in, after this just get into a CLI window and do " config firewall address" and paste in the contents of the output to create them all.
3632
0 Kudos
ede_pfau
Esteemed Contributor III

Created on ‎09-01-2014 03:01 AM

I once had to block a long list of IP addresses which where gathered from a hostsdeny process (unsuccessful login attempts). As there were around 4.000 addresses I had to split them up into address groups with 500 addresses each. I wrote a python script to do that, to read and recognize the addresses, to create address groups, to fill them up etc. On a 310B it took some 45 minutes to digest these into the running config, uploaded as bulk script. There really is no other way.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
3633
0 Kudos
emnoc
Esteemed Contributor III

Created on ‎09-01-2014 08:32 AM

You can do Warren suggested, but I would caution you, that the smaller unit have a limit number of address you can install. A SOHO model would easily be limited. What you should do is look at writing a IPS rule building a sensor and apply that imho. Managing a big list of address and blackholing particular ip_address could be a disaster. When I worked in the DDoS environment we tried maintain botnet list for the financial sector and it was hit & miss.

PCNSE 

NSE 

StrongSwan  

3632
0 Kudos
Anand_Prabhu
New Contributor
In response to emnoc

Created on ‎10-03-2018 10:57 AM

This is possible in latest version. Follow this article http://itadminguide.com/fortigate-ip-address-feed/ to configure. You may also download tool from www.firewallfeed.com to easily add/remove/view/bulk upload IP address to feed.

My Personal Blog - www.itadminguide.com

3631
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.