I was recently given a list of IP Addresses from the NCUA (Credit Union version of the FDIC) that may be associated with a series of intrusion activities against the financial sector. Is there somewhere in the Fortigate 100C and 60C that this list can be input/added to block these IP Addresses?
I don't know of a super easy way to block a list of specific IPs without going into Policy & Objects > Objects > Addresses and adding them individually by range or subnet. Then creating a policy to deny those addresses from coming in the WAN port. I don't believe there is a way to import a list of IPs into one address object.
You can script it... I would recommend something along the following:
1. Have your list of IPs with each IP/subnet on its own line
2. Using the scripting language of your choice, loop through the contents, i.e. (bash):

```bash
#!/bin/bash
# Read one IP or subnet per line and print a FortiGate address object stanza for each
for i in $(cat "$1"); do
  echo "edit $i"
  echo "set subnet $i"
  echo "next"
done
```
3. Run the above script with your filename as the argument and it will create an output like this, which you can just pipe into another file:

```
set subnet 22.214.171.124/32
set subnet 126.96.36.199/32
set subnet 188.8.131.52/32
set subnet 184.108.40.206/24
```

Not the fanciest solution but would at least allow you to get them added in; after this just get into a CLI window, do `config firewall address` and paste in the contents of the output to create them all.
I once had to block a long list of IP addresses which were gathered from a hosts.deny process (unsuccessful login attempts). As there were around 4,000 addresses I had to split them up into address groups with 500 addresses each.
I wrote a python script to do that, to read and recognize the addresses, to create address groups, to fill them up etc.
On a 310B it took some 45 minutes to digest these into the running config, uploaded as bulk script.
There really is no other way.
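An added example (not code from this thread or from any poster), in Python like the script described above, combining the two suggestions: parse a file of IPs/CIDRs, emit `config firewall address` entries, and chunk the objects into address groups of at most 500 members. The `blocklist` name prefix, group size and sample addresses are assumptions.

```python
# Added example: build FortiGate CLI for an IP/CIDR blocklist and group the
# objects into address groups of at most GROUP_SIZE members (assumed cap).
import ipaddress

GROUP_SIZE = 500          # per-group cap mentioned in the thread (assumption)
PREFIX = "blocklist"      # hypothetical name prefix for objects and groups


def parse_entries(lines):
    """Return unique IPv4 networks; skip blanks, comments and malformed entries."""
    nets, seen = [], set()
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)  # bare IP becomes /32
        except ValueError:
            continue                            # not an IP or CIDR, leave it out
        if net.version != 4 or net in seen:
            continue
        seen.add(net)
        nets.append(net)
    return nets


def build_config(nets, group_size=GROUP_SIZE, prefix=PREFIX):
    """Emit address objects, then address groups holding at most group_size each."""
    out, names = ["config firewall address"], []
    for net in nets:
        name = f"{prefix}_{net.network_address}_{net.prefixlen}"
        names.append(name)
        out += [f'    edit "{name}"', f"        set subnet {net.with_prefixlen}", "    next"]
    out += ["end", "config firewall addrgrp"]
    for i in range(0, len(names), group_size):
        members = " ".join(f'"{n}"' for n in names[i:i + group_size])
        out += [f'    edit "{prefix}_grp{i // group_size + 1}"',
                f"        set member {members}", "    next"]
    out.append("end")
    return "\n".join(out) + "\n"


# Constructed sample input (documentation ranges), not a real indicator list
SAMPLE = """198.51.100.7
203.0.113.0/24   # one subnet
not-an-ip
198.51.100.7
"""

if __name__ == "__main__":
    print(build_config(parse_entries(SAMPLE.splitlines())))
```

Pipe the output into a file and load it as a bulk script, or paste it into a CLI window as described above.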
You can do what Warren suggested, but I would caution you that the smaller units have a limited number of addresses you can install. A SOHO model would easily be limited.
What you should do is look at writing an IPS rule, building a sensor and applying that, imho. Managing a big list of addresses and blackholing particular IP addresses could be a disaster.
When I worked in the DDoS environment we tried to maintain a botnet list for the financial sector and it was hit & miss.