Bgoines
New Contributor

List of IP Addresses

I was recently given a list of IP Addresses from the NCUA (Credit Union version of the FDIC) that may be associated with a series of intrusion activities against the financial sector. Is there somewhere in the Fortigate 100C and 60C that this list can be input/added to block these IP Addresses? Thank you
6 REPLIES
jlozen
New Contributor

I don't know of a super easy way to block a list of specific IPs without going into Policy & Objects > Objects > Addresses and adding them individually by range or subnet, then creating a policy to deny those addresses from coming in the WAN port. I don't believe there is a way to import a list of IPs into one address object.
Bgoines
New Contributor

I was afraid of that. The list is pretty long. That can be a lot of manual entries.
Warren_Olson_FTNT

You can script it... I would recommend something along the following:

1. Have your list of IPs with each IP/subnet on its own line.
2. Using the scripting language of your choice, loop through the contents, i.e. (bash):

    #!/bin/bash
    # Emit one FortiOS address entry per line of the file given as $1.
    while IFS= read -r i || [ -n "$i" ]; do
        [ -n "$i" ] || continue   # skip blank lines
        echo "edit $i"
        echo "set subnet $i"
        echo "next"
    done < "$1"

3. Run the above script with your filename as the argument and it will create an output like this, which you can just pipe into another file:

    edit 1.1.1.1/32
    set subnet 1.1.1.1/32
    next
    edit 2.2.2.2/32
    set subnet 2.2.2.2/32
    next
    edit 3.3.3.3/32
    set subnet 3.3.3.3/32
    next
    edit 4.4.4.0/24
    set subnet 4.4.4.0/24
    next

etc, etc

Not the fanciest solution but would at least allow you to get them added in. After this just get into a CLI window and do "config firewall address" and paste in the contents of the output to create them all.
ede_pfau
Esteemed Contributor III

I once had to block a long list of IP addresses which were gathered from a hostsdeny process (unsuccessful login attempts). As there were around 4.000 addresses I had to split them up into address groups with 500 addresses each. I wrote a Python script to do that, to read and recognize the addresses, to create address groups, to fill them up etc. On a 310B it took some 45 minutes to digest these into the running config, uploaded as bulk script. There really is no other way.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
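
The approach from the two replies above as one Python script, added here as an example and not code from either poster: it validates and de-duplicates the list, then emits FortiOS address objects plus address groups. The `blk` name prefix, the `_` used in object names and the sample input are assumptions; the group size of 500 is the figure from the post above, and object limits vary by model.

```python
import ipaddress

# Constructed sample input; a real list has one IP or subnet per line.
SAMPLE = """\
1.1.1.1
2.2.2.2/32
4.4.4.7/24
# comment line
not-an-ip
1.1.1.1/32
"""

def parse(lines):
    """Return (unique IPv4 networks in input order, rejected lines)."""
    nets, bad, seen = [], [], set()
    for raw in lines:
        text = raw.split("#", 1)[0].strip()
        if not text:
            continue
        try:
            # strict=False normalises 4.4.4.7/24 to 4.4.4.0/24 instead of failing
            net = ipaddress.IPv4Network(text, strict=False)
        except ValueError:
            bad.append(text)  # report bad entries, never paste them into the CLI
            continue
        if net not in seen:
            seen.add(net)
            nets.append(net)
    return nets, bad

def fortios_script(nets, prefix="blk", group_size=500):
    """Build address objects plus address groups of at most group_size members."""
    # Hypothetical naming scheme: blk-<network>_<prefixlen>
    names = [f"{prefix}-{n.network_address}_{n.prefixlen}" for n in nets]
    out = ["config firewall address"]
    for name, net in zip(names, nets):
        out += [f'    edit "{name}"',
                f"        set subnet {net.network_address} {net.netmask}",
                "    next"]
    out += ["end", "config firewall addrgrp"]
    for g, start in enumerate(range(0, len(names), group_size), 1):
        members = " ".join(f'"{m}"' for m in names[start:start + group_size])
        out += [f'    edit "{prefix}-grp{g}"', f"        set member {members}", "    next"]
    out.append("end")
    return "\n".join(out)

if __name__ == "__main__":
    nets, bad = parse(SAMPLE.splitlines())
    print(fortios_script(nets, group_size=2))
    print("# rejected:", bad)
```

The resulting groups can then be referenced as the source in a deny policy on the WAN interface, as described in the first reply.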
emnoc
Esteemed Contributor III

You can do what Warren suggested, but I would caution you that the smaller units have a limited number of addresses you can install. A SOHO model would easily be limited. What you should do is look at writing an IPS rule, building a sensor and applying that, imho. Managing a big list of addresses and blackholing particular ip_address could be a disaster. When I worked in the DDoS environment we tried to maintain a botnet list for the financial sector and it was hit & miss.

PCNSE 

NSE 

StrongSwan  

Anand_Prabhu

This is possible in the latest version. Follow this article http://itadminguide.com/fortigate-ip-address-feed/ to configure. You may also download a tool from www.firewallfeed.com to easily add/remove/view/bulk upload IP addresses to the feed.

My Personal Blog - www.itadminguide.com
