joaquin_molina
New Contributor

Manage blacklist in CLI

First of all, thanks for the help.

 

I do not use Fortinet much, but I have a problem handling a simple Blacklist.

 

My idea is to connect SIEM, Fail2ban, TOR exit nodes and other internal systems to Fortigate via SSH. Create a policy, a group of addresses and run, as is done with other manufacturers.

I've put together a script that does that: you pass it an IP, and it creates it as an object and puts it in a group:

 

https://github.com/kinomakino/Ban-ip-Bash-Scripts/blob/master/ban_fortinet.sh

 

Now I have several problems:

 

1. The maximum limit for FortiGate address groups is 300. VERY LOW.

If, for example, I want to block all the TOR exit nodes every night (one of the things I need to implement in Forti), I cannot do it.

 

2. In the case of making a "stack", I do not know how to list the current IP addresses in a group from the CLI and get that data into bash to handle loops and conditions.

 

3. I cannot "remove" all the IP addresses of a group from the CLI, because it tells me that they are in use (by the policy). If I follow this path, I would have to delete the policy, delete the group, delete the IPs and regenerate it all in the CLI, all of that in bash ... something complex. Also, I have the problem of the policy ID, which would not always be the same and which I would have to work out.

 

How are you handling this? I mean maintaining an external blacklist for the typical bans of bots, port scans, etc.

Thanks for all !!!

tanr
Valued Contributor II

Sounds like a complex situation, and one where a bug in the script could leave you locked out.

 

Just a thought on #3, though. What if, instead of using a regular security policy to block the various IPs, you instead used local-in policies? That would mean less overhead for the FortiGate, and I think (though I'm not sure) you could remove the local-in policies before deleting or changing the groups they referred to. Your scripts would need to keep track of the specific policy numbers they created.

 

Note that incorrectly set local-in policies can leave you even more locked out of the system; I personally would not want to write a script that would change them. You can search the forums for references about local-in policy. Basic documentation at http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-firewall-52/Concepts/Security%20Polic....

 

ede_pfau
Esteemed Contributor III

@tanr:

Local-in policies control traffic with destination "FortiGate", not traffic flowing through the FGT. So no option here.

 

I implemented what you're planning a couple of years ago, in Python. Input was a list of IPs to block from hosts.deny. Yes, there are limits on addresses per group, depending on the hardware used (the FGT model). And there's a limit for the total number of address objects.

You get around these limits by using groups in groups.

I found I could not 'read' the actual content of the blocking address group. So, I kept the last input and used it to delete all the addresses before creating the new ones. All in CLI, that is, using batch command.

Don't worry about deleting all addresses in a group: I introduced a 'dummy' address which will always remain so the address group never is totally depopulated.

The blocking policy only needs to be set up once and never changes. Source address is the super-group of address groups generated.

IIRC the final list held about 4,000 addresses and reading it in took 40 minutes on a 310B, running v4.3.

So now you know it can be done.

 

I should publish the Python script on my website...time's lacking.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
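The approach in the reply above (sub-groups nested in one super-group to get around the per-group limit, a dummy address so no group is ever depopulated, and the previous run's list used to delete the stale objects before the new ones are created), together with the bash workflow the original post asks about, as one added example. This script is not from the thread, the linked ban_fortinet.sh or Ede's Python script: it only generates the FortiOS CLI batch text on stdout, and every name (blk, blk_all, blk_dummy), the 300-member chunk size and the dummy address are assumptions for illustration. Whether nested address groups are accepted, and the real per-group limit, depend on the FortiOS version and model, so check both before relying on it.

```shell
#!/bin/sh
# Added example (not from the thread or its linked scripts): generate a FortiOS
# CLI batch that rebuilds a blocklist from nested address groups.
# All names, the chunk size and the dummy address below are assumptions.

PREFIX="blk"            # assumed prefix for generated object and group names
SUPER="blk_all"         # assumed super-group; the one-time blocking policy uses it as srcaddr
CHUNK=300               # members per sub-group incl. the dummy; 300 is quoted in the thread, check your model
DUMMY="blk_dummy"       # assumed placeholder object that keeps every group populated
DUMMY_IP="192.0.2.1"    # constructed value from the RFC 5737 documentation range

# Object name for an IP, e.g. 203.0.113.10 -> blk_203.0.113.10
addr_name() { printf '%s_%s\n' "$PREFIX" "$1"; }

# Sub-groups needed for N addresses: ceil(N / (CHUNK-1)), at least 1
groups_needed() {
  n=$1; per=$((CHUNK - 1))
  if [ "$n" -le 0 ]; then echo 1; else echo $(( (n + per - 1) / per )); fi
}

# Write constructed sample inputs (one IPv4 per line) into DIR: new.txt and old.txt
write_samples() {
  printf '%s\n' 203.0.113.10 203.0.113.11 203.0.113.12 198.51.100.5 > "$1/new.txt"
  printf '%s\n' 198.51.100.5 198.51.100.7 > "$1/old.txt"
}

# gen_batch NEWLIST OLDLIST -> FortiOS CLI batch on stdout (OLDLIST = previous run's list)
gen_batch() {
  new=$1; old=$2; per=$((CHUNK - 1))
  newcount=$(grep -c . "$new" || true)
  oldcount=$(grep -c . "$old" 2>/dev/null || true); oldcount=${oldcount:-0}
  ngroups=$(groups_needed "$newcount"); ogroups=$(groups_needed "$oldcount")
  maxgroups=$ngroups
  if [ "$ogroups" -gt "$maxgroups" ]; then maxgroups=$ogroups; fi

  # 1. The dummy object must exist before any group references it
  printf 'config firewall address\n  edit "%s"\n    set subnet %s 255.255.255.255\n  next\nend\n' "$DUMMY" "$DUMMY_IP"

  # 2. Collapse every group (old and new) to the dummy, so no address object
  #    is referenced any more, yet no group becomes empty
  echo 'config firewall addrgrp'
  i=1
  while [ "$i" -le "$maxgroups" ]; do
    printf '  edit "%s_g%d"\n    set member "%s"\n  next\n' "$PREFIX" "$i" "$DUMMY"
    i=$((i + 1))
  done
  printf '  edit "%s"\n    set member "%s"\n  next\nend\n' "$SUPER" "$DUMMY"

  # 3. Delete the previous run's address objects (now unreferenced)
  if [ "$oldcount" -gt 0 ]; then
    echo 'config firewall address'
    grep . "$old" | while read -r ip; do printf '  delete "%s"\n' "$(addr_name "$ip")"; done
    echo 'end'
  fi

  # 4. Create the new address objects
  echo 'config firewall address'
  grep . "$new" | while read -r ip; do
    printf '  edit "%s"\n    set subnet %s 255.255.255.255\n  next\n' "$(addr_name "$ip")" "$ip"
  done
  echo 'end'

  # 5. Fill each sub-group with its slice (dummy always first), then point the
  #    super-group at the sub-groups; surplus old sub-groups keep only the dummy
  echo 'config firewall addrgrp'
  supermembers=""
  i=1
  while [ "$i" -le "$ngroups" ]; do
    start=$(( (i - 1) * per + 1 ))
    members=$(grep . "$new" | sed -n "${start},$((start + per - 1))p" \
      | while read -r ip; do printf ' "%s"' "$(addr_name "$ip")"; done)
    printf '  edit "%s_g%d"\n    set member "%s"%s\n  next\n' "$PREFIX" "$i" "$DUMMY" "$members"
    supermembers="$supermembers \"${PREFIX}_g$i\""
    i=$((i + 1))
  done
  printf '  edit "%s"\n    set member%s\n  next\nend\n' "$SUPER" "$supermembers"
}

# Stand-alone demo: sh blocklist.sh demo > batch.txt, then feed batch.txt to the FortiGate CLI
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d); write_samples "$d"; gen_batch "$d/new.txt" "$d/old.txt"; rm -r "$d"
fi
```

The order matters on the device: the groups are reset to the dummy before the old objects are deleted, because FortiOS refuses to delete an address object that a group still references, and the super-group is never emptied, so the blocking policy that references it needs no changes. Keep the dummy in a range that is harmless to block (the example uses a documentation address), since it ends up in the policy's source address like every other member, and keep each run's input file as the OLDLIST for the next run, as the reply describes.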
joaquin_molina

Thank you both for the help.

Before answering: what is the OFFICIAL FORTIGATE "position" or technique for maintaining an external blacklist? It's not that weird. It's another matter that people don't do it, but in my security work and with other manufacturers it is very simple ... That said:

 

joaquin_molina

Thanks. 

Thanks for the help. I am writing a bash script so that every time an entry is made I keep it in a list, with a loop that does a count and then deletes the entries from the list, but I have problems removing an IP from a group.

Would you tell me the command?

Thank you !!!

ede_pfau
Esteemed Contributor III

I've written a page on my website for FortiOS tools and added the 'iplist2forti.py' script for starters.

You can find the page here.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
joaquin_molina

The script is unavailable to download.

thanks a lot

ede_pfau
Esteemed Contributor III

Sorry, I've been working on it, as my CMS prevents downloading .py files. I've renamed it to 'iplist2forti.txt' and it looks like it works now.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
joaquin_molina

Thanks a lot. You are my leader !!!
