1.- The maximum limit for FortiGate address groups is 300 members. VERY LOW.
If, for example, I want to block all the nodes of the TOR network every night (one of the things I need to implement in Forti), I cannot do it.
2.- In the case of making a "stack", I do not know how to list in the CLI the current IP addresses in a group and get that data into bash to handle loops and conditions.
3.- I cannot "remove" all the IP addresses of a group from the CLI, because it tells me that they are in use (by the policy). If I follow this path, I would have to delete the policy, delete the group, delete the IPs and regenerate it all in the CLI, all of that in bash... something complex. Also, I have the problem of the policy ID, which would not always be the same and which I would have to calculate.
How are you doing this management? That of maintaining an external blacklist for the typical bans of bots, port scans, etc.
Sounds like a complex situation, and one where a bug in the script could leave you locked out.
Just a thought on #3, though. What if instead of using a regular security policy to block the various IPs you instead used local-in policies? That would mean less overhead for the FortiGate, and I think (though I'm not sure) you could remove the local-in policies before deleting or changing the groups they referred to. Your scripts would need to keep track of the specific policy numbers they created.
Local-in policies control traffic with destination "FortiGate", not traffic flowing through the FGT. So no option here.
I implemented what you're planning a couple of years ago, in Python. Input was a list of IPs to block from hostsdeny. Yes, there are limits of addresses per group, depending on the hardware used (the FGT model). And there's a limit for the total number of address objects.
You get around these limits by using groups in groups.
I found I could not 'read' the actual content of the blocking address group. So, I kept the last input and used it to delete all the addresses before creating the new ones. All in CLI, that is, using batch command.
Don't worry about deleting all addresses in a group: I introduced a 'dummy' address which will always remain, so the address group is never totally depopulated.
The blocking policy only needs to be set up once and never changes. Source address is the super-group of address groups generated.
IIRC the final list held about 4.000 addresses and reading it in took 40 minutes on a 310B, running v4.3.
So now you know it can be done.
I should publish the Python script on my website... time's lacking.
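The approach described in the post above (groups in groups, a dummy member that never leaves, the previous run's list kept to drive deletions, everything emitted as one CLI batch) as an added example; this is not the poster's script. It assumes the object and group name prefixes shown, a documentation-range address for the dummy, and that the deny policy referencing the super-group was created once by hand.

```python
import ipaddress
import math

GROUP_LIMIT = 300          # per-group member cap quoted in the thread (model dependent)
DUMMY = "blk-dummy"        # member that is never removed, so no group is ever emptied
DUMMY_SUBNET = "192.0.2.1 255.255.255.255"   # constructed: RFC 5737 documentation address
SUPER = "blk-super"        # the one group the static deny policy references (assumed name)

def obj_name(ip):
    return "blk-" + ip.replace(".", "-")

def normalise(ips):
    """Validate, de-duplicate and sort IPv4 addresses; a bad entry raises ValueError."""
    return sorted({str(ipaddress.IPv4Address(i.strip())) for i in ips if i.strip()},
                  key=ipaddress.IPv4Address)

def build_batch(new_ips, old_ips, limit=GROUP_LIMIT):
    """Return FortiOS CLI text that moves the unit from old_ips to new_ips.

    old_ips is the list kept from the previous run, since group contents cannot
    be read back.  Order matters: create objects, re-set sub-groups and the
    super-group, drop unreferenced sub-groups, and only then delete stale
    objects (deleting them earlier fails because they are still in use).
    """
    new, old = normalise(new_ips), normalise(old_ips)
    if not new:
        raise ValueError("refusing to generate an empty blocklist")
    size = limit - 1                                 # keep one slot for the dummy
    groups = [new[i:i + size] for i in range(0, len(new), size)]
    old_groups = math.ceil(len(old) / size)
    out = ["config firewall address",
           f'    edit "{DUMMY}"', f"        set subnet {DUMMY_SUBNET}", "    next"]
    for ip in new:                                   # 'edit' creates or updates, so reruns are safe
        out += [f'    edit "{obj_name(ip)}"', f"        set subnet {ip} 255.255.255.255", "    next"]
    out += ["end", "config firewall addrgrp"]
    for n, grp in enumerate(groups):                 # 'set member' replaces the whole member list
        members = " ".join(f'"{m}"' for m in [DUMMY] + [obj_name(ip) for ip in grp])
        out += [f'    edit "{SUPER}-{n}"', f"        set member {members}", "    next"]
    members = " ".join(f'"{SUPER}-{n}"' for n in range(len(groups)))
    out += [f'    edit "{SUPER}"', f"        set member {members}", "    next"]
    for n in range(len(groups), old_groups):         # sub-groups the super-group no longer uses
        out.append(f'    delete "{SUPER}-{n}"')
    out += ["end", "config firewall address"]
    keep = set(new)
    for ip in old:                                   # stale objects are unreferenced by now
        if ip not in keep:
            out.append(f'    delete "{obj_name(ip)}"')
    return "\n".join(out + ["end"]) + "\n"
```

Feed the returned text to the FortiGate as a batch and save the new list as next run's old_ips; a run that raises on bad input leaves the unit untouched.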
Before answering: what is the "position" or OFFICIAL FORTIGATE technique to maintain an external blacklist? It's not that weird. It's another matter that people don't do it, but in my security work and with other manufacturers it is very simple... That said:
Thanks for the help.
I am making a bash script so that every time an entry is made I keep it in a list.
A loop that does a count and then deletes the entries from the list, but I have problems with removing an IP from a group.