We have a number of FortiGate firewalls that we want to create the same Geo Block Group holding a fairly long list of countries to block. We don’t have a FortiManager. Does someone have a script to generate this geo block group on the firewalls from a list of countries? I have found scripts to create a group of IP address but not geo group lists.
Hi,
I am looking at this KB: How to block by country or geolocation - Fortinet Community
Are you after creating a group for these countries that needs to be blocked same as in the link?
1. Go to Policy&Object -> addresses and then select 'create' and 'new address'.
Thank you both for your posts. We have previously created geo block lists using these steps successfully. We would like to find a more efficient way to create these lists. If we have say 50 countries that we would like to include in these lists, and we need to do this on a dozen different firewalls, we are concerned that it may take 30 minutes per firewall, or a total of 6 hours to accomplish this on all firewalls. We would like to be able to create a script that would take a text based list of countries (either the complete country name or the 2 digit country code) and add this in one step to a firewall saving a considerable amount of time.
Our input could look like:
Afghanistan
Aland Islands
Albania
Or it might instead list the country 2 digit codes:
AF
AX
AL
If this works, we would then possibly later modify the block list group by rerunning the script replacing the previous block list group with the newly modified block list group.
Hi @SecurityPlus,
You can copy the configuration from the CLI of one FortiGate to another. You can configure it on one FortiGate and copy the CLI configuration. You need to copy address objects before the address group. For example:
config firewall address
    edit "Angola"
        set type geography
        set country "AO"
    next
end
config firewall addrgrp
    edit "Blocked_countries"
        set member "Angola"
    next
end
Regards,
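As an added example (not code from the thread or from Fortinet), the following script turns a text list of countries, given either as full names or as 2-letter codes as described above, into the CLI block shown in this reply: geography address objects first, then the address group. The country table is a constructed subset and the function and file names are assumptions; in FortiOS, `set member` replaces the whole member list, so re-running the generated config updates an existing group of the same name.

```python
# Added example: generate FortiOS CLI for a geography address group from a
# plain-text country list (names or ISO 3166-1 alpha-2 codes, one per line).

# Constructed subset of ISO 3166-1 alpha-2 codes; extend before real use.
COUNTRIES = {
    "Afghanistan": "AF",
    "Aland Islands": "AX",
    "Albania": "AL",
    "Angola": "AO",
}
CODE_TO_NAME = {code: name for name, code in COUNTRIES.items()}


def resolve(entry):
    """Accept a country name or a 2-letter code; return (name, code) or None."""
    entry = entry.strip()
    if not entry:
        return None  # skip blank lines in the input file
    if len(entry) == 2 and entry.upper() in CODE_TO_NAME:
        code = entry.upper()
        return CODE_TO_NAME[code], code
    for name, code in COUNTRIES.items():
        if name.lower() == entry.lower():
            return name, code
    raise ValueError(f"unknown country: {entry!r}")


def generate_geo_block_config(entries, group_name="Blocked_countries"):
    """Return CLI text: address objects first, then the group that uses them.

    'set member' overwrites the group's member list, so running the output
    again with a changed list replaces the previous group contents.
    """
    pairs = [p for p in (resolve(e) for e in entries) if p]
    lines = ["config firewall address"]
    for name, code in pairs:
        lines += [f'    edit "{name}"', "        set type geography",
                  f'        set country "{code}"', "    next"]
    lines += ["end", "config firewall addrgrp", f'    edit "{group_name}"']
    members = " ".join(f'"{name}"' for name, _ in pairs)
    lines += [f"        set member {members}", "    next", "end"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    import sys
    # Usage (assumed file names): python geo_block.py countries.txt > geo.cli
    with open(sys.argv[1]) as fh:
        sys.stdout.write(generate_geo_block_config(fh.read().splitlines()))
```

The resulting text can be pasted into the CLI of each firewall; unknown entries raise an error rather than silently producing an object with a wrong country code.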
Thanks hbac. This might be a useful solution. I don't know how to copy from one firewall configuration and paste into another firewall configuration. Is there a document that gives further explanation concerning this process? Is it necessary to reboot the firewall onto which we copy this address group?
Would it likewise be possible to replace an existing geo address group titled Blocked_countries with an updated group by the same name?
Hi SecurityPlus
To make things easier, I've created batch files for all countries and offer them on my website:
https://www.beneicke-edv.de/support/tools/#all_countries_addressgroup
You can either go 'white listing' (allow some, block all others) or 'blacklisting' (block some, allow all others). The batch files are plain text and can be edited easily, so that you can start with the full set and cut out some country codes to your liking.
Hello @SecurityPlus
You can check this article and download the zip file, which has text files to add all country address objects into FortiGate via script.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Script-to-create-Address-objects-and-one-a...
Regards,
salmas