Hi
We have a case where we need to block the IP of SSL VPN login failures after a number of repeated attempts within about 5-10 minutes, using an automation stitch.
We already have the FortiAnalyzer and FortiGate set up. The only problem we have is that the FortiAnalyzer is giving the wrong value in the $remip variable in the FortiGate Event Handler.
For example, the IP 192.168.1.1 becomes 192.168.1.1,,
with two commas, which the FortiGate CLI does not accept.
What possible solution is there to get the IP without commas, or to sanitize the string in the CLI script?
Or make sure that FortiAnalyzer is giving the correct IP format?
Hi
You don't need automation stitch for that.
Hi,
This is only limiting the duration of each attempt. Our desired goal is to permanently block these IPs if they violate our conditions, and manually validate if they are coming from a valid IP user.
FortiAnalyzer is already able to fetch the remote IP, and FortiGate is able to get that using the Event Handler; the IP just needs to be properly formatted.
Hi maplesyrup,
How did you manage to block the IP address that made, for example, 3 incorrect attempts at a certain interval, using automation stitching? I found an automation configuration as follows, but it blocks the IP on the first incorrect attempt.
Sounds like a bug in FortiAnalyzer. Have you reported it?