Support Forum
fortimaster
Contributor II

Stitch to ban IP when an anomaly occurs, but using a count number.

Hi all,

I would like to ban some IPs when a DoS attack occurs. I'm trying to do that using a stitch and the "anomaly logs" trigger action. The problem is that I cannot establish a count number or filter with "anomaly logs". I don't want to ban an IP when it is detected for the first time by my DoS policy. I would like to ban it when it is detected, for example, 10 times during an attack.

That is the problem: I can't use an event filter or count for the anomaly trigger. If I try to create a custom trigger, I cannot find the log ID 0720018432 or similar in order to customize it.

Could you help me create an automation trigger to detect a malicious IP during a DoS attack? I need an IP to appear several times and I don't know how to set this counter, so as not to ban it the first time (it could be from someone who doesn't belong to the attack).

1 --> An IP appears X times in a short time, several times, with an "anomaly event".

2 --> FortiGate bans the IP (quarantine).

Is it possible?

Thanks!!!

2 REPLIES
Anthony_E
Community Manager

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

To create an automation stitch in FortiGate that bans an IP address when an anomaly occurs based on a count number:

  1. Create an Automation Trigger: Go to the FortiGate GUI. Navigate to `Security Fabric` -> `Automation`. Click on `Create New` to set up a new automation trigger. Define the trigger conditions based on the specific anomaly event you want to monitor. Use field filters to specify the event type and set a threshold for the count number.
  2. Configure the Trigger Conditions: Specify the event log name related to the anomaly. Use field filters to narrow down the logs to the specific anomaly. Set a condition to trigger the action when the count of the anomaly exceeds a certain number.
  3. Create an Automation Action: Still under `Security Fabric` -> `Automation`, create a new action. Choose `Ban IP` as the action type. Configure the action to ban the source IP address from the event log.
  4. Link the Trigger and Action: Create a new automation stitch. Select the previously created trigger and action. Save the stitch to activate it.

This setup will automatically ban an IP address when the specified anomaly occurs and exceeds the defined count threshold.

Anthony-Fortinet Community Team.
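The sticking point in this thread is counting anomaly events per source IP before acting. As an added example (not from this thread or from Fortinet), the sliding-window count logic below is run over constructed FortiOS-style anomaly log lines, the way a syslog collector or webhook receiver could apply it before invoking the quarantine action. The log ID 0720018432 is taken from the question; the device name, addresses and exact field layout are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches FortiOS key=value pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortigate_log(line):
    """Parse one FortiOS key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


class AnomalyBanPolicy:
    """Flag a source IP for quarantine only once `threshold` anomaly events
    (matching `logid`) from it fall inside a sliding `window`."""
    def __init__(self, threshold=10, window=timedelta(minutes=5),
                 logid="0720018432"):       # anomaly log ID from the question
        self.threshold, self.window, self.logid = threshold, window, logid
        self.hits = defaultdict(deque)     # srcip -> timestamps of recent hits
        self.banned = set()

    def feed(self, line):
        """Return the srcip if this event crosses the threshold, else None."""
        rec = parse_fortigate_log(line)
        if rec.get("type") != "anomaly" or rec.get("logid") != self.logid:
            return None                    # not a DoS-policy anomaly log
        src = rec["srcip"]
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        q = self.hits[src]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop hits older than the window
            q.popleft()
        if len(q) >= self.threshold and src not in self.banned:
            self.banned.add(src)           # a real deployment calls the ban here
            return src
        return None


# Constructed sample lines in FortiOS anomaly-log style (hypothetical device,
# RFC 5737 test addresses): four events from one source, one from another.
SAMPLE_LOGS = [
    f'date=2024-01-10 time=12:00:{i:02d} devname="fgt-lab" logid="0720018432" '
    f'type="anomaly" subtype="anomaly" level="alert" srcip={ip} dstip=192.0.2.10 '
    f'proto=6 attack="tcp_syn_flood" action="detected" count=1'
    for i, ip in enumerate(["203.0.113.5"] * 4 + ["198.51.100.7"])
]


def run_demo(lines, threshold=3, window=timedelta(seconds=60)):
    """Feed lines through the policy; return the IPs that crossed the threshold."""
    policy = AnomalyBanPolicy(threshold=threshold, window=window)
    return [src for src in (policy.feed(line) for line in lines) if src]
```

The demo lowers the threshold to three events within 60 seconds so the five sample lines suffice; the value asked for in the question would be `threshold=10`.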