ledinscic
New Contributor

FortiAnalyzer show or report Banned IP from Fortigate IPS Sensor (Quarantine action)

 

Is there a way to show banned IP addresses from the FortiGate IPS sensor on FAZ and to create a report of them?

I don't have access to the FortiGate, so only through FAZ can I see what's going on.

 

Thanks in advance!

Anthony_E
Community Manager

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Debbie_FTNT
Staff

Hey ledinscic,

I'm not terribly up to date on the matter, but I believe you should be able to see banned/quarantined IPs from FortiGate in the FortiAuthenticator SoC/NoC section somewhere.

You might need a Security Fabric integration for this to work properly.

 

If the FortiGate is only logging to FortiAnalyzer, but not participating in Security Fabric, then there might be log messages about IPs being banned; if they exist, then probably under System Events.

In the FortiOS log reference, I found reference to two log messages, 43776 and 43777, NAC Quarantine and NAC Anomaly Quarantine, for banned IPs, but I couldn't determine if those logs are generated when an IP is banned manually, or only banned based on some rules.

 

If you can determine what log ID is generated when an IP is banned, you can then set up a report on FortiAnalyzer filtering on that log ID.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
ledinscic
New Contributor

Hello,

 

Well, the FortiGate is logging to FortiAnalyzer, and I have also found those 43776 and 43777 in the documentation, but there is no event in FAZ regarding these codes, nor the other words you mentioned.

 

The FOC team sent me this image (I don't have access to the FG) which precedes the quarantine (I think), but I also cannot find those Attack IDs on FAZ:

(screenshot attachment not reproduced)


It would be very helpful to us to have info regarding banned/quarantined IPs, because we have a large number of outlets where we have this combination of FG and FAZ.

 

Can you please help with how to achieve that? Many thanks for the effort.

Debbie_FTNT

Hey ledinscic,

 

If you can't even find those attack logs on FortiAnalyzer, then there's very little we can do; I would suspect some logs might be missing on Analyzer then, or are not sent by FortiGate?

In that case, I would suggest opening a ticket with Technical Support to dig into what is going on between FortiGate and FortiAnalyzer.

 

As I mentioned above, I don't know what logs a FortiGate would generate when an IP is quarantined manually, and setting up a lab to test this would be quite an undertaking.

I can only suggest that you reach out to whoever manages the FortiGate in question, get an exact time they quarantined an IP, and then check the event logs on FortiAnalyzer (System Events, perhaps also Endpoint/Switch-Controller) to see if you can find any log message for the IP being banned/quarantined, and then go from there.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
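The two approaches Debbie suggests (in her first reply, filter on a known log ID once you have it; in this reply, take the exact quarantine time from whoever manages the FortiGate and look at what FortiAnalyzer holds around it for that IP) can be prototyped offline against exported log lines. The following is an added example, not code from the thread or from Fortinet: it parses FortiGate-style key=value syslog lines and applies both filters. The log lines are constructed for the example; the only log IDs taken from the thread are 43776 and 43777, while their 10-digit prefix, the field layout and every other logid value are placeholders, so real records must be checked against the FortiOS log reference.

```python
"""Added example (not from the thread or from Fortinet): locate quarantine-
related records in FortiGate-style logs by log ID, or by IP near a known time.
All sample lines below are constructed; logid values other than the thread's
43776/43777 suffixes are placeholders, and the field layout is assumed."""
import re
from datetime import datetime, timedelta

# FortiGate logs are space-separated key=value pairs; values containing
# spaces are double-quoted, so a plain split on spaces would break them.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample export (not real device output).
SAMPLE_LINES = [
    'date=2023-06-12 time=09:00:00 devname="FG-BRANCH-01" logid="0000000001" '
    'type="traffic" subtype="forward" srcip=10.20.30.40 dstip=203.0.113.5 action="accept"',
    'date=2023-06-12 time=13:31:03 devname="FG-BRANCH-01" logid="0000000002" '
    'type="utm" subtype="ips" severity="critical" srcip=10.20.30.40 dstip=203.0.113.5 '
    'action="dropped" attack="Constructed.Signature" msg="placeholder IPS event"',
    'date=2023-06-12 time=13:31:04 devname="FG-BRANCH-01" logid="0000043776" '
    'type="event" subtype="system" logdesc="NAC Quarantine" action="quarantine" '
    'srcip=10.20.30.40 msg="Quarantined IP 10.20.30.40"',
    'date=2023-06-12 time=14:02:10 devname="FG-BRANCH-02" logid="0000043777" '
    'type="event" subtype="system" logdesc="NAC Anomaly Quarantine" action="quarantine" '
    'srcip=192.0.2.77 msg="Quarantined IP 192.0.2.77"',
]


def parse_record(line):
    """Return one log line as a dict of field -> value (surrounding quotes stripped)."""
    fields = {}
    for key, val in _KV.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def record_time(rec):
    """Combine the date and time fields into a datetime."""
    return datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")


def find_by_logid(lines, logids):
    """Records whose logid ends with one of the given IDs.

    Suffix matching is used because the thread quotes the IDs as 43776 and
    43777 while the full 10-digit logid carries a prefix (a placeholder here).
    """
    wanted = tuple(str(i) for i in logids)
    return [r for r in map(parse_record, lines) if r.get("logid", "").endswith(wanted)]


def banned_ips(lines, logids=("43776", "43777")):
    """Set of source IPs taken from the matching quarantine records."""
    return {r["srcip"] for r in find_by_logid(lines, logids) if "srcip" in r}


def find_by_ip_near(lines, ip, when, window=timedelta(minutes=5)):
    """Records that mention ip in any field within +/- window of `when`.

    `when` is a datetime or a "YYYY-MM-DD HH:MM:SS" string, e.g. the exact
    quarantine time reported by the FortiGate administrator. Matching is
    token-based so 10.20.30.4 does not match 10.20.30.40.
    """
    if isinstance(when, str):
        when = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
    hits = []
    for rec in map(parse_record, lines):
        if not any(ip == v or ip in v.split() for v in rec.values()):
            continue
        if abs(record_time(rec) - when) <= window:
            hits.append(rec)
    return sorted(hits, key=record_time)


if __name__ == "__main__":
    print("banned IPs by log ID:", sorted(banned_ips(SAMPLE_LINES)))
    for rec in find_by_ip_near(SAMPLE_LINES, "10.20.30.40", "2023-06-12 13:31:00"):
        print(rec["time"], rec["type"], rec["subtype"], rec.get("logdesc", rec.get("attack", "")))
```

Once the real record that accompanies a quarantine has been identified this way, its logid and logdesc are what you would put into the FortiAnalyzer report filter; until then the time-window search is the way to discover which event (if any) the FortiGate actually sends.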
ledinscic
New Contributor

Hi, well, the IP is not quarantined manually; it is quarantined by an IPS sensor event (critical).

 

ledinscic
New Contributor

Is there maybe some dataset from Intrusion Prevention that shows blocked IPs?

ledinscic
New Contributor

BTW, if I may suggest, in FAZ there should be, e.g., a Monitor/Banned IP menu predefined as there is in FortiGate; that would solve all the problems, and this info is also important for those of us who have only FAZ at our disposal for logs and reports.
