How can we use FAZ playbook to create dynamic objects and block them from Fortigate?
Hi all,
I'm trying to achieve one thing:
We see many SSH access attempts to our FortiGate.
But for some reason, we cannot use a manual local policy or trusted hosts to prevent those attacks.
We have a FAZ and it seems the Playbook might work for this case.
We would like to:
1. When the FAZ finds the FGT login-failed event more than three times, create an object for that attacker IP.
2. FortiGate puts that object into both a firewall policy and a local policy for blocking.
Can anyone show me a few samples, if we can achieve it this way?
Thanks in advance!
Hello Potato,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello again Potato,
I talked to one of our engineers, and it unfortunately sounds like what you're thinking of is not currently possible. Because FortiAnalyzer is intended as a logging tool, it cannot directly affect policies in FortiGate. As a result, FortiGate policies cannot be created/altered when playbook events are triggered in FortiAnalyzer.
I'm sorry we couldn't help more. Feel free to reach out if you have any further questions.
Kind regards,
You may try a Python script similar to the one in the following discussion - https://community.fortinet.com/t5/Support-Forum/Automation-SSL-VPN-login-fail-event-gt-Ban-IP/m-p/25...
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
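The detection half of what the thread asks for (source IPs with more than three failed SSH admin logins), as an added example that is not from any poster or from the linked discussion. The log lines are constructed, the key=value field layout (`ui="ssh(<ip>)"`, `action`, `status`) and the 5-minute window are assumptions, and the function names are hypothetical; it only produces the candidate list and does not push anything to a FortiGate.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample lines (not real logs), in chronological order.
# Assumed layout: FortiGate-style key=value event log, source IP inside ui="ssh(...)".
SAMPLE_LOGS = """\
date=2024-05-01 time=09:00:00 logdesc="Admin login failed" user="admin" ui="ssh(192.0.2.9)" action="login" status="failed"
date=2024-05-01 time=09:20:00 logdesc="Admin login failed" user="admin" ui="ssh(192.0.2.9)" action="login" status="failed"
date=2024-05-01 time=09:40:00 logdesc="Admin login failed" user="admin" ui="ssh(192.0.2.9)" action="login" status="failed"
date=2024-05-01 time=10:00:01 logdesc="Admin login failed" user="root" ui="ssh(203.0.113.5)" action="login" status="failed"
date=2024-05-01 time=10:00:20 logdesc="Admin login failed" user="root" ui="ssh(203.0.113.5)" action="login" status="failed"
date=2024-05-01 time=10:00:41 logdesc="Admin login failed" user="test" ui="ssh(203.0.113.5)" action="login" status="failed"
date=2024-05-01 time=10:01:05 logdesc="Admin login failed" user="root" ui="ssh(203.0.113.5)" action="login" status="failed"
date=2024-05-01 time=10:02:00 logdesc="Admin login failed" user="admin" ui="ssh(198.51.100.7)" action="login" status="failed"
date=2024-05-01 time=10:02:10 logdesc="Admin login failed" user="admin" ui="ssh(198.51.100.7)" action="login" status="failed"
date=2024-05-01 time=10:02:20 logdesc="Admin login failed" user="admin" ui="ssh(198.51.100.7)" action="login" status="failed"
date=2024-05-01 time=10:02:30 logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" action="login" status="failed"
date=2024-05-01 time=10:03:00 logdesc="Admin login failed" user="admin" ui="ssh(192.0.2.9)" action="login" status="failed"
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bare
UI_SSH = re.compile(r'^ssh\(([^)]+)\)$')        # only SSH logins carry ui="ssh(ip)"

def parse_line(line):
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def ssh_bruteforce_sources(log_text, threshold=3, window=timedelta(minutes=5)):
    """Source IPs with MORE than `threshold` failed SSH logins inside `window`."""
    recent, flagged = defaultdict(list), set()
    for line in log_text.splitlines():
        f = parse_line(line)
        m = UI_SSH.match(f.get("ui", ""))
        if not m or f.get("action") != "login" or f.get("status") != "failed":
            continue
        try:
            ip = ip_address(m.group(1))          # rejects anything that is not an IP
            ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
        except (KeyError, ValueError):
            continue                             # malformed line: skip, do not guess
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) > threshold:
            flagged.add(ip)
    return sorted(str(ip) for ip in flagged)

if __name__ == "__main__":
    print(ssh_bruteforce_sources(SAMPLE_LOGS))
```

The returned list is what a separate step would turn into address objects; validating each value with `ip_address` before it reaches any firewall configuration keeps a crafted log field from becoming a policy entry.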
