I was asking you to do it as a test. I was looking to see if it works when the IP address does not have a subnet mask attached to it.
To your point, if an incident occurs that contains a malicious IP address, it would be just an IP address and not an IP address/subnet mask. Your test was with an IP address/subnet mask and not just an IP address.
Original Message:
Sent: Mon February 26, 2024 09:42 AM
From: benlinux
Subject: Fortigate Ban IP Playbook
Hello Richard,
Thank you for your response. I don't think it makes sense to manually create an IP address on fortigate before initiating this playbook. Because if an incident occurs that contains a malicious IP address, would a SOC analyst be telling the fortigate admin to create the IP address before they can initiate the playbook "Fortigate Ban IPs"?
------------------------------
benlinux
Original Message:
Sent: Mon February 26, 2024 07:39 AM
From: Richard Swierk
Subject: Fortigate Ban IP Playbook
Hello, could you please try creating a new IP address on Fortigate that does not have a subnet mask and then run the playbook using that IP address.
------------------------------
Richard Swierk
Original Message:
Sent: Mon February 26, 2024 03:08 AM
From: benlinux
Subject: Fortigate Ban IP Playbook
Hello expert,
I will appreciate any help here.
Regards,
------------------------------
benlinux
Original Message:
Sent: Fri February 23, 2024 10:55 AM
From: benlinux
Subject: Fortigate Ban IP Playbook
Hello Richard,
Thank you for your response. I have used another playbook "Fortigate Create address" to create an address with IP address/subnet mask, e.g. 10.10.10.8/32.
After confirming that this address exists on the Fortigate, I created an Artifact (type IP address) with this value "10.10.10.8", and I got the same error.
Note the artifact type IP address does not accept IP/subnet mask, e.g. 10.10.10.8/32.
Regards,
------------------------------
benlinux
Original Message:
Sent: Fri February 23, 2024 09:48 AM
From: Richard Swierk
Subject: Fortigate Ban IP Playbook
When the playbook's input script gets the value from an artifact of type "IP Address" it will return a string value.
Is the IP address that you are using as input when running this playbook present on your Fortigate server? If the IP address is not present on your Fortigate server, then running this playbook will result in an error.
------------------------------
Richard Swierk
Original Message:
Sent: Fri February 23, 2024 02:09 AM
From: benlinux
Subject: Fortigate Ban IP Playbook
Hello experts,
I have integrated my Fortigate Firewall to QRadar SOAR successfully. I have also tested a few playbooks and they work fine. However, the Fortigate Ban IP is not working.
I tested using the following approach:
I created an artifact of type IP address, and triggered the playbook "Fortigate Ban IP". The Playbook completes without any error, but gives the below message in the Note tab:
FortiGate failed with reason: "Status Code: 403, {'http_method': 'POST', 'status': 'error', 'http_status': 403, 'vdom': 'root', 'path': 'user', 'name': 'banned', 'action': 'add_users', 'serial': '****', 'version': v***, 'build': ***}"
I have a concern here, reviewing the playbook "Fortigate Ban IPs", it shows that the Fortigate_addresses (as shown in the screenshot) should be of text artifact type, but when you create a "String" artifact type, the Playbook "Fortigate Ban IPs" is not available to be selected.

I would appreciate it if someone can help me on how to test the "Fortigate Ban IPs" playbook.
Regards,
------------------------------
benlinux
------------------------------
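A pre-flight check for the bare-IP versus IP/subnet-mask mismatch discussed throughout this thread, written as an added example (not the playbook's, IBM's or Fortinet's code; the address list and the error payload below are constructed samples modelled on the values quoted above). It normalizes an "IP Address" artifact value to the /32 form that address objects use, reports which existing address object covers it, and summarises an error payload of the shape the playbook surfaced in its Note.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed sample: address objects as the "Fortigate Create address" playbook
# creates them (always IP/prefix form, e.g. 10.10.10.8/32 as in the thread).
FORTIGATE_ADDRESSES = ["10.10.10.8/32", "192.0.2.0/24"]


def normalize_artifact_ip(value: str) -> str:
    """Turn a bare IP artifact string (what the 'IP Address' artifact type hands
    the playbook) into the host-prefix form (/32 or /128) address objects use."""
    ip = ipaddress.ip_address(value.strip())
    return f"{ip}/{ip.max_prefixlen}"


def find_matching_address(value: str, addresses: Iterable[str]) -> Optional[str]:
    """Return the first address object whose network covers the artifact IP,
    or None when no object exists for it (the precondition Richard asked about)."""
    ip = ipaddress.ip_address(value.strip())
    for addr in addresses:
        # strict=False tolerates host bits set in the object's prefix.
        if ip in ipaddress.ip_network(addr, strict=False):
            return addr
    return None


def explain_fortigate_error(payload: dict) -> str:
    """Summarise a FortiGate REST error payload of the shape quoted in the thread
    (a dict with http_method, status, http_status, vdom, path, name, action)."""
    if payload.get("status") != "error":
        return "ok"
    return (f"HTTP {payload.get('http_status')} on {payload.get('http_method')} "
            f"{payload.get('path')}/{payload.get('name')} "
            f"action={payload.get('action')} vdom={payload.get('vdom')}")


if __name__ == "__main__":
    artifact = "10.10.10.8"  # bare value, as the artifact type requires
    print(normalize_artifact_ip(artifact))
    print(find_matching_address(artifact, FORTIGATE_ADDRESSES))
    # Constructed payload mirroring the 403 message quoted in the thread.
    print(explain_fortigate_error({'http_method': 'POST', 'status': 'error',
                                   'http_status': 403, 'vdom': 'root',
                                   'path': 'user', 'name': 'banned',
                                   'action': 'add_users'}))
```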