Actually, I'm confused regarding the "IP Ban" function and other functions in the Fortigate firewall app. The firewall app comes with functions and no workflows.
I had a discussion with my network team and they want me to tell them the back-end working of the function. I mean, we will just configure the app using the API token of the Fortigate and nothing else. So my question is how the IP Ban function will identify where it will navigate in the firewall to block the IP, and what policy it will tamper with to block the IP.
Would appreciate it if someone could explain this to me. Thanks.
The Fortigate app comes with functions only out of the box. You will need to create your own workflows using these functions. The only thing you need is the server address of your Fortigate firewall and a token from the Fortigate firewall (in app.config). You can configure the app for multiple Fortigate firewall servers if you like. The BanIP function calls the corresponding Fortigate API using the IP address you want to ban.
Good day Guys
Hope all is well
We are using the Forti BAN IP and it is working well. However, I am now struggling to push the banned IP to multiple Fortigates.
I did add the secondary forti as suggested in the config, but when I run the push it does not push to the second one, only the first one.
Any ideas on where or how I should specify for it to use both?
The Fortigate ban_ips function can only push to one forti at a time. To push to two different configured Fortigates with one playbook, you could create a playbook that looks something like the one in the attached image. Have the function Ban Ips run twice, with one function getting the first Fortigate firewall label as input for `fortigate_firewall_label` and the second function getting the second Fortigate firewall label for its `fortigate_firewall_label` input.