IBM Security QRadar SOAR

 View Only
  • 1.  Working of Ban IP Function in Firewall

    Posted Fri July 07, 2023 04:14 AM
    Edited by Zain Zafar Fri July 07, 2023 06:43 AM

    Actually I'm confused regarding "IP Ban" function and other functions in Fortigate firewall app. The Firewall app comes with functions and no workflows.

     I had discussion with my network team and they want me to tell them back-end working of function, i mean we will just configure app using API token of fortigate and nothing else, So my question is how the IP Ban function will identify that where it will navigate in Firewall to block IP and what policy it will tamper with to block IP.

    Would appreciate if someone explain this to me. Thanks

  • 2.  RE: Working of Ban IP Function in Firewall

    Posted Sun July 09, 2023 11:23 PM

    The Fortigate app comes with functions only out of box. You will need to create your own workflows using these functions. The only thing you need is the server address of your Fortigate firewall and a token from the Fortigate firewall (in app.config). You can configure the app for multiple Fortigate firewall servers if you like. The BanIP function calls the corresponding Fortigate API using the IP address you want to ban.


  • 3.  RE: Working of Ban IP Function in Firewall

    Posted Mon November 20, 2023 02:52 AM

    Good day Guys

    Hope all is well

    We are using the Forti BAN IP and it is working well.. however I am now struggling to push the banned ip to multiple Fortigates.

    I do add the secondary forti as suggested in the config but when I run the push it does not push the second one but only the first one.

    Any ideas on where or how I should specify for it to use both?


    Arno Pretorius

  • 4.  RE: Working of Ban IP Function in Firewall

    Posted Mon November 20, 2023 08:14 AM

    The fortigate ban_ips function can only push to one forti at a time. To push to two different configured foritgates with one playbook you could create a playbook that looks something like the one in the attached image. Have the function Ban Ips run twice with one function getting the first fortigate firewall label as input for `fortigate_firewall_label` and the second function getting the second fortigate firewall label for its `fortigate_firewall_label` input. 

    Richard Swierk