Home / Security / Fortigate / Ansible : Automated Fortigate blocklist ipsets
blocked

Ansible : Automated Fortigate blocklist ipsets

With current events, I decided to write a small Ansible / Python script to feed our firewalls with known malicious IPs. I share this script with you through Github ;). I’m using python to format the csv then I use in Ansible to parse the data into the Fortigate firewall. It was written to be used with fortigate, but you are free to adapt it to your firewalls, it’s quite simple with ansible :).

The script is available here : ipset-blocklist-fortigate

How it works ?

It’s quite simple, Download the git project, then, modify the host file and insert your credentials

You have to execute the following command:

ansible-playbook fortigate-blacklist.yml -e url="RAW URL of the blocklist ipset"

You can choose any of the ipset blocklist available on https://github.com/firehol/blocklist-ipsets

Ansible then starts by calling the blacklist-convert.py python script.
The script will download the list,
– Remove unnecessary lines
– Add an header in the csv
– Add an index column in the CSV
– Add a name column in the CSV, with the name of the blocklist + the index.
– Create a CSV with the name of the blocklist

Then the Ansible script takes over:
– Creation of the ‘name’ variable for the address group, according to the CSV
– Creation of subnets / IPs according to the CSV
– Add subnets in the address group.

Current limitations :

  • You’re limited by the number of host on Fortigate, you can increase the limits if you want (but you’ll slow down your firewall)
  • You’re limited by the number of host you can add in a group (600 on most of firewalls). I’ll created soon a V2 of this script to avoid the script crashing when we have + 600 entries for an addressgroup.

Feel free to comment and share ;)

About Alexandre Nogard

Check Also

Forcepoint : Deploy the SMC on AWS | Part III

Learn how to deploy the Forcepoint SMC & Log Server on AWS behind a NGFW Firewall with a VPC, in a public & private subnet and an Elastic IP

Forcepoint : Deploy the SMC on AWS | Part II

In the first Howto Forcepoint : Deploy the SMC on AWS | Part I, we …

Forcepoint : Deploy the SMC on AWS | Part I

How to deploy Forcepoint SMC (Security Management Center) on AWS ? This is a good …

4 comments

  1. Hi Alexandre,
    you can also use the ‘IP Address’ External connector, and feed it with a file containing the IP adresses you would like to have in an object.

    This is described here :
    https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/891236/external-blocklist-policy

Leave a Reply to Kifeo Cancel reply

Your email address will not be published.