With current events, I decided to write a small Ansible / Python script to feed our firewalls with known malicious IPs. I share this script with you through Github ;). I’m using python to format the csv then I use in Ansible to parse the data into the Fortigate firewall. It was written to be used with fortigate, but you are free to adapt it to your firewalls, it’s quite simple with ansible :).
The script is available here : ipset-blocklist-fortigate
How it works ?
It’s quite simple, Download the git project, then, modify the host file and insert your credentials
You have to execute the following command:
ansible-playbook fortigate-blacklist.yml -e url="RAW URL of the blocklist ipset"
You can choose any of the ipset blocklist available on https://github.com/firehol/blocklist-ipsets
Ansible then starts by calling the blacklist-convert.py python script.
The script will download the list,
– Remove unnecessary lines
– Add an header in the csv
– Add an index column in the CSV
– Add a name column in the CSV, with the name of the blocklist + the index.
– Create a CSV with the name of the blocklist
Then the Ansible script takes over:
– Creation of the ‘name’ variable for the address group, according to the CSV
– Creation of subnets / IPs according to the CSV
– Add subnets in the address group.
Current limitations :
- You’re limited by the number of host on Fortigate, you can increase the limits if you want (but you’ll slow down your firewall)
- You’re limited by the number of host you can add in a group (600 on most of firewalls). I’ll created soon a V2 of this script to avoid the script crashing when we have + 600 entries for an addressgroup.
Feel free to comment and share ;)
you can also use the ‘IP Address’ External connector, and feed it with a file containing the IP adresses you would like to have in an object.
This is described here :
I tried to use the blocklist from firehol on the 7.0.5, but it’s not working. I’ve to check how it works :D
It basically just has to be a text file with one IP (or domain) on each line, otherwise the external feeds will just give your an error. Proofpoint along with this one from CINS work: http://cinsscore.com/list/ci-badguys.txt
Malshare has a compatible AV feed.