With current events in mind, I decided to write a small Ansible / Python script to feed our firewalls with known malicious IPs. I'm sharing this script with you through GitHub ;). I use Python to format the CSV, then Ansible parses the data and loads it into the Fortigate firewall. It was written for Fortigate, but you are free to adapt it to your own firewalls; it's quite simple with Ansible :).
The script is available here: ipset-blocklist-fortigate
How does it work?
It's quite simple: download the git project, then modify the host file and insert your credentials.
Then execute the following command:
ansible-playbook fortigate-blacklist.yml -e url="RAW URL of the blocklist ipset"
You can choose any of the ipset blocklists available at https://github.com/firehol/blocklist-ipsets
Ansible starts by calling the blacklist-convert.py Python script.
The script downloads the list, then:
– Removes unnecessary lines
– Adds a header to the CSV
– Adds an index column to the CSV
– Adds a name column to the CSV, containing the name of the blocklist plus the index
– Creates a CSV named after the blocklist
Then the Ansible playbook takes over:
– Creates the 'name' variable for the address group, according to the CSV
– Creates the subnets / IPs according to the CSV
– Adds the subnets to the address group.
Current limitations:
- You're limited by the number of hosts on the Fortigate; you can raise the limits if you want (but you'll slow down your firewall)
- You're limited by the number of hosts you can add to a group (600 on most firewalls). I'll soon create a V2 of this script to keep it from crashing when an address group has more than 600 entries.
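As an added illustration (not the blacklist-convert.py from the repository), here is the conversion step described above written out in Python: it drops comment and blank lines from a firehol-style ipset file, validates each entry, and builds the index / name / subnet rows for the CSV. It also goes one step beyond the post by assigning every row to a group of at most 600 members, which is the address-group limit mentioned under the limitations; the sample input, the column names and the `MAX_GROUP_MEMBERS` constant are assumptions, and the download step is left out so the snippet runs offline.

```python
import csv
import io
import ipaddress

# Constructed sample in the firehol ipset/netset layout: comment lines start
# with '#', and each remaining line holds one IP or CIDR (not a real list).
SAMPLE_IPSET = """\
# firehol_level1 (constructed sample, not the real list)
#
# Maintainer : example
192.0.2.0/24
198.51.100.7
203.0.113.0/25
not-an-address

# trailing comment
"""

MAX_GROUP_MEMBERS = 600  # per-group limit quoted in the post (assumed constant name)


def parse_ipset(text):
    """Return the valid IP/CIDR entries, dropping comments, blanks and junk."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip full and trailing comments
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # never push a malformed line to the firewall
        entries.append(str(net))  # bare hosts become /32 (or /128)
    return entries


def to_rows(entries, blocklist):
    """Build CSV rows: index, name (blocklist + index), subnet, group.

    The group column splits the list into chunks of MAX_GROUP_MEMBERS so a
    single address group never exceeds the firewall's member limit.
    """
    rows = []
    for i, subnet in enumerate(entries, start=1):
        group_no = (i - 1) // MAX_GROUP_MEMBERS + 1
        rows.append({"index": i, "name": f"{blocklist}_{i}",
                     "subnet": subnet, "group": f"{blocklist}_grp{group_no}"})
    return rows


def to_csv(rows):
    """Render the rows with a header line, as the Ansible side expects."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["index", "name", "subnet", "group"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```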
Feel free to comment and share ;)
Hi Alexandre,
you can also use the ‘IP Address’ External connector, and feed it with a file containing the IP addresses you would like to have in an object.
This is described here:
https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/891236/external-blocklist-policy
Hello Thomas,
Exactly,
I tried to use the blocklist from firehol on the 7.0.5, but it’s not working. I have to check how it works :D
Regards
It basically just has to be a text file with one IP (or domain) on each line, otherwise the external feeds will just give you an error. Proofpoint along with this one from CINS work: http://cinsscore.com/list/ci-badguys.txt
Malshare has a compatible AV feed.