ssanga (Staff)
Article Id 291355
Description: This article describes how to implement an automation stitch that hardens FortiGate against unauthorized administrative access by blocking the remote IP address responsible for 3 failed admin login attempts.
Scope: FortiGate.
Solution

Step 1: Create an address group.

In the GUI:

Navigate to Policy & Objects -> Addresses -> Create New -> Address Group -> Enter a name: Admin_Failed_Login -> select OK.

In the CLI:

config firewall addrgrp
    edit Admin_Failed_Login
end

 

Step 2: Create an automation stitch.

In the GUI:

Navigate to Security Fabric -> Automation -> Create New -> supply the name 'Admin_Login_Block'.

Select Add Trigger -> Create -> FortiOS Event Log -> supply the name 'Admin_Login_disabled' -> open the FortiOS Event Log list, search for and add 'Admin login disabled' -> select OK -> select Apply.

(Screenshot: Trigger.png)

Select Add Action -> Create -> CLI Script -> supply the name 'Block_Admin_Failed' -> enter the script below and select the Administrator profile 'Super_admin' -> select OK -> select Apply -> select OK.

The %%log.ui%% placeholder is replaced at run time with the 'ui' field of the log entry that fired the trigger, which for this event carries the remote IP address of the failed logins.

config firewall address
    edit %%log.ui%%
        set subnet %%log.ui%%/32
    end
config firewall addrgrp
    edit Admin_Failed_Login
        append member %%log.ui%%
    end

(Screenshot: Action.png)

 

In the CLI:

config system automation-trigger
    edit "Admin_Login_disabled"
        set event-type event-log
        set logid 32021
    next
end

config system automation-action
    edit "Block_Admin_Failed"
        set action-type cli-script
        set script "config firewall address
edit %%log.ui%%
set subnet %%log.ui%%/32
end
config firewall addrgrp
edit Admin_Failed_Login
append member %%log.ui%%
end"
        set accprofile "super_admin"
    next
end

config system automation-stitch
    edit "Admin_Login_Block"
        set description "Admin_Login_Block"
        set trigger "Admin_Login_disabled"
        config actions
            edit 1
                set action "Block_Admin_Failed"
                set required enable
            next
        end
    next
end

Step 3: Create a local-in policy.

config firewall local-in-policy
    edit 0
        set intf <WAN_interface>
        set srcaddr "Admin_Failed_Login"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
        set status enable
    next
end

 

Result:

When an administrator login is disabled after 3 bad attempts, the trigger fires and the action creates an address object for the source IP of the failed attempts. That address object is then appended to the 'Admin_Failed_Login' group referenced by the local-in policy, and the local-in policy denies further traffic from that source IP.
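As an added illustration that is not part of the original article, the following Python script mimics what the stitch does with the log entry: it parses a constructed 'Admin login disabled' log line, checks that the logid is 32021 and that the ui field holds an IPv4 address (the action script's '/32' subnet only fits IPv4), and expands the %%log.ui%% placeholders into the CLI that would be pushed. The sample log line, and the 'https(ip)' form of ui that the parser also accepts, are assumptions.

```python
import ipaddress
import re

# Constructed sample of a FortiOS "Admin login disabled" event (logid 32021) in
# the key="value" layout FortiGate uses; the values are not from a real device.
SAMPLE_LOG = (
    'logid="0100032021" type="event" subtype="system" level="alert" '
    'logdesc="Admin login disabled" user="admin" ui="203.0.113.7" '
    'msg="Administrator admin login disabled from 203.0.113.7 because of 3 bad attempts"'
)

# The stitch action's CLI script, with its %%log.<field>%% placeholders.
ACTION_SCRIPT = """config firewall address
    edit %%log.ui%%
        set subnet %%log.ui%%/32
    end
config firewall addrgrp
    edit Admin_Failed_Login
        append member %%log.ui%%
    end"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
PLACEHOLDER_RE = re.compile(r"%%log\.(\w+)%%")


def parse_log(line):
    """Turn a FortiOS key="value" log line into a dict of fields."""
    return dict(FIELD_RE.findall(line))


def source_ip(ui):
    """Return the IPv4 address in a ui field, or None.
    Accepts a bare address and (assumption) the 'https(1.2.3.4)' form some
    login logs use; anything else is rejected because 'set subnet X/32'
    only describes an IPv4 host, so an IPv6 source would make the script fail."""
    m = re.fullmatch(r"(?:\w+\()?([0-9.]+)\)?", ui)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group(1)))
    except ipaddress.AddressValueError:
        return None


def render_action(log_line, script=ACTION_SCRIPT):
    """Expand the %%log.*%% placeholders as the stitch would, but only for a
    32021 event whose ui field holds a usable IPv4 address; else return None."""
    fields = parse_log(log_line)
    if not fields.get("logid", "").endswith("32021"):
        return None
    ip = source_ip(fields.get("ui", ""))
    if ip is None:
        return None
    fields["ui"] = ip
    return PLACEHOLDER_RE.sub(lambda m: fields.get(m.group(1), m.group(0)), script)
```

Feeding it a log whose ui field is an IPv6 address returns None, which is the case the page's script does not cover.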


(Screenshot: SystemEvent.png)

 

Debug commands to verify that the automation stitch is triggered:

diag debug app autod -1
diag debug enable

__action_cli_script_close()-213: cli script action is done. script:
config firewall address
edit %%log.ui%%
set subnet %%log.ui%%/32
end
config firewall addrgrp
edit Admin_Failed_Login
append member %%log.ui%%
end
output:
########## script name: autod.81, offset: 477##########
========= #1, 2023-12-27 11:42:34 ==========
netops $  config firewall address
netops (address) $  edit 208.X.X.X
netops (208.X.X.X) $  set subnet 208.X.X.X/32
netops (208.X.X.X) $  end
netops $  config firewall addrgrp
netops (addrgrp) $  edit Admin_Failed_Login
netops (Admin_Failed_Login) $  append member 208.X.X.X
netops (Admin_Failed_Login) $  end

======= end of #1, 2023-12-27 11:42:34 ======

Disable the debugs by running 'diag debug disable'.
