Administration Guide

Blocking indicators

You can block suspicious indicators (IP addresses, URLs, or domains) directly from FortiAnalyzer. This lets you respond quickly to known threats and reduce exposure without first logging in to FortiManager or the FortiGate.

Note

To block indicators, you must set up an authorized FortiManager connector for the FortiAnalyzer. See To set up the FortiManager connector on FortiAnalyzer, below.

The Block indicator option is available in:

  • Incidents & Events > Indicators

  • Incidents & Events > Incidents > Incidents

  • Incidents & Events > Incidents > Incidents > Incident Analysis

In Incidents & Events > Indicators, a pie chart and a Block Status column show the block state of each indicator: TBD, Blocked, or Unblocked.

When you block an indicator, the Block Status column initially shows Blocked (Pending). In the backend, a playbook called Block_indicator runs every five minutes and sends the indicator to FortiManager, so the status can take up to five minutes to update. After the playbook has run, the status changes to Blocked. A Blocked status on FortiAnalyzer only confirms that the External Resource list on FortiManager has been updated; it does not mean the block has been pushed to, or is being enforced by, the FortiGate.

Note

When the Block_indicator playbook runs successfully, the blocked indicator is pushed to FortiManager's External Resource list. On FortiManager, this list is used to create threat feeds, security profiles, and block policies, which are then pushed to the identified FortiGate. The same list can also be used to update all managed FortiGates to block the suspicious indicators.

The External Resource is saved in FortiManager as "<FortiAnalyzer ADOM name>-BLK<indicator-type>". For example, the root ADOM's blocked IPs are saved as root-BLKIP.

Note

The FortiManager firmware version must match the FortiAnalyzer firmware version for the block list to be pushed to FortiGates.

Indicators can also be unblocked from the FortiAnalyzer GUI. When a blocked indicator is selected in Incidents & Events > Indicators, the Unblock action becomes available in the toolbar and shortcut menu. Unblocking the indicator updates the External Resource on FortiManager by removing the unblocked indicator information. Once complete, the status of the indicator changes to Unblocked.

To set up the FortiManager connector on FortiAnalyzer:

The following configuration is required in the FortiManager CLI before adding a FortiAnalyzer using a fabric connection:

    config system csf
        set status enable
        set accept-auth-by-cert enable
    end

Under config system interface, the port's allowaccess setting must include fabric.

For more information, see the FortiManager Administration Guide.
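The complete FortiManager-side prerequisite, as an added example that is not taken from the original page: the csf settings above together with the interface setting, shown once without fabric and once corrected. The interface name port1 and the other services in its allowaccess list are assumptions for this example; use your own management port and keep whatever services it already allows. Note that set allowaccess replaces the whole list rather than adding to it, so omitting an existing service here will lock that service out.

```text
# FortiManager CLI (added example; port1 and the https/ssh/ping services are assumptions)
config system csf
    set status enable
    set accept-auth-by-cert enable
end

# Before: fabric is missing from allowaccess, so the FortiAnalyzer connector
# never reaches Pending Authorization and the Block option stays grayed out.
config system interface
    edit "port1"
        set allowaccess https ssh ping
    next
end

# After: fabric is added while the existing services are kept.
config system interface
    edit "port1"
        set allowaccess https ssh ping fabric
    next
end
```

After applying this, open the FortiManager connector card on FortiAnalyzer; the connector status must be up before the Block option becomes available in the Incidents and Indicators panes.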

  1. In the FortiAnalyzer GUI, go to System Settings > Fabric Management > Fabric Connectors.

  2. Double-click the card for the FortiManager connector.

  3. In the FortiManager IP/FQDN field, enter the IP address or FQDN of the FortiManager.

  4. Toggle the Status to enabled.

  5. Click OK and wait for the connection.

  6. Once the connection status is Pending Authorization, click Authorize.

  7. In the authorization page, select the ADOM to add the FortiAnalyzer to and click Next.

  8. After authorizing, the FortiAnalyzer is added to FortiManager under Device Manager > Device & Groups > Managed FortiAnalyzer.

    Alternatively, you can authorize the FortiAnalyzer from the FortiManager GUI.

    Note

    If the FortiManager connector is not set up, or if its status is down, the Block option is grayed out in the Incidents and Indicators panes.
