IP Ban action
Configure an IP Ban action so that the illegal IP addresses recorded in logs are sent to FortiGate, which then adds them to its IP Ban list. When later requests arrive from the same IP address, FortiGate can block them directly. This is useful when FortiGate is deployed in front of FortiWeb, as it enables malicious IP addresses to be blocked at the first point of entry.
However, by default FortiGate blocks a banned IP address for only 10 minutes (you can configure a longer block period in FortiGate). If you want FortiWeb to continue blocking the IP address after those 10 minutes, use a CLI Script action to add the source IP to the Block IP address list in FortiWeb.
Refer to Use case: Automatic IP banning.
Prerequisite
You have a REST API administrator account in FortiGate and have the token ready. For more information, see REST API administrator in "FortiGate/FortiOS Administration Guide".
To create an IP Ban action:
- Log in to FortiWeb.
- Go to Security Fabric > Automation.
- Select the Action tab.
- Click Create New.
- Select IP Ban.
- Enter a name and description.
- Enter the API Token for the FortiGate REST API administrator account.
- Enter the URL to access FortiGate, e.g. "https://1.1.1.1:443".
- Click OK.
The IP Ban action should be used together with the FortiWeb Log trigger. Source IP addresses in the specified logs will be sent to FortiGate's IP Ban list.
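To check the URL and token pair outside FortiWeb, or to see what a ban request carries, the following added example (not Fortinet code, and not necessarily the request FortiWeb itself sends) builds, without sending, a FortiGate ban request. Assumptions: the FortiOS monitor endpoint `/api/v2/monitor/user/banned/add_users` with `ip_addresses` and `expiry` fields, Bearer-token authentication, a hypothetical `never_ban` list that protects your own address ranges, and constructed sample IPs.

```python
import ipaddress
import json
import urllib.request
from urllib.parse import urlsplit

# Assumption: FortiOS monitor endpoint for adding banned IPs; confirm it
# against the REST API reference for your FortiOS version.
BAN_PATH = "/api/v2/monitor/user/banned/add_users"
DEFAULT_EXPIRY = 600  # seconds; the 10-minute default block period


def normalize_base_url(url):
    """Accept only an https://host[:port] base URL, as entered in the action."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname or parts.username:
        raise ValueError("FortiGate URL must be https://host[:port]")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("FortiGate URL must not carry a path or query")
    return f"https://{parts.netloc}"


def bannable(ip, never_ban=()):
    """True only for a valid, globally routable IP outside never_ban networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed log field: never forward it
    if not addr.is_global:
        return False  # private, loopback, link-local, reserved ranges
    # never_ban is a hypothetical safeguard (proxies, monitoring, admin ranges)
    return not any(addr in ipaddress.ip_network(net) for net in never_ban)


def build_ban_request(base_url, token, ips, expiry=DEFAULT_EXPIRY, never_ban=()):
    """Build (do not send) the POST that adds the accepted IPs to the ban list."""
    accepted = [ip for ip in ips if bannable(ip, never_ban)]
    if not accepted:
        return None  # nothing safe to ban
    body = json.dumps({"ip_addresses": accepted, "expiry": expiry}).encode()
    return urllib.request.Request(
        normalize_base_url(base_url) + BAN_PATH,
        data=body,
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
```

To send the request, pass it to `urllib.request.urlopen` with an SSL context that trusts the FortiGate certificate.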