Configure Simple Response for Fortinet FortiGate: Block External IP Address

Configure a Fortinet FortiGate: Block External IP Address simple response to block IP addresses in an incident with FortiGate. The response adds each IP address to an address group that must already exist in your FortiGate. You can then use the address group in a firewall policy to block IP addresses based on Alert Logic's recommendations automatically.

A typical use case for this response is to reduce opportunities for an identified attacker to probe your network further.

Complete the following steps to successfully configure this simple response:

  1. Identify or create a FortiGate address group
  2. Add the address group to a FortiGate firewall policy
  3. (Optional) Create an exclusion list in the Alert Logic console
  4. Choose the response
  5. Connect to Fortinet FortiGate NGFW
  6. (Optional) Apply exclusions
  7. Choose when to respond

Identify or create a FortiGate address group

The Fortinet FortiGate: Block External IP Address simple response adds IP addresses based on Alert Logic's recommendations to a FortiGate address group. The address group must already exist in FortiGate before you create the simple response in the Alert Logic console.

For more information about address groups, see the Fortinet document Address groups.

To identify or create an address group in FortiGate:

  1. Go to the FortiGate GUI, select Policy & Objects, and then select Addresses.
  2. Scroll down to Address Group to view the list.
  3. If you do not see an address group that you want the simple response to update, select the down arrow next to Create New, and then select Address Group. Follow instructions in the Fortinet document Address groups to complete the configuration.
    Alert Logic recommends that you create an address group for the response to use. This practice avoids confusion about who is managing additions and removals.
  4. Note the name of the address group for later use.

Add the address group to a FortiGate firewall policy

If you want the simple response to block IP addresses based on Alert Logic recommendations, and you have not done so already, add the address group to a new or existing firewall policy in the FortiGate GUI. As the simple response adds IP addresses to the address group, the firewall policy that references the address group blocks those IP addresses automatically.

For details about configuring a FortiGate firewall policy, see the Fortinet document Firewall policy parameters. When setting it up, enter the address group as the source for a DENY action in the policy.
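The following FortiOS CLI snippet is an added example, not part of the Alert Logic or Fortinet documentation, that shows the same two objects configured from the CLI rather than the GUI: a dedicated address group for the response and a deny policy that uses it as the source. The object names, the interface name wan1 and the seed address are constructed for illustration; an address group normally needs at least one member before FortiOS will save it, so the group is seeded with a placeholder host object that never matches real traffic.

```fortios
# Seed object (constructed): FortiOS will not keep an address group with no
# members, so the group starts with a single TEST-NET-1 host that no real
# client uses. The Alert Logic response adds its own members alongside it.
config firewall address
    edit "alertlogic-block-placeholder"
        set subnet 192.0.2.1 255.255.255.255
        set comment "Seed member for the Alert Logic block group; never matches production traffic"
    next
end

# The address group the simple response updates. Enter this exact name in the
# Group Name field of the Connect step.
config firewall addrgrp
    edit "alertlogic-blocklist"
        set member "alertlogic-block-placeholder"
        set comment "Managed by the Alert Logic simple response; do not edit members by hand"
    next
end

# Deny policy with the group as the source. "edit 0" lets FortiOS assign the
# next free policy ID. Logging is enabled so each block is visible in the
# forward-traffic log.
config firewall policy
    edit 0
        set name "deny-alertlogic-blocklist"
        set srcintf "wan1"
        set dstintf "any"
        set srcaddr "alertlogic-blocklist"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "Drops traffic from IP addresses the Alert Logic response adds to the group"
    next
end
```

Policies are evaluated top down, so the deny policy must sit above any allow policy that could otherwise match the same traffic. After saving, run `show firewall policy` to find the ID that was assigned, then reorder with `config firewall policy` followed by `move <new-id> before <first-allow-id>` and `end`, substituting the real IDs.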

(Optional) Create an exclusion list in the Alert Logic console

If you want your automation to exclude specific IP addresses, the IP addresses must be defined in one or more exclusion lists. For example, you can create lists of IP addresses for services such as public addresses of your data centers, VPN endpoints, and external scanners. During the simple response creation process, a step is available to apply exclusion lists to your automation. If a list you want to apply does not exist already, use the instructions in Exclusions to create it now.

Choose the response

  1. In the Alert Logic console, click the navigation menu icon, click Respond, and then click Automated Response.

  2. On the Simple Responses page, click the add icon, and then, under Fortinet FortiGate: Block External IP Address, click START.

Connect to Fortinet FortiGate NGFW

This response requires a Fortinet FortiGate NGFW connection that grants Alert Logic access to update an address group. In the Connect step, name your response and connect to Fortinet FortiGate NGFW as follows.

To connect to Fortinet FortiGate NGFW:

  1. In Response Name, enter a descriptive name for your simple response (example: Block Attacker IP Address).
  2. If you already have a Fortinet FortiGate NGFW connection that grants Alert Logic permission to perform this response, leave Use an existing connection selected, and then select the connection in Connection. You can use the search bar to help you find the connection.
  3. If you do not have a Fortinet FortiGate NGFW connection that grants Alert Logic permission to perform this response, click Create a connection, and then complete the instructions in Create a Fortinet FortiGate NGFW connection to set it up.
  4. In Group Name, enter the name of the FortiGate address group noted in Identify or create a FortiGate address group.
  5. In Expiration in Seconds, enter the number of seconds before you want Alert Logic to deactivate the block, or keep the default value of 604800.
  6. Click TEST to run a test that checks the configuration without performing the response. The test might take one to two minutes to complete. Results appear in a message.
    • If the result is Succeeded, continue to the next step in this procedure.
    • If the result is Failed, use the listed errors to assist with troubleshooting. If necessary, you can click Edit connection above Connection, and then use the information in Create a Fortinet FortiGate NGFW connection to check and fix the connection. For further assistance with troubleshooting, see Troubleshooting tips.
  7. If you want the simple response to be active, leave Response is active turned on. Turn it off if you want to save the configuration but not activate the response yet.
  8. Click NEXT to continue to the Apply Exclusions step.

Create a Fortinet FortiGate NGFW connection

A Fortinet FortiGate NGFW connection securely stores reusable authentication credential information for integrations between Alert Logic and your Fortinet FortiGate Next-Generation Firewall (NGFW).

To create the connection, Alert Logic requires the following information about your FortiGate:

  • Host—Hostname or IP address of the FortiGate that you want Alert Logic to connect to.
  • Username and password—Administrative credentials of the user that allows Alert Logic to access your FortiGate. Alert Logic recommends that you set up a dedicated user, rather than use one that is shared by human users or other software integrations.
  • Virtual Domains—If your FortiGate is divided into multiple virtual domains (VDOMs), you need the names of the VDOMs you want Alert Logic to connect to. For more information, see Identify the FortiGate virtual domains you want to connect to.

This connection also requires an Alert Logic IDS appliance. You specify a network where the appliance is located, and Alert Logic chooses the appropriate appliance to connect to the specified hostname or IP address. Choosing the network instead of a specific appliance means you do not need to update the connection as appliances are added to or removed from the network. The IDS appliances in the selected network must be able to connect to the firewall over the TCP port selected in the connection (443 by default). Any routing, network segmentation, cloud security groups, and other network access controls must allow outbound communication from all IDS appliances in the selected network to the firewall.
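The following FortiOS CLI snippet is an added example, not part of the Alert Logic or Fortinet documentation, of the dedicated administrator account recommended above. It pairs the account with a custom access profile that can modify address objects but nothing else, and restricts logins to the subnet of the IDS appliances. The profile name, the subnet 10.10.20.0/24 and the password placeholder are constructed; the exact permission field names under fwgrp-permission vary between FortiOS releases, so confirm them against the CLI reference for your version.

```fortios
# Custom access profile (constructed name): read-write on address objects so
# the response can add members to the group, read-only on policy so the
# account can see but not change the deny rule, nothing else.
config system accprofile
    edit "alertlogic-addrgrp-rw"
        set comments "Least privilege for the Alert Logic block response"
        set fwgrp custom
        config fwgrp-permission
            set address read-write
            set policy read
            set service none
            set schedule none
            set others none
        end
    next
end

# Dedicated administrator for the integration. trusthost1 is assumed to be the
# network that contains the Alert Logic IDS appliances; logins from any other
# source are refused before the password is even checked. The vdom setting
# should list the VDOM(s) named in the Virtual Domains field of the connection.
config system admin
    edit "Alert_Logic_Intelligent_Response"
        set accprofile "alertlogic-addrgrp-rw"
        set vdom "root"
        set trusthost1 10.10.20.0 255.255.255.0
        set password <strong-password-placeholder>
    next
end
```

Because the trusthost restriction applies to every IDS appliance in the selected network, the subnet must cover all of them, not just the one that happened to run the TEST. If appliances are later added in a different subnet, add a trusthost2 entry rather than widening trusthost1.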

Alert Logic provides the following steps to help you create the connection. For further questions about the steps performed in Fortinet FortiGate NGFW, refer to the vendor documentation listed in the technical reference section, or contact Fortinet support.

  1. Identify the FortiGate virtual domains you want to connect to
  2. Create the connection in the Alert Logic console

Identify the FortiGate virtual domains you want to connect to

If your FortiGate is divided into multiple virtual domains (VDOMs) and they are enabled, you need the names of the VDOMs you want Alert Logic to connect to. Alert Logic connects to the root domain if you leave the Virtual Domains field blank when you configure the connection in the Alert Logic console. The following additional considerations apply depending on the Fortinet VDOM mode:

  • If your FortiGate is in split-task VDOM mode, Alert Logic needs to connect to the management VDOM (root). You can leave the Virtual Domains field blank to connect to root automatically. For more information, see the Fortinet document Split-task VDOM Mode.
  • If your FortiGate is in multi VDOM mode, you can specify any of the VDOMs you set up or leave the Virtual Domains field blank to connect to root. If your VDOMs are set up as management or meshed VDOMs, connecting to root affects all VDOMs. For more information, see the Fortinet document Multi VDOM mode.

Create the connection in the Alert Logic console

Next, go back to the Create a Simple Response page to enter information in the Connect step that grants Alert Logic access to perform the response.

To create the Fortinet FortiGate NGFW connection in the Alert Logic console:

  1. In Connection Name, type a descriptive name for the connection (example: Fortinet FortiGate NGFW Connection for Blocking an IP Address).
  2. In Host, type the hostname or IP address of the FortiGate that you want to connect to.
  3. In Port, leave the default TCP port number 443 for secure incoming connection requests, or change it if you have a custom configuration.
  4. In Username, enter the username for the administrative account that provides Alert Logic access to your FortiGate (example: Alert_Logic_Intelligent_Response).
  5. In Password, enter the password for the specified username.
  6. In Network ID, select the network that contains an Alert Logic IDS appliance that can connect to your firewall.
  7. If you want Alert Logic to verify SSL certificates for requests it makes to the firewall, select the Verify SSL check box.
  8. (Optional) In Virtual Domains, enter a comma-separated list of the FortiGate virtual domain names that you want Alert Logic to connect to. If your FortiGate does not have virtual domains enabled or if you want to connect to root in a multiple virtual domain setup, leave the field blank. For more information, see Identify the FortiGate virtual domains you want to connect to.
  9. Click SAVE.

(Optional) Apply exclusions

If you want to exclude IP addresses from the response, in Exclusion List(s), select one or more lists that define the exclusions. You can create exclusion lists from the Exclusions page if necessary, and then come back. For more information, see Exclusions.

After you choose one or more lists, or if you want to skip this step, click NEXT.

Choose when to respond

In this step, choose whether to request approval before Alert Logic runs the response each time. Alert Logic sends the request by email and the Alert Logic Mobile App. You can request approval from multiple users, such as members of your security team. The first user to answer determines whether the response is approved or rejected. Subsequent users who respond receive a message stating that the inquiry was responded to already.

In this step, you also choose the incident analytics that you want to trigger the response. You can respond to incidents generated from all analytics that Alert Logic recommends as triggers, or you can choose specific analytics.

To choose when to respond:

  1. If you do not want to require approval, click Do not require approval.
  2. If you want to require approval, click Send approval request, and then select one or more approval recipients in User(s). You can use the search bar to help you find names and email addresses.
    To improve traceability of approvals, Alert Logic recommends that you choose individuals rather than a distribution list.
  3. If you want to block external IP addresses detected in incidents generated from all analytics that Alert Logic recommends as triggers for this response, leave Respond to all recommended analytics selected. An example of a recommended analytic for this response is "{vendor} Possible Credential Stuffing Activity Detected from {attacker_ip}."
  4. If you prefer to choose from a list of all analytics available for this response type, click Choose analytics, and then select one or more analytics to use as triggers for the response. You can use the search bar to help you find analytics.
    To learn more about a specific analytic, you can find it in the Threat Intelligence Center. For more information, see Threat Intelligence Center.
  5. Click SAVE.

Troubleshooting tips

Here are common errors that can occur when you test the configuration and suggested troubleshooting steps.

Connection Attempt to host Timed Out or Connection Attempt to host Failed

Common causes of these errors include:

  • The IP address or hostname provided in the connection is incorrect.
  • The port provided in the connection is incorrect.
  • The firewall administration interface is not enabled on this host and port.
  • Intermediate firewalls are blocking connections, especially if the firewall is in a “DMZ” network.
  • No route exists from the appliance to the firewall.

To troubleshoot these errors:

  1. In the Create a Simple Response page, click EDIT CONNECTION, ensure the settings are correct, and then click TEST again. For more information, see Create the connection in the Alert Logic console.
  2. If the connection settings are correct, review the configuration of your firewalls and routing, and then click TEST again.
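The following FortiOS CLI commands are an added example, not part of the Alert Logic or Fortinet documentation, that work through the causes listed above from the FortiGate side while you click TEST in the console. The interface name port1, the administrator name and the appliance address 10.10.20.5 are constructed; substitute the interface that faces your IDS appliances and the address of an appliance in the selected network.

```fortios
# 1. Is the HTTPS administrative interface enabled on the interface the
#    appliances reach? "https" must appear in the allowaccess line.
show system interface port1

# 2. Does the HTTPS admin port match the Port field in the connection?
#    FortiOS defaults to 443; a custom admin-sport must be entered in Port.
get system global | grep admin-sport

# 3. Does the account allow logins from the appliance subnet (trusthost
#    entries) and belong to the VDOM named in the connection?
show system admin Alert_Logic_Intelligent_Response

# 4. Is there a return route to the appliance network? A missing or wrong
#    route produces the same timeout as an upstream block.
get router info routing-table details 10.10.20.5

# 5. While TEST runs, do the appliance's connection attempts arrive at all?
#    Verbosity 4 shows the ingress interface; 20 caps the packet count.
#    SYN seen but no SYN-ACK returned: wrong port or admin access disabled.
#    Nothing seen: an intermediate firewall, security group or routing gap
#    upstream of the FortiGate is dropping the traffic.
diagnose sniffer packet any 'host 10.10.20.5 and tcp port 443' 4 20
```

Step 5 is the quickest way to split the problem in two: packets that reach the FortiGate point at its own configuration (steps 1 to 3), while packets that never arrive point at the network path between the appliance and the firewall, which is where the DMZ and security-group causes above apply.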

Technical reference

Simple Response Name

Fortinet FortiGate: Block External IP Address

Vendor documentation

Limitations

FortiGate version 7 allows up to 600 members in an address group. If you are using an earlier version, the limit is 300 members.