Fortigate - Firewall, Block/Unblock IPv4 Address Object (Canvas, Component)
Integrating the SOC Solutions "SOC Remediation Actions" playbook with a FortiGate firewall as part of the incident response (IR) action plan. The following scenario covers two use cases:

1. Block: add an IPv4 address to a network address group
   a. Create an IPv4 address object at the FortiGate. Action name: Create Address.
   b. Query the latest members of the network address group (address object list). Action name: Get Group Members.
   c. Add the IPv4 address object to a pre-created network address group (presumed to be a blocklist: any traffic matching the list is blocked). Action name: Update Network Address Group.

2. Unblock: remove an IPv4 address from a network address group
   a. Query the latest members of the network address group (address object list).
   b. Remove the address object from the existing network address group members (address object list).

Canvas component diagram

First-level component: "Execute Block/Unblock IPv4 Remediation Action, Fortigate"
   Sub-component: "Execute Fortigate Add Address to Network Address Group"
   Sub-component: "Execute Fortigate Remove Address from Network Address Group"

Prerequisites

a. You have deployed SOC Solutions (Canvas).
b. An API key at the FortiGate firewall with permission to create addresses and update network address groups.

Note: the following steps are documented against FortiGate VM64 (in Bitwarden), >= v7.0.0 build0066 (GA). To create the API key, log in as admin, then in the left-hand menu go to System > Administrators > Create New > REST API Admin.

Configuration at Turbine

1. Set up the FortiGate asset with the host and API details.
2. Deploy the component below: Execute Block/Unblock IPv4 Remediation Action Fortigate SSP. Note: the playbooks are created from v24.3.4 with FortiGate connector v1.2.0. Import all of the following.
3. Configure the playbook for blocking IPv4 addresses
   a. Open the playbook "SOC Remediation Actions", go to the flow of record actions "Block Observables" and, under the IPv4 if-condition, change the component to "Execute Block/Unblock IPv4 Remediation Action".
   b. Go to the component "Execute Block/Unblock IPv4 Remediation Action" and set the FortiGate network address name at the sub-playbook input, according to the predefined network address group name provided by the firewall team.
4. Configure the playbook for unblocking IPv4 addresses
   a. Open the playbook "SOC Remediation Actions", go to the flow of record actions "Unblock Observables" and, under the IPv4 if-condition, change the component to "Execute Block/Unblock IPv4 Remediation Action".
   b. Go to the component "Execute Block/Unblock IPv4 Remediation Action" and set the FortiGate network address name at the sub-playbook input, according to the predefined network address group name provided by the firewall team.
5. The FortiGate actions in the components "Execute Fortigate Add Address to Network Address Group" and "Execute Fortigate Remove Address from Network Address Group" are configured to run against the $remote pool. Change it to $default if the Turbine instance you are working on has direct access to the FortiGate without a remote agent.

Appendix: working configurations

a. Create Address (IPv4). Note: with FortiGate v7.6.0 the type has been changed to 'ipmask', instead of 'subnet' in v7.0.0.
b. Get Group Member (from the predefined address network group name).
c. Update Network Address Group.
d. Result at the FortiGate: address object created via Swimlane.
e. Result at the FortiGate: address network group updated via Swimlane.
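The three REST calls the appendix configurations (a, b, c) wrap, as an added example that is not Swimlane's or Fortinet's own code. It assumes the FortiOS 7.x cmdb endpoints under /api/v2/cmdb/firewall and a bearer-token REST API admin key; the host, key, object naming and group name are placeholders, and the membership update is made idempotent so a repeated block does not add a duplicate member.

```python
"""Added example, not Swimlane's or Fortinet's own code: the three REST calls
behind the block/unblock component (create address, get/update group).
Assumed: FortiOS 7.x cmdb endpoints under /api/v2/cmdb/firewall and a
bearer-token REST API admin key; host, key and group name are placeholders."""
import ipaddress
import json
import urllib.request

BASE = "/api/v2/cmdb/firewall"


def address_payload(ip: str, addr_type: str = "ipmask") -> dict:
    """Step 1a: a /32 address object. 'ipmask' per v7.6.0; the page notes
    v7.0.0 expected 'subnet'."""
    host = ipaddress.ip_address(ip)           # rejects malformed observables
    if host.version != 4:
        raise ValueError("this playbook branch handles IPv4 only")
    return {"name": f"blk_{ip}", "type": addr_type,
            "subnet": f"{ip} 255.255.255.255", "comment": "SOC remediation"}


def updated_members(current: list, name: str, action: str) -> list:
    """Steps 1c / 2b: new member list; idempotent (no duplicate entries)."""
    names = [m["name"] for m in current]
    if action == "block" and name not in names:
        names.append(name)
    elif action == "unblock":
        names = [n for n in names if n != name]
    return [{"name": n} for n in names]


def plan_calls(ip: str, group: str, current: list, action: str) -> list:
    """Ordered (method, path, body); 'current' is results[0]['member'] from a prior GET of {BASE}/addrgrp/{group} (step 1b / 2a)."""
    addr = address_payload(ip)
    calls = []
    if action == "block":                      # unblock leaves the object
        calls.append(("POST", f"{BASE}/address", addr))
    members = updated_members(current, addr["name"], action)
    calls.append(("PUT", f"{BASE}/addrgrp/{group}", {"member": members}))
    return calls


def send(host: str, api_key: str, method: str, path: str, body=None):
    """Issue one call over HTTPS (certificate is verified by default)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"https://{host}{path}", data=data, method=method,
                                 headers={"Authorization": f"Bearer {api_key}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)
```

In the component, the GET of the group (step 1b / 2a) is issued first with `send(host, key, "GET", f"{BASE}/addrgrp/{group}")` and its `results[0]["member"]` list is passed to `plan_calls`, whose output is then sent in order.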