Fortigate - Firewall (Classic)
Integrating the case management app with the FortiGate firewall as part of an incident response (IR) action plan.

The following scenario covers the use case of creating a new IPv4 address and then adding that IPv4 address to a pre-created network address group (presumed to be a blocklist, where any traffic hitting the list will be blocked).

Prerequisites

a. An API key on the FortiGate firewall, with permission to create addresses and update network address groups.

Note: the following steps are documented based on FortiGate VM64 (in Bitwarden), v7.0.0 build0066 (GA). To create the API key, log in as admin, then in the left-hand panel menu go to System > Administrators > Create New > REST API Admin.

Configuration at Turbine

1. Set up the FortiGate asset with host and API details.

2. In case management, create a field to store either an IP address or a list of IP addresses, extracted from the source event, i.e., SIEM/EDR.

3. Deploy the playbooks below:
   - fortigate loop malicious ips add address.yml
   - fortigate add address to network address group.yml
   Note: the playbooks were created from v11.8.1.

4. Configure the playbook input for the playbook “fortigate add address to network address group”. The playbook expects “ip address” as input, and “ip address” is used as the variable value in the actions. The following is for information and a better understanding of how the playbook works. Replace “network address group name” with the name of your FortiGate address group.

   Overall playbook view:
   - “create an address” action: the playbook input is used as the action inputs ‘name’ and ‘subnet’.
   - “get group members” action: pulls the existing group members of the predefined “network address group”. The predefined group name in the example below is “test group 1”, which corresponds to the network address group name in the FortiGate firewall.
   - “add new address into member list” script: adds the new address to the group member list taken from the “get group members” action output. A pre-validation is in place to ensure that the new member (IP address) is added only if it is not already in the group member list.
   - “update network address group” action: updates the predefined “network address group” (“test group 1” in the example). This action pushes the updated member list to the network address group at FortiGate.

5. Configure the playbook input for the playbook “fortigate loop malicious ips add address”. The playbook expects a list of IP addresses as the input “malicious ips”. The list is iterated using the loop function, which feeds each IP address into the playbook “fortigate add address to network address group”.

6. Validation
   a. For the “create an address” action, the new address is created at FortiGate menu > Policy & Objects > Addresses; check the ‘IP Range/Subnet’ section.
   b. For the “update network address group” action, the updated list of address group members can be found at FortiGate menu > Policy & Objects > Addresses; check the ‘Address Group’ section.
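
The member-list logic from steps 4 and 5, sketched in Python as an added example; it is not the script shipped in the playbooks. It assumes the “get group members” output is a list of {"name": ...} objects and that ‘subnet’ takes /32 notation; the function names and sample IPs are constructed for illustration.

```python
import ipaddress


def address_payload(ip):
    """Inputs for "create an address": the playbook input fills both name and subnet."""
    # IPv4Address raises ValueError for anything that is not a single IPv4 host,
    # so CIDR ranges, hostnames and free text never reach the firewall.
    addr = ipaddress.IPv4Address(ip.strip())
    return {"name": str(addr), "subnet": f"{addr}/32"}  # /32 form is an assumption


def add_member(members, ip):
    """Pre-validation step: append the address only if the group lacks it.

    members is the assumed "get group members" output: [{"name": "..."}].
    Returns (member_list, changed) and never mutates the input list.
    """
    name = str(ipaddress.IPv4Address(ip.strip()))
    if name in {m["name"] for m in members}:
        return list(members), False
    return [*members, {"name": name}], True


def process_malicious_ips(members, malicious_ips):
    """Loop playbook: feed each IP through the single-address flow."""
    created, rejected = [], []
    for ip in malicious_ips:
        try:
            members, changed = add_member(members, ip)
        except ValueError:
            rejected.append(ip)  # surface bad input to the analyst instead of pushing it
            continue
        if changed:
            created.append(address_payload(ip))
    return members, created, rejected


if __name__ == "__main__":
    # Constructed sample data (documentation address ranges), not from a real case.
    current = [{"name": "203.0.113.7"}]
    from_case = ["203.0.113.7", "198.51.100.23", "not-an-ip", "0.0.0.0/0"]
    updated, created, rejected = process_malicious_ips(current, from_case)
    print("member list to push:", updated)
    print("addresses to create:", created)
    print("rejected inputs:", rejected)
```

Rejecting anything that is not a single host address keeps a malformed or over-broad value in the case field (such as 0.0.0.0/0) from being pushed into the blocklist group.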