Technical Tip: How to automatically block the malicious

source IP address triggering IPS

Descript This article describes the steps to automatically block malicious source IP
ion address(es) triggering IPS.
Scope FortiGate.
Solution Automation stitch can automatically block inbound traffic triggering IPS.

1. Create an address group in Policy & Objects -> Addresses, open the
Address Group tab, and select the Create new button.

Provide the group name and select OK. It is used 'Auto_IPS-Blocked' in this example.
2. Navigate to Security Fabric -> Automation and select the Create New button in the
Stitch tab.
3. Provide the new stitch name, select Add Trigger, select IPS Logs, and Apply.
4. Add a CLI script to create a firewall address object based on '%%srcip%%/32' and
append the automatically added address object to the new address group from Step 1.

1. Configure stitch action by selecting Add Action, then select Create.

2. Scroll down and select CLI Script.
3. Provide the CLI Script's name and enter the following script, then select the
appropriate Administrator profile or use super_admin if needed, then
select OK. It uses 'Auto_IPS-Blocked' in the firewall addrgrp because that is
the name of the group I added in Step 1.

config firewall address

edit %%srcip%%
set subnet %%srcip%% 255.255.255.255
next
end
config firewall addrgrp
edit "Auto_IPS-Blocked"
append member %%srcip%%
next
end
4. Select the newly added script name and select Apply.
5. Select Add Action if it is desired to add another action such as sending an
email, then select OK.
6. In case of a false positive, manually edit the group object and remove the corresponding
address object from the group.
7. Finally, block the address group using local-in-policy since blocking the
group in the firewall policy might not be applicable in most cases. For
instance, a deny firewall policy with match VIP enabled should work on port
forwarding (Virtual IPs) but is not applicable for blocking access to
SSLVPN or Dial-Up IPsec VPN connections.
Troubleshooting Tip: Block earlier version TLS1.1 TLS1.0
SSLv3.0 Through Traffic
Descri This article describes the approach to allow only TLS1.2/TLS1.3 through traffic and block lower
ption version SSL traffic.

Scope FortiGate .

Soluti Most TLS traffic today is run on TLS1.2+ as the modern browser by default supports TLS1.2+.
on However, there are still legacy applications that may only run on earlier TLS versions.
A common practice in Enterprise is to block earlier TLS versions while making exceptions for
needed applications with dedicated policies (Narrowed src/dst IP range along with other
restrictions).

Approach 1:
Use Application Control, the example below is created from new/default and only blocks
TLSv1.1/TLSv1.0/SSLv3.0
Apply it on an Firewall policy, supported under both inspection modes (flow or proxy), supported
under certificate inspection or deep inspection.

config application list

edit "Default_BlockTLS1.1-"
set other-application-log enable
config entries
edit 1
set application 41542 41541 41543 <-----
TLSv1.0/TLSv1.1/SSLv3.
 next
edit 2
set category 2 6
next
end
next
end

Below certificate inspection is pretty much default if created in v7.0+, highly suggest not using the
default 'Read-only' Certificate-Inspection. Not only because a new one can be customized, but more
importantly, the default value from the newly generated entry would be correct.

Note:
To use an existing profile, make sure the unsupported-ssl-version is set to block. This needs to be
watched out especially if the running config was from an earlier version such as 6.x and upgraded
up).

config firewall ssl-ssh-profilev

edit "TLS1.2Plus-Certificate-Inspection"
config https
set ports 443
set status certificate-inspection
end
config ftps
set status disable
end
config imaps
set status disable
end
config pop3s
set status disable
end
config smtps
set status disable
end
config ssh
set ports 22
set status disable
end
config dot
set status disable
end
next
end
Applies it on a Firewall Policy:

config firewall policy

edit 64
set name "test"
set srcintf "lan"
set dstintf "WAN-Zone"
set action accept
set srcaddr "Host-192.168.1.23"
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "TLS1.2Plus-Certificate-Inspection"
set av-profile "g-default"
set application-list "Default_BlockTLS1.1-"
set logtraffic all
set logtraffic-start enable
set nat enable
next
end

Check Log:
It is possible to see the block from the Traffic log and App Control log from the screenshot below:
Approach 2:
This requires BOTH proxy inspection mode AND deep inspection:

config firewall ssl-ssh-profile

edit "TLS1.2-Deep-Inspection"
config https
set ports 443
set status deep-inspection
set unsupported-ssl-negotiation block <----- Set to block.
set min-allowed-ssl-version tls-1.2 <----- Desired version.
end
config ftps
set ports 990
set status deep-inspection
end
config imaps
set ports 993
set status deep-inspection
end
config pop3s
set ports 995
set status deep-inspection
end
config smtps
set ports 465
set status deep-inspection
end
config ssh
set ports 22
set status disable
end
config dot
set status disable
end
config ssl-exempt
edit 1
set fortiguard-category 31
next
edit 2
set fortiguard-category 33
next
edit 3
set fortiguard-category 87
next
end
set ssl-negotiation-log enable <----- Enable.
set ssl-handshake-log enable
next
end

config firewall policy

edit 64
set name "t450"
set uuid 89ab1b40-1489-51ee-e88b-ce36489b0d2b
set srcintf "lan"
set dstintf "WAN-Zone"
set action accept
set srcaddr "Host-192.168.1.23"
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set inspection-mode proxy
set ssl-ssh-profile "TLS1.2-Deep-Inspection"
set av-profile "g-default"
set logtraffic all
set logtraffic-start enable
set nat enable
next
end
Check Log: