Hello guys,
I have a question about Wazuh-FortiGate action rules.
I want to create actions for FortiGate (for example, a user tried SSL-VPN too many times, and I want to blacklist his/her public IP from FortiGate, but I want it as a rule-based action).
Can we create actions on the Wazuh side? Can Wazuh connect to FortiGate via SSH or other protocols and use FortiGate in an admin role?

Hi Uğur,
Yes, you can: with the integrator daemon you can configure Wazuh to run an executable on the manager while passing to it information from the event triggering the integration.
Here's a good guide on creating your own integrations: https://wazuh.com/blog/how-to-integrate-external-software-using-integrator/
Specifically for Fortigate you could use the External block list fabric connector and configure a simple script to log in via SSH to run the CLI commands specified there.
If you have a specific requirement to run these actions on a Wazuh agent instead of the manager, then you can use Active Responses instead; here is a guide on creating custom AR scripts.
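
A sketch of the integration script described in the reply above (an added example, not part of the original reply and not Wazuh's own code). Instead of logging in over SSH, it appends the offending address to a text file that the FortiGate external block list connector is assumed to poll over HTTPS; the file path, the `srcip`/`remip` field names and the `NEVER_BLOCK` set are assumptions to adapt. The integrator is expected to call it with the path of the JSON alert file as its first argument, from an `<integration>` entry in `ossec.conf` whose name starts with `custom-`.

```python
import ipaddress
import json
import os
import sys

# Assumed path: a one-IP-per-line text file served to the FortiGate connector.
BLOCKLIST = "/var/www/blocklist/fortigate_block.txt"
# Assumed field names; check what your FortiGate decoder extracts into "data".
IP_FIELDS = ("srcip", "remip")
# Fill in addresses that must never be blocked (admin egress, monitoring probes).
NEVER_BLOCK = frozenset()


def extract_ip(alert, never_block=NEVER_BLOCK):
    """Return a validated, globally routable source IP from the alert, or None."""
    data = alert.get("data", {})
    for field in IP_FIELDS:
        raw = data.get(field)
        if not raw:
            continue
        try:
            ip = ipaddress.ip_address(str(raw).strip())
        except ValueError:
            continue  # log content is attacker-influenced: drop anything unparsable
        # Skip private/reserved ranges so a spoofed or NATed log entry
        # cannot make the firewall block internal hosts.
        if ip.is_global and str(ip) not in never_block:
            return str(ip)
    return None


def add_to_blocklist(ip, path=BLOCKLIST):
    """Append ip unless already listed. Returns True when the file changed."""
    existing = set()
    if os.path.exists(path):
        with open(path) as fh:
            existing = {line.strip() for line in fh}
    if ip in existing:
        return False
    with open(path, "a") as fh:
        fh.write(ip + "\n")
    return True


if __name__ == "__main__":
    # First argument: path of the JSON file holding the triggering alert.
    with open(sys.argv[1]) as fh:
        address = extract_ip(json.load(fh))
    if address:
        add_to_blocklist(address)
```

Entries are only ever appended here, so pair the script with a scheduled job that expires old addresses, and restrict write access on the block list file to the account the integrator runs as.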