Fortigate actions


Uğur Aygün

Apr 25, 2023, 3:05:15 AM
to Wazuh mailing list

Hello guys,

I have a question about Wazuh-Fortigate action rules.

I want to create actions for Fortigate (for example, a user tried SSL-VPN too many times; I want to blacklist his/her public IP on Fortigate, but I want it as a rule-based action).

Can we create actions on the Wazuh side? Can Wazuh connect to Fortigate via SSH or other protocols and use Fortigate in an admin role?

Juan Carlos Tello

Apr 25, 2023, 3:43:11 AM
to Uğur Aygün, Wazuh mailing list

Hi Uğur,

Yes, you can: with the integrator daemon you can configure Wazuh to run an executable on the manager while passing it information from the event that triggered the integration.
Here's a good guide on creating your own integrations: https://wazuh.com/blog/how-to-integrate-external-software-using-integrator/
Specifically for Fortigate, you could use the External block list fabric connector and configure a simple script to log in via SSH and run the CLI commands specified there.

If you have a specific requirement to run these actions on a Wazuh agent instead of the manager, then you can use Active Responses instead; here is a guide on creating custom AR scripts.



Uğur Aygün

Apr 27, 2023, 4:24:15 AM
to Juan Carlos Tello, Wazuh mailing list
Thank you for your answer, Juan.

I followed the link that you sent me. I created a firewall API user and did an ossec.conf. But I still did not understand how I can create a script.

My Fortigate is sending logs to Wazuh. For example, I can check whether a user is connected via SSL VPN, or whether access to a website is blocked, etc.

But in the end, how can I create a script like: a user tried to access a blocked website more than 5 times in 5 minutes; I can see it via logs and an alert is triggered. But how can I create a script so that when this alert is triggered, it does this?

And also, how can I be sure that the API admin is connected to Fortigate? Is there any UI about it?

Thank you again

Juan Carlos Tello <juancarl...@wazuh.com> wrote on Tue, 25 Apr 2023 at 10:43:

Juan Carlos Tello

Apr 27, 2023, 11:57:35 AM
to Uğur Aygün, Wazuh mailing list
Hi Uğur,

Integrations will depend greatly on the method that Fortinet provides that will work best for you. With the External block list fabric connector you may specify a list in a plain text file as a URL. This file may be updated with a simple Wazuh integration; in fact, you may install an nginx server directly on the Wazuh manager and have a simple script that adds IPs to the local file.
Then you can configure this script to be executed whenever an event triggers a specific rule ID within Wazuh.
I hope this helps.
Best regards,
Juan C. Tello
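To make the approach Juan describes concrete, here is an added example of such an integration script; it is not code from Wazuh, Fortinet or any poster in this thread. It assumes the integrator daemon's convention of running a script named `custom-<name>` from `/var/ossec/integrations` with the alert JSON file path as its first argument (the API key and hook URL arguments are unused here), that nginx on the manager serves `/var/www/html/blocklist.txt` to the firewall's External block list connector, and that the decoded Fortigate alert carries the client address in a field such as `data.srcip` or `data.remip` (the field names are assumptions to check against your own alerts). The script skips private and non-address values, adds each IP only once, and replaces the file atomically so the firewall never fetches a half-written list.

```python
#!/usr/bin/env python3
"""Hypothetical Wazuh custom integration (constructed example): append the
source IP of a matching alert to a plain-text blocklist that a Fortigate
External block list connector fetches over HTTP from nginx on the manager.

Assumed invocation by the integrator daemon:
    /var/ossec/integrations/custom-fortigate-blocklist <alert_file> <api_key> <hook_url>
and an <integration> block in ossec.conf naming the script, restricted to
the rule IDs (e.g. the "blocked website more than N times" rule) that
should feed the list.
"""
import ipaddress
import json
import os
import sys
import tempfile

# Assumed: the web root that nginx on the manager serves to the firewall.
BLOCKLIST_PATH = "/var/www/html/blocklist.txt"

# Assumed decoded-field names; verify against your own Fortigate alerts.
IP_FIELDS = ("srcip", "remip", "src")


def extract_ip(alert):
    """Return the first public IPv4/IPv6 address found in the alert's decoded
    data fields, or None if nothing there should be blocked."""
    data = alert.get("data", {})
    for field in IP_FIELDS:
        raw = data.get(field)
        if not raw:
            continue
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue  # field present but not an address; try the next one
        # Never push internal, loopback, link-local or multicast ranges to
        # the firewall's deny list, whatever the log says.
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast:
            continue
        return str(ip)
    return None


def load_blocklist(path):
    """Read existing entries, ignoring blank lines and comments."""
    if not os.path.exists(path):
        return []
    with open(path, "r", encoding="utf-8") as fh:
        return [l.strip() for l in fh if l.strip() and not l.startswith("#")]


def add_to_blocklist(path, ip):
    """Add ip to the list idempotently; return True if the file changed.
    The new content is written to a temp file in the same directory and
    renamed over the old one, so readers see either the old or the new list."""
    entries = load_blocklist(path)
    if ip in entries:
        return False
    entries.append(ip)
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".blocklist-")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("\n".join(entries) + "\n")
    os.chmod(tmp, 0o644)  # readable by the nginx worker
    os.replace(tmp, path)
    return True


def handle_alert_file(alert_path, blocklist_path=BLOCKLIST_PATH):
    """Process one alert file as the integrator hands it to us.
    Returns the IP that was newly added, or None if nothing changed."""
    with open(alert_path, "r", encoding="utf-8") as fh:
        alert = json.load(fh)
    ip = extract_ip(alert)
    if ip is None:
        return None
    return ip if add_to_blocklist(blocklist_path, ip) else None


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: custom-fortigate-blocklist <alert_file> [api_key] [hook_url]")
    added = handle_alert_file(sys.argv[1])
    print(f"added {added}" if added else "nothing added")
```

Because the firewall only polls the URL, the effective block delay is the connector's refresh interval; the script itself cannot confirm that the firewall has picked up the entry, so the check for that remains on the Fortigate side (the connector's status and the list it last fetched).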

Uğur Aygün

Apr 28, 2023, 3:23:32 AM
to Juan Carlos Tello, Wazuh mailing list
Thank you again, Juan. I understood this situation correctly. Sorry, but I have one more question.

As far as I understand, the above example is about blocking an IP.

If I want other scripts, like create a rule, disable a rule, drop IPsec, etc. (I mean other Fortigate-related rules), should I proceed with the above example or do I need to find another source?

I know that this is a bit of a complicated topic. I am trying to connect Wazuh directly to the FortiAPI, but if I can manage it, I think I am going to create a guide about it and share it.

Thank you again

Juan Carlos Tello <juancarl...@wazuh.com> wrote on Thu, 27 Apr 2023 at 18:57:

Juan Carlos Tello

Apr 28, 2023, 3:53:58 AM
to Uğur Aygün, Wazuh mailing list
Hi,
Indeed, the Wazuh integrator and Active Response capabilities can be adapted to take virtually any action using information from the events being processed by Wazuh.
The main way it will vary is the way the external application allows interacting with it.
I look forward to your guide, and if there are any additional questions, don't hesitate to ask us again.

Cheers,
Juan C. Tello