Block URL, IP, or Domain
Workflow #0051
Response Workflow
This workflow blocks a URL, IP, or domain name in Fortinet FortiGate. A URL is added to a URL filter attached to a web filter profile; an IP or domain is turned into an address object and added to an address group. The firewall policy named in the configuration is then updated with those objects and moved to the top of the policy list so that FortiGate evaluates it before any more permissive policy. Supported observables: `ip`, `url`, `domain`
Change Log
Date | Notes |
---|---|
Nov 10, 2021 | - Initial release |
Sep 7, 2022 | - Minor updates to naming and descriptions |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
- None
- The following atomic actions must be imported before you can import this workflow:
- Fortinet - FortiGate - Add Address to Address Group (CiscoSecurity_Atomics)
- Fortinet - FortiGate - Add URL Filter to Web Filter Profile (CiscoSecurity_Atomics)
- Fortinet - FortiGate - Add URL to URL Filter (CiscoSecurity_Atomics)
- Fortinet - FortiGate - Create Address (CiscoSecurity_Atomics)
- Fortinet - FortiGate - Create URL Filter (CiscoSecurity_Atomics)
- Fortinet - FortiGate - Get Policy by Name (CiscoSecurity_Atomics)
- Fortinet - FortiGate - Get Web Filter by Name (CiscoSecurity_Atomics)
- Fortinet - FortiGate - Move Policy to Top of Policy List (CiscoSecurity_Atomics)
- Fortinet - FortiGate - Search for Address by Value (CiscoSecurity_Atomics)
- Fortinet - FortiGate - Update Firewall Policy (CiscoSecurity_Atomics)
- Microsoft Teams - Post Message via Webhook (CiscoSecurity_Atomics)
- The targets listed at the bottom of the page
- A webhook URL for the Microsoft Teams channel to post messages to (see: this page)
- Fortinet FortiGate
Workflow Steps
Note: Errors are accumulated during workflow execution using `Add error to local variable` activities, so a failed step does not abort the workflow; the accumulated errors are checked before the policy is touched and reported in the Teams message.
- Defang the observable, generate object names, and validate input
- Is the observable a URL?
  - Get the web filter (if that fails, add an error)
  - Extract the MKey of the URL filter from the web filter
  - If extraction succeeds, add the URL to the URL filter
  - If extraction fails, create a new URL filter and add it to the web filter
- Is the observable an IP address or domain?
  - Search for existing address objects for this observable
  - If an address object was found, make note of its name
  - If an address object was not found, create a new one
  - Add the address object to the address group
- Check if there have been errors (if so, skip the next section)
- Get the firewall policy
- Update the firewall policy with the objects created/updated during the workflow
- Move the policy to the top of the policy list
- Compile the workflow results and send a Microsoft Teams message
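The branching above, as an added example written for this page (it is not the SecureX workflow or Cisco's atomic actions): the observable is validated, classified and defanged, and the workflow's write steps are emitted as an ordered plan of FortiOS REST API calls. The lookup steps (search address by value, get web filter, get policy) are represented by a caller-supplied `state` dictionary so the code runs offline. The `/api/v2/cmdb/...` paths, the JSON field names, the `?action=move&before=` syntax, the `SXO_` naming prefix and the 79-character object-name limit are assumptions about the FortiOS v2 API to verify against your FortiOS version.

```python
# Added example: workflow #0051's decision logic as a plan of FortiOS REST API
# write calls. Illustrative code, not the SecureX workflow or Cisco's atomics.
# Endpoint paths, field names, the SXO_ prefix and the 79-char name limit are
# assumptions about the FortiOS v2 "cmdb" API; verify against your version.
import ipaddress
import re
from urllib.parse import urlsplit

CMDB = "/api/v2/cmdb"
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify(observable: str) -> str:
    """Validate the raw observable and return 'ip', 'url' or 'domain'."""
    obs = observable.strip()
    if not obs or any(c.isspace() for c in obs) or len(obs) > 1024:
        raise ValueError("empty, whitespace-containing or oversized observable")
    try:
        ipaddress.ip_address(obs)
        return "ip"
    except ValueError:
        pass
    if "://" in obs:
        parts = urlsplit(obs)
        if parts.scheme in ("http", "https") and parts.hostname:
            return "url"
        raise ValueError("unsupported URL scheme or missing host")
    labels = obs.rstrip(".").split(".")
    if (len(labels) >= 2 and not labels[-1].isdigit()
            and all(_LABEL.match(label) for label in labels)):
        return "domain"
    raise ValueError(f"not an IP, URL or domain: {observable!r}")


def defang(observable: str) -> str:
    """Make the indicator non-clickable before it goes into the Teams message."""
    return (observable.replace("http://", "hxxp://")
            .replace("https://", "hxxps://")
            .replace(".", "[.]"))


def object_name(kind: str, observable: str) -> str:
    """Deterministic object name using only characters FortiOS accepts, cut to 79."""
    safe = re.sub(r"[^A-Za-z0-9_.-]", "_", observable)
    return f"SXO_{kind}_{safe}"[:79]


def address_payload(name: str, kind: str, value: str) -> dict:
    """Body for POST firewall/address. IPv6 lives in firewall/address6 (not handled)."""
    if kind == "ip":
        if ipaddress.ip_address(value).version != 4:
            raise ValueError("IPv6 addresses use the firewall/address6 table")
        return {"name": name, "type": "ipmask", "subnet": f"{value} 255.255.255.255"}
    return {"name": name, "type": "fqdn", "fqdn": value}


def plan(observable: str, state: dict, *, group: str = "Blocked_Addresses",
         web_filter: str = "Blocked_URLs", new_urlfilter_id: int = 1) -> list:
    """Return the ordered (method, path, body) write calls the workflow would issue.

    `state` carries what the lookup steps found (fetched with GET calls in real
    use): address_name (existing object or None), group_members (current names;
    PUT replaces the whole member list, so the new member is appended, never
    sent alone), urlfilter_id (mkey or None), policy_id, top_policy_id.
    """
    obs = observable.strip()
    kind = classify(obs)
    steps = []
    if kind == "url":
        entry = {"url": obs, "type": "simple", "action": "block", "status": "enable"}
        fid = state.get("urlfilter_id")
        if fid is None:                       # no URL filter yet: create and attach
            fid = new_urlfilter_id
            steps.append(("POST", f"{CMDB}/webfilter/urlfilter",
                          {"id": fid, "name": object_name("urlfilter", web_filter),
                           "entries": [entry]}))
            steps.append(("PUT", f"{CMDB}/webfilter/profile/{web_filter}",
                          {"web": {"urlfilter-table": fid}}))
        else:
            steps.append(("POST", f"{CMDB}/webfilter/urlfilter/{fid}/entries", entry))
        policy_body = {"utm-status": "enable", "webfilter-profile": web_filter}
    else:
        name = state.get("address_name") or object_name(kind, obs)
        if state.get("address_name") is None:
            steps.append(("POST", f"{CMDB}/firewall/address",
                          address_payload(name, kind, obs)))
        members = list(dict.fromkeys([*state.get("group_members", []), name]))
        steps.append(("PUT", f"{CMDB}/firewall/addrgrp/{group}",
                      {"member": [{"name": m} for m in members]}))
        policy_body = {"dstaddr": [{"name": group}]}
    pid = state["policy_id"]
    steps.append(("PUT", f"{CMDB}/firewall/policy/{pid}", policy_body))
    top = state.get("top_policy_id")
    if top not in (None, pid):                # already first: nothing to move
        steps.append(("PUT", f"{CMDB}/firewall/policy/{pid}?action=move&before={top}", None))
    return steps


if __name__ == "__main__":
    # Constructed sample state: no address object yet, the group has one member.
    sample = {"address_name": None, "group_members": ["Old_Block"],
              "policy_id": 7, "top_policy_id": 1}
    print(defang("203.0.113.7"))
    for method, path, body in plan("203.0.113.7", sample):
        print(method, path, body)
```

Two points the plan makes explicit that the step list leaves implicit: the address-group update must resend the full member list, because a PUT on the group replaces it (sending only the new member would silently drop every earlier block), and the policy move is skipped when the policy is already first, which keeps the run idempotent.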
Configuration
- Set the `Access Token` local variable to your Fortinet FortiGate API token. Generate the token for a dedicated REST API administrator whose administrator profile is limited to the firewall address, address group, policy and web filter objects this workflow changes, and restrict that account's trusted hosts to the address the orchestration remote connects from.
- Set the `Address Group Name` local variable to the name of the address group to add address objects to
- Set the `Policy Name` local variable to the name of the firewall policy to make changes to
- Set the `Web Filter Name` local variable to the name of the web filter to add URLs to
- If you want to change the name of this workflow in the pivot menu, change its display name
Targets
Note: If your FortiGate instance is on-premises and not accessible from the internet, you will need a SecureX orchestration remote to use it with orchestration.
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
Fortinet FortiGate | HTTP Endpoint | Protocol: HTTPS; Host: your-fortigate-instance; Path: /api | None | If you use a self-signed certificate, disable certificate validation on the target. Note that doing so lets anyone on the network path impersonate the FortiGate and capture the API token, so a certificate issued by a CA the orchestration remote trusts is the safer option. |
Microsoft Teams Webhook | HTTP Endpoint | Protocol: HTTPS; Host: your-tenant.webhook.office.com; Path: /the-rest-of-the-webhook-url | None | |