On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this Github repository will not be actively maintained following this announcement.

Block URL, IP, or Domain

Workflow #0051

Response Workflow

This workflow blocks a URL, IP, or domain name in Fortinet FortiGate by adding them to a URL/web filter or address group and then updating a firewall policy. Supported observables: ip, url, domain


Change Log

Date Notes
Nov 10, 2021 - Initial release
Sep 7, 2022 - Minor updates to naming and descriptions

See the Important Notes page for more information about updating workflows


Workflow Steps

Note: Errors are accumulated during workflow execution using Add error to local variable activitys

  1. Defang the observable, generate object names, and validate input
  2. Is the observable a URL?
    • Get the web filter (if that fails
    • Extract the MKey of the URL filter from the web filter
      • If extraction succeeds, add the URL to the URL filter
      • If extraction fails, create a new URL filter and add it to the web filter
  3. Is the observable an IP address or domain?
    • Search for existing address objects for this observable
      • If an address object was found, make note of its name
      • If an address object was not found, create a new one
    • Add the address object to the address group
  4. Check if there have been errors (if so, skip the next section)
    • Get the firewall policy
    • Update the firewall policy with the objects created/updated during the workflow
    • Move the policy to the top of the policy list
  5. Compile the workflow results and send a Microsoft Teams message


  • Set the Access Token local variable to your Fortinet FortiGate API token
  • Set the Address Group Name local variable to the name of the address group to add address objects to
  • Set the Policy Name local variable to the name of the firewall policy to make changes to
  • Set the Web Filter Name local variable to the name of the web filter to add URLs to
  • If you want to change the name of this workflow in the pivot menu, change its display name


Note: If your FortiGate instance is on-premises and not accessible from the internet, you will need a SecureX orchestration remote to use it with orchestration.

Target Group: Default TargetGroup

Target Name Type Details Account Keys Notes
Fortinet FortiGate HTTP Endpoint Protocol: HTTPS
Host: your-fortigate-instance
Path: /api
None If you use a self-signed certificate, disable certificate validation on the target
Microsoft Teams Webhook HTTP Endpoint Protocol: HTTPS
Host: your-tenant.webhook.office.com
Path: /the-rest-of-the-webhook-url