Introduction
This document explains how to block an address on a FortiGate firewall manually through Logsign.
By following the steps in this document, you will be able to use Logsign to block, from the Incidents module, an address on which you want to take action.
Qualification
FortiGate is a next-generation firewall (NGFW) product. Its API support allows Logsign to perform block/unblock operations on the firewall, which acts as the response source.
When a manual block/unblock is requested, either from the Incidents module or through automation triggered by a correlation rule, Logsign's response action talks to the firewall over its API and the block is applied.
For more information, you can refer to the following guide.
When an alarm is triggered, a case is created or your existing case is updated, and you can perform the address block manually with that case open.
For more information, you can refer to the following article.
Incident Management and Response
Requirements
- FortiGate Responses Integration
- License - Incident Module
- An open case
FortiGate Action
1-All events occurring in the system can be accessed from the "Events" tab on the Logsign web interface. Under the Events tab, the number of events, priority, risk score, status, owner, and category can be tracked, analysis can be performed, and the action module can be used.
2-Clicking an event opens the event card screen.
Clicking the "More" button gives access to all the detailed information about the event.
On the event detail screen, the Action Object, risk score, structure, and asset information can be viewed. In addition, the number of times the event was triggered and the previous responses can be tracked.
3-The NIST intervention stages related to the event can be tracked at the top right, and a response can be launched with a single click using the "Action Button" at the bottom right.
4-Select the response source that will perform the block, fill in the required information, and complete the process by clicking the Submit button.
The Expire Time field defines how long the block remains in place; at most 48 hours can be set in this field.
From the same screen you can also unblock the address manually, or check the status of the unblock operation.
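The block/unblock lifecycle above (create the block, let it lapse at Expire Time, or cancel it early) is easy to get subtly wrong when scripted, so here is an added example of the same flow in Python. It is not Logsign's or Fortinet's code: it enforces the 48-hour cap before anything reaches the firewall, creates a FortiOS address object, adds it to a blocklist group that a deny policy is assumed to reference, and reverses both steps on expiry or cancellation. The FortiOS REST paths, the group name `logsign_blocklist` and the object naming are assumptions to confirm against your FortiOS version; the `FakeFortiGate` is a constructed in-memory stand-in so the example runs offline.

```python
"""Added illustration (not Logsign's or Fortinet's code) of a timed FortiGate
address block with the 48-hour Expire Time cap, using a pluggable transport."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable

MAX_BLOCK_HOURS = 48  # cap on the Expire Time field stated in the article

# Assumed FortiOS REST API (cmdb) paths; confirm against your FortiOS version.
ADDRESS_PATH = "/api/v2/cmdb/firewall/address"
ADDRGRP_PATH = "/api/v2/cmdb/firewall/addrgrp"
BLOCK_GROUP = "logsign_blocklist"  # assumed group referenced by a deny policy


@dataclass
class Request:
    method: str
    path: str
    body: dict | None = None


@dataclass
class BlockEntry:
    ip: str
    object_name: str
    expires_at: datetime


class FakeFortiGate:
    """Constructed in-memory stand-in for the firewall, enough to exercise the flow."""

    def __init__(self) -> None:
        self.addresses: dict[str, dict] = {}
        self.groups: dict[str, list[str]] = {BLOCK_GROUP: []}

    def send(self, req: Request) -> int:
        if req.method == "POST" and req.path == ADDRESS_PATH:
            if req.body["name"] in self.addresses:
                return 500  # duplicate object names are rejected
            self.addresses[req.body["name"]] = req.body
            return 200
        if req.method == "DELETE" and req.path.startswith(ADDRESS_PATH + "/"):
            name = req.path.rsplit("/", 1)[1]
            return 200 if self.addresses.pop(name, None) is not None else 404
        if req.method == "PUT" and req.path == f"{ADDRGRP_PATH}/{BLOCK_GROUP}":
            members = [m["name"] for m in req.body["member"]]
            if any(m not in self.addresses for m in members):
                return 500  # group members must be existing address objects
            self.groups[BLOCK_GROUP] = members
            return 200
        return 404

    def is_blocked(self, ip: str) -> bool:
        return any(self.addresses[m]["subnet"].startswith(ip + " ")
                   for m in self.groups[BLOCK_GROUP])


class Blocker:
    """Logsign-side bookkeeping: which blocks are active and when each expires."""

    def __init__(self, send: Callable[[Request], int]) -> None:
        self.send = send
        self.active: dict[str, BlockEntry] = {}

    def _set_group(self) -> None:
        members = [{"name": e.object_name} for e in self.active.values()]
        status = self.send(Request("PUT", f"{ADDRGRP_PATH}/{BLOCK_GROUP}", {"member": members}))
        if status != 200:
            raise RuntimeError(f"group update failed: HTTP {status}")

    def block(self, ip: str, hours: float, now: datetime) -> BlockEntry:
        addr = ipaddress.ip_address(ip)  # reject malformed input before it reaches the firewall
        if addr.version != 4:
            raise ValueError("IPv6 objects live under firewall/address6; not handled here")
        if not 0 < hours <= MAX_BLOCK_HOURS:
            raise ValueError(f"Expire Time must be between 0 and {MAX_BLOCK_HOURS} hours")
        if ip in self.active:
            raise ValueError(f"{ip} is already blocked until {self.active[ip].expires_at}")
        name = f"logsign_block_{ip}"  # assumed naming convention
        body = {"name": name, "type": "ipmask", "subnet": f"{ip} 255.255.255.255",
                "comment": "Logsign incident response block"}
        status = self.send(Request("POST", ADDRESS_PATH, body))
        if status != 200:
            raise RuntimeError(f"address object creation failed: HTTP {status}")
        self.active[ip] = BlockEntry(ip, name, now + timedelta(hours=hours))
        try:
            self._set_group()
        except RuntimeError:
            del self.active[ip]  # roll back so an unreferenced object does not linger
            self.send(Request("DELETE", f"{ADDRESS_PATH}/{name}"))
            raise
        return self.active[ip]

    def unblock(self, ip: str) -> bool:
        entry = self.active.pop(ip, None)
        if entry is None:
            return False
        self._set_group()  # remove from the group first: a referenced object cannot be deleted
        self.send(Request("DELETE", f"{ADDRESS_PATH}/{entry.object_name}"))
        return True

    def expire_due(self, now: datetime) -> list[str]:
        due = [ip for ip, e in self.active.items() if e.expires_at <= now]
        for ip in due:
            self.unblock(ip)
        return due


def demo() -> dict:
    """Runs block -> expiry against the fake firewall and returns what was observed."""
    fw, t0 = FakeFortiGate(), datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed
    blocker = Blocker(fw.send)
    try:
        blocker.block("203.0.113.7", 49, t0)
        over_cap_rejected = False
    except ValueError:
        over_cap_rejected = True
    blocker.block("203.0.113.7", 24, t0)
    blocked = fw.is_blocked("203.0.113.7")
    expired_early = blocker.expire_due(t0 + timedelta(hours=23))  # nothing due yet
    expired = blocker.expire_due(t0 + timedelta(hours=24))
    return {"over_cap_rejected": over_cap_rejected, "blocked": blocked,
            "expired_early": expired_early, "expired": expired,
            "blocked_after_expiry": fw.is_blocked("203.0.113.7"),
            "objects_left": len(fw.addresses)}


if __name__ == "__main__":
    print(demo())
```

To use this against a real unit, replace `FakeFortiGate.send` with a function that issues the request with an API token and returns the HTTP status; keep the order of operations, since FortiOS will refuse to delete an address object while a group or policy still references it, and run `expire_due` from a scheduler so the unblock actually happens when Expire Time elapses.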