Webhook / REST API - Fortigate BAN IP


A webhook is a mechanism that automates data transfer between web-based applications. When a specific event occurs, the source application sends an HTTP POST request to a predefined URL on the receiving application, so the data arrives in real time. For example, when a payment portal completes a transaction, a webhook can relay the transaction details to another system. Because the receiver is notified as soon as the event happens, webhooks avoid the routine polling that plain API integrations often require.

Below are the primary HTTP methods used with webhooks and their purposes:

POST:
  Purpose: The most commonly used HTTP method for webhooks. It is used to send data to another application when an event is triggered.
  Usage: The system sending the webhook makes a POST request to a predetermined URL, sending data related to the event (usually in JSON or XML format).

GET:
  Purpose: Rarely used for webhooks. Generally intended for data retrieval.
  Usage: In the context of webhooks, it may be used for testing or verification purposes, but it is not suitable for data transmission.

PUT:
  Purpose: Used to update or entirely replace a resource.
  Usage: Rarely used for webhooks, but it can be employed when a specific resource needs to be updated.

DELETE:
  Purpose: Used to delete a resource.
  Usage: Not used for the webhook transmission itself; however, the deletion of a resource can be the event that triggers a webhook so that the resource is also deleted in another system.

This guide explains how to trigger the ban IP action of a FortiGate firewall through a webhook. On the FortiGate side this is an automation stitch whose trigger is an incoming webhook and whose action is a CLI script; Logsign then calls that webhook from its Incident management page.

  1. Log In: Access the FortiGate device via the web interface by logging in.

  2. Navigate to Security Fabric: Click on the "Security Fabric" tab in the main menu and open the Automation page.

  3. Create the stitch: Create a new automation stitch and add a trigger of type "Incoming Webhook". The stitch name becomes the last path segment of the webhook URL, so choose it before continuing.

Take note of the sample address in the Sample cURL request section; it is the full URL that Logsign will call, and it shows where the API key is placed in the request.

The webhook that will function as the trigger has now been created. The second part of the stitch is the action: a CLI Script that executes the ban IP command on the FortiGate firewall.

We define the CLI script below. %%log.srcip%% and %%log.expire%% are placeholders that the stitch fills from the JSON body posted to the webhook, so the request must carry a "srcip" key (the IPv4 address to ban) and an "expire" key (ban duration in seconds; 0 means the ban does not expire). The word at the end of the line is not an administrator username: it is the ban cause that "diagnose user banned-ip list" later reports, and "admin" records the entry as an administrative ban.

diagnose user banned-ip add src4 %%log.srcip%% %%log.expire%% admin

Next, create the administrator that the webhook call will authenticate as: go to System > Administrators on the FortiGate, create a new REST API Admin, and generate its API key. Note the key down as soon as it is shown, since the FortiGate does not display it again. Because this key is a bearer credential, give the REST API admin the least-privileged administrator profile that still allows the stitch call, and restrict its trusted hosts to the address of the Logsign server.

We update our sample query with the API key we noted down, starting from the cURL request that the Logsign integration provides.

In this section the header and payload parameters must be defined. The header carries the API key as "Authorization: Bearer <api-key>", and the payload is the JSON body whose keys match the placeholders in the CLI script, here "srcip" and "expire". If you are not yet comfortable deriving these from the sample cURL request, tools such as Postman or an AI assistant (ChatGPT-based platforms) can help. In the example below, the header and payload values have been obtained.

Let's execute the banip method from the Incident management page.
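The request that this procedure produces, as an added example that is not part of the original article and not Logsign's or Fortinet's own code: a small Python client that validates the address and duration, builds the Bearer header and the JSON payload for the incoming-webhook stitch, and posts it. The stitch name "banip", the webhook path, the environment variable FGT_API_KEY and the sample addresses are assumptions; copy the exact URL from your own FortiGate's Sample cURL request section.

```python
"""Call a FortiGate incoming-webhook automation stitch to ban an IPv4 address.

Added example; not Logsign's or Fortinet's code. Assumptions not taken from
the article:
  - the stitch is named "banip", so the URL ends in /webhook/banip (copy the
    exact URL from your FortiGate's "Sample cURL request" instead);
  - the stitch's CLI Script action is
      diagnose user banned-ip add src4 %%log.srcip%% %%log.expire%% admin
    so the JSON body must carry the keys "srcip" and "expire".
"""
import ipaddress
import json
import ssl
import urllib.request

WEBHOOK_PATH = "/api/v2/monitor/system/automation-stitch/webhook/"


def build_ban_request(fortigate, stitch, api_key, srcip, expire):
    """Return (url, headers, body) for the POST after validating the inputs."""
    # The action uses src4, so only an IPv4 literal is acceptable. Anything
    # else (hostname, CIDR, CLI metacharacters) must never reach the
    # %%log.srcip%% placeholder, because it is substituted into a CLI command.
    addr = ipaddress.ip_address(srcip)
    if addr.version != 4:
        raise ValueError(f"src4 requires an IPv4 address, got {srcip!r}")
    # Ban duration in seconds; 0 tells the FortiGate not to expire the entry.
    expire = int(expire)
    if expire < 0:
        raise ValueError("expire must be 0 or a positive number of seconds")
    url = f"https://{fortigate}{WEBHOOK_PATH}{stitch}"
    headers = {
        "Authorization": f"Bearer {api_key}",  # key of the REST API admin
        "Content-Type": "application/json",
    }
    body = json.dumps({"srcip": str(addr), "expire": expire})
    return url, headers, body


def send_ban(fortigate, stitch, api_key, srcip, expire, cafile=None, timeout=10):
    """POST the ban request and return (HTTP status, response text).

    cafile: CA bundle that signs the FortiGate's certificate. The sample cURL
    request uses -k (no verification); do not carry that into production,
    since the Bearer token is sent on every call.
    """
    url, headers, body = build_ban_request(fortigate, stitch, api_key, srcip, expire)
    context = ssl.create_default_context(cafile=cafile)
    request = urllib.request.Request(
        url, data=body.encode(), headers=headers, method="POST"
    )
    with urllib.request.urlopen(request, timeout=timeout, context=context) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    import os

    # Constructed sample values (documentation addresses); the key comes from
    # the environment so it is not written into the script.
    print(send_ban("192.0.2.1", "banip", os.environ["FGT_API_KEY"],
                   "198.51.100.23", 3600))
```

The validation in build_ban_request is the part worth keeping even if you stay with cURL: the "srcip" value lands inside a CLI command on the firewall, so Logsign should only ever forward a clean IPv4 literal, and "expire" should be a bounded number of seconds rather than whatever the incident record happens to contain.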


You can apply a similar process for the unblock operation or different methods as well; for more details, please refer to:

https://docs.fortinet.com/document/fortindr/7.4.5/administration-guide/637981/fortigate-quarantine-webhook-setup-example
