Ban IP - Automation stitch - FAZ
Greetings community,
I was testing the automatic banning of failed login attempts IPs to our SSLVPN and I ran into this article:
They use an event handler in FAZ to create an incident when there is a "ssl-login-failed" entry and then they enable automation stitch on that event handler so it can be available at the Fortigate.
Once in the fortigate they create an automation stitch with FAZ event handler as a trigger and IP BAN as an action. I tried that in my environment and it didn't work for me, then I looked some documentation and found out that the IP BAN action only works with a Compromised Host trigger, as you ca see below from FortiGate admin guide:
|| || |IP Ban|This option is only available for Compromised Host triggers. Block all traffic from the source addresses flagged by the IoC. Go to the Dashboard > Users & Devices > Quarantine widget to view and manage quarantined IP addresses.|
So, my 1st question is, how that worked on that article I mentioned above??????
And 2nd and most important, how would you achieve this? Blocking an IP after an unsuccessful login attempt to a sslvpn using FAZ and automation then?
thanks!