u/CallEither683 : Can you refer to the exact link for MS-ISAC and CISA?
Yes, I have exactly that. It takes 70x different ASNs I am blocking
lists here: https://github.com/wallacebrf/dns/blob/main/ASN_LIST.txt
and turns them into a single file I can use in a single external threat feed
script is here: https://github.com/wallacebrf/dns/blob/main/ASN_block_lists_all.php
Not entirely sure.
I manage my own threat feeds internally. For example, I have all GoDaddy ASNs fetched and appended together into a single TXT file on an internal webserver. They get updated monthly. If for any reason one of the sites I source my lists from isn't available during a reboot or internet outage, I don't want to have a gap in availability. Threat feeds have to reload/refresh after a restart and I want the data in-house for that.
I've noticed a few IPs listed as Tor exit nodes. Haven't seen many of them yet though. The trick is that some of the nodes are listed as ISPs, not hosting providers. I try to be careful with blocking ASNs of ISPs as that might cause problems for traveling employees.
It's easier to manage my own lists. When botnets and attackers started spamming attempts on the Ivanti exploit, it opened my eyes to how many silent hosts were just waiting to become active.
Since we have no reason for hosting ASNs to log in to our VPN, there is no reason to keep their IPs unblocked. If tomorrow there is a 10/10 CVE from Fortinet, I'm already sitting better than many others, as networks known to be used for these attacks are already blacked out for me.
That’s handy, as that’s a threat feed!
You create a firewall policy from WAN interface → SSL-VPN tunnel interface (ssl.root)?
Did you happen to crosscheck these with the existing ISDB for malicious IPs or with any other public threat feeds?
What error are you getting? The CLI structure must be different between 7.0.x and 7.2.x
Yes I have posted it several times.
I did not think about the close-notify logs; perhaps I will adjust my auto-block scripts…
The address objects get removed periodically after I look at them, determine patterns and block whole subnets. Those blocks are done in threat feeds, so I never really exceed 100-150 address objects at any given period.
I just did an update to my threat feeds today and I reduced the auto-blocked address group from 142 entries down to 37 entries, as there were a lot of patterns from just a few subnets.
I only used one source, IPinfo’s free IP to Country ASN database. The OP shared the ASNs, and I looked into which ranges these ASNs own.
If you need to generate IP ranges by country or ASNs, using our free data will not take you long. You can use grep and our free IP database: Filter ASN database based on multiple ASNs - Database Downloads - IPinfo Community
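An added example of the grep-style filtering described above, written for this page and not IPinfo's or the OP's code: it reads a CSV in the shape of the free IP to Country ASN database, keeps only the rows whose asn column matches the ASNs you want to block, turns each start_ip/end_ip pair into CIDR blocks, and collapses adjacent or overlapping blocks into the smallest list of networks. The header names and the sample rows are constructed assumptions (check them against the header row of your own download); the 131,000 per-feed limit is the figure quoted in this thread. FortiGate IP feeds accept CIDR notation; whether your FortiOS version accepts IPv6 entries in the same feed is something to verify, so IPv4 and IPv6 are kept separate.

```python
import csv
import io
import ipaddress
import sys

# Constructed sample in the layout of an IPinfo "IP to Country ASN" CSV.
# The header names are an assumption; rows are read by column name so a
# different layout fails with a KeyError instead of producing a wrong feed.
SAMPLE_CSV = """start_ip,end_ip,country,country_name,continent,continent_name,asn,as_name,as_domain
192.0.2.7,192.0.2.7,US,United States,NA,North America,AS64496,Example Hosting,example-hosting.test
192.0.2.64,192.0.2.127,US,United States,NA,North America,AS64498,Unrelated Network,unrelated.test
198.51.100.0,198.51.100.127,US,United States,NA,North America,AS64496,Example Hosting,example-hosting.test
198.51.100.128,198.51.100.255,US,United States,NA,North America,AS64496,Example Hosting,example-hosting.test
203.0.113.0,203.0.113.63,DE,Germany,EU,Europe,AS64497,Example ISP,example-isp.test
203.0.113.64,203.0.113.255,DE,Germany,EU,Europe,AS64499,Other Hosting,other-hosting.test
2001:db8::,2001:db8::ffff,US,United States,NA,North America,AS64496,Example Hosting,example-hosting.test
"""

# Maximum entries one FortiGate external IP feed holds, as quoted in the thread.
FEED_LIMIT = 131_000


def parse_asn(value: str) -> int:
    """Accept either 'AS64496' or '64496' and return the number."""
    return int(value.strip().upper().removeprefix("AS"))


def networks_for_asns(csv_text: str, asns):
    """Return (ipv4_networks, ipv6_networks) owned by the given ASNs.

    Each start_ip/end_ip range becomes one or more CIDR blocks, and blocks
    that touch or overlap are merged so the feed stays as short as possible.
    """
    wanted = {parse_asn(a) for a in asns}
    nets = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row["asn"]:
            continue  # unrouted / unknown rows carry an empty asn field
        if parse_asn(row["asn"]) not in wanted:
            continue
        start = ipaddress.ip_address(row["start_ip"])
        end = ipaddress.ip_address(row["end_ip"])
        nets.extend(ipaddress.summarize_address_range(start, end))
    v4 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    v6 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 6))
    return v4, v6


def feed_lines(nets):
    """Format networks one per line; host routes are written as bare addresses."""
    lines = [
        str(n.network_address) if n.prefixlen == n.max_prefixlen else n.with_prefixlen
        for n in nets
    ]
    if len(lines) > FEED_LIMIT:
        raise ValueError(
            f"{len(lines)} entries exceed the {FEED_LIMIT}-entry feed limit; split into more feeds"
        )
    return lines


if __name__ == "__main__":
    # Usage: python3 asn_feed.py country_asn.csv AS64496 AS64497 > hosting_v4.txt
    # Without arguments it runs on the constructed sample above.
    if len(sys.argv) >= 3:
        with open(sys.argv[1], newline="") as fh:
            v4, v6 = networks_for_asns(fh.read(), sys.argv[2:])
    else:
        v4, v6 = networks_for_asns(SAMPLE_CSV, ["AS64496", "64497", "AS64499"])
    print("\n".join(feed_lines(v4)))
    print(f"# {len(v4)} IPv4 and {len(v6)} IPv6 entries", file=sys.stderr)
```

With the constructed sample, the two halves of 198.51.100.0/24 held by AS64496 merge into a single /24, and the adjacent /26, /26 and /25 split between AS64497 and AS64499 merge into 203.0.113.0/24, so three ASNs produce three IPv4 lines instead of six. Run it monthly from cron against a fresh download and publish the output on the internal webserver the thread describes.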
You have to sign up with CIS; it's free and you will get access to their threat feeds. It's a txt file that the gate can pull in, and it has a ton of different stuff: known spammers, Russian IPs, FortiGate SSL exploits, and a lot more.
Thank you! Learning this from scratch has a bit of a learning curve but I appreciate seeing a cheat sheet like this. Reading through the notes then you just have your firewall reference the individual web_blocks#.#.txt file for the threat feeds?
I have a script that takes 70x different ASNs I am blocking
lists here: https://github.com/wallacebrf/dns/blob/main/ASN_LIST.txt
and turns them into a single file I can use in a single external threat feed
script is here: https://github.com/wallacebrf/dns/blob/main/ASN_block_lists_all.php
You have to create a loopback interface, then create a firewall policy on the loopback. Otherwise you can only apply firewall rules using a local-in policy, which is a pain in the ass to manage.
The VPN service is mounted on the loopback interface instead of any WAN.
Yes. It only makes one file, since threat feeds can handle 131,000 entries and I have 18,580 entries in the file after combining the 70x ASN feeds.
I also have a version of the script for DNS block lists used by things like Pi-hole, but they are not formatted in a way compatible with FortiGate, so the script makes the format compatible. Even though the FortiGate does a good job blocking ads, trackers, and malicious things, also using the threat feeds in my web filter profile allows me to add what is currently over 2 million blocked addresses, using 17 threat feeds each maxed out at the 131,000-entry limit.
I have noticed even better blocking performance after making the system block these 2 million addresses, especially the stupid Admiral software used by a lot of sites when ads are blocked. FortiGate does not block the Admiral software on its own.
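An added example of the format conversion the comment above describes, written for this page and not the commenter's PHP script: Pi-hole style lists come as hosts-file lines (`0.0.0.0 ads.example.test`), bare domains, or AdBlock-style `||domain^` rules, and this turns them into one bare hostname per line, lowercased and deduplicated, then splits the result into files of at most 131,000 entries so each one fits a single FortiGate domain feed. The 131,000 limit is the figure quoted in the thread; the sample list, the `web_blocks` file prefix and the assumption that the FortiGate domain feed wants one hostname per line with no address column are mine.

```python
import re
import sys
from typing import Iterable, List

# Maximum entries per FortiGate external domain feed, as quoted in the thread.
FEED_LIMIT = 131_000

# Constructed sample list mixing the formats Pi-hole accepts; not a real list.
SAMPLE_LIST = """# constructed sample, not a real block list
127.0.0.1 localhost
::1 localhost ip6-localhost
0.0.0.0 ads.example.test
0.0.0.0 Tracker.Example.Test   # inline comment, mixed case
0.0.0.0 ads.example.test
cdn.tracker.example.net
||telemetry.example.org^
0.0.0.0 bad host name
0.0.0.0 metrics.example.test. beacon.example.test
"""

# Hosts-file sink addresses that mark a line as "address domain [domain...]".
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}

# Loopback names that appear in hosts files and must never reach the feed.
SKIP_NAMES = {
    "localhost", "localhost.localdomain", "local", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters",
}

# A hostname: labels of 1-63 chars, no leading/trailing hyphen, at least one dot.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)


def extract_domains(line: str) -> List[str]:
    """Return the valid hostnames on one block-list line, or an empty list."""
    line = line.split("#", 1)[0].strip()  # drop comments, full-line or inline
    if not line:
        return []
    parts = line.split()
    if parts[0] in SINK_ADDRESSES:
        candidates = parts[1:]          # hosts format, possibly several names
    elif len(parts) == 1:
        token = parts[0]
        if token.startswith("||") and token.endswith("^"):
            token = token[2:-1]         # AdBlock-style exact-domain rule
        candidates = [token]
    else:
        return []                       # unknown shape; refuse rather than guess
    out = []
    for name in candidates:
        name = name.lower().rstrip(".")
        if name not in SKIP_NAMES and HOSTNAME_RE.match(name):
            out.append(name)
    return out


def to_domain_feed(lines: Iterable[str]) -> List[str]:
    """Convert raw list lines to an ordered, deduplicated list of hostnames."""
    seen, feed = set(), []
    for line in lines:
        for name in extract_domains(line):
            if name not in seen:
                seen.add(name)
                feed.append(name)
    return feed


def chunk(entries: List[str], limit: int = FEED_LIMIT) -> List[List[str]]:
    """Split entries into consecutive slices of at most `limit` items."""
    return [entries[i:i + limit] for i in range(0, len(entries), limit)]


def write_feeds(entries: List[str], prefix: str = "web_blocks") -> List[str]:
    """Write one file per chunk (web_blocks1.txt, web_blocks2.txt, ...)."""
    paths = []
    for index, part in enumerate(chunk(entries), start=1):
        path = f"{prefix}{index}.txt"
        with open(path, "w") as fh:
            fh.write("\n".join(part) + "\n")
        paths.append(path)
    return paths


if __name__ == "__main__":
    # Usage: python3 domain_feed.py list1.txt list2.txt ...  (no args: sample)
    raw = []
    for path in sys.argv[1:]:
        with open(path) as fh:
            raw.extend(fh.read().splitlines())
    feed = to_domain_feed(raw or SAMPLE_LIST.splitlines())
    print("\n".join(feed))
    print(f"# {len(feed)} entries -> {len(chunk(feed))} feed file(s)", file=sys.stderr)
```

Point each FortiGate domain-name threat feed at one of the numbered files; when a merged list grows past 131,000 names the script simply produces one more file, which is how the 17 feeds described above come about.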
I do my blocking at home on:
config vpn ssl settings
set source-address
set source-address-negate enable
Can you do this with IPsec or is it SSL VPN only?
That… i don’t know off the top of my head. I’m still pretty new to this and only setup SSL VPNs so far. Hopefully someone with more experience can answer that for you.