The Fortigate mode works by populating an address group object with entries that have a limited lifetime.
Note that this is a "hard" method: an IP address reported by the sources is banned by your firewall automatically and without notice.
Artica PCAP Filter cannot create the firewall object itself; you must first create the address group in the Fortigate firewall, together with the account (API key) allowed to modify that object.
It is available from version 1.0.28.
The tokens -fortigate-remediation-on or -fortigate-remediation-off enable or disable the Fortigate remediation.
The token -fortigate-address [IP:port] defines your Fortigate address.
The token -fortigate-ipset [group name] defines the Fortigate address group to populate.
The token -fortigate-key defines the Fortigate API key used to authenticate Artica PCAP.
The token -fortigate-timeout defines the time to live (in minutes) of a banned IP address inside your address group object.
The token -fortigate-schedule defines, in minutes, how often the address group object is scanned to remove expired records (minimum 5 minutes, maximum 60 minutes).
All these tokens can be combined in a single command line.
Example:
articapsniffer -fortigate-remediation-on -fortigate-address 192.168.1.109:443 -fortigate-key HdH586HGb86qq1zfefN5gr54j7fcp8 -fortigate-ipset ArticaPFilter -fortigate-timeout 30 -fortigate-schedule 15
The command -fortigate-status (or -status for the global parameters) displays the saved settings.
The token -fortigate-list displays the items stored in the defined address group.
The token -fortigate-add [ipaddr] adds a new record to the Fortigate group object. You can use -fortigate-list to list all added records.
The token -fortigate-del [ipaddr] deletes a record from the Fortigate group object.
The token -fortigate-clean makes Artica PCAP Filter scan the defined group and remove expired records.
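The following is an added illustration of the lifecycle described above (timeout, schedule, add, del, list, clean); it is not Artica PCAP Filter's code and does not talk to a Fortigate. It models the address group as an in-memory table of address to expiry time, clamps the cleanup schedule to the documented 5 to 60 minute window, and shows one consequence worth knowing when planning a "hard" ban: an address whose TTL has elapsed stays in the group until the next scheduled clean, so the effective ban can exceed the timeout by up to one schedule interval. Class and function names, the timestamps and the TEST-NET-2 addresses are constructed for the example.

```python
"""In-memory model of a time-limited firewall address group.
Added example only: it is not Artica PCAP Filter's code and does not
contact a Fortigate. Class/function names are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SCHEDULE_MIN_MINUTES = 5    # documented bounds for -fortigate-schedule
SCHEDULE_MAX_MINUTES = 60


@dataclass
class BanGroup:
    """Stand-in for the Fortigate address group object."""
    timeout_minutes: int                            # -fortigate-timeout
    schedule_minutes: int                           # -fortigate-schedule
    members: dict = field(default_factory=dict)     # ip -> expiry datetime

    def __post_init__(self):
        if self.timeout_minutes <= 0:
            raise ValueError("timeout must be a positive number of minutes")
        # Clamp the cleanup schedule into the documented 5..60 minute window.
        self.schedule_minutes = max(SCHEDULE_MIN_MINUTES,
                                    min(SCHEDULE_MAX_MINUTES, self.schedule_minutes))

    def add(self, ip: str, now: datetime) -> datetime:
        """-fortigate-add: (re)insert an address and stamp its expiry."""
        expiry = now + timedelta(minutes=self.timeout_minutes)
        self.members[ip] = expiry
        return expiry

    def delete(self, ip: str) -> bool:
        """-fortigate-del: remove an address immediately, whatever its TTL."""
        return self.members.pop(ip, None) is not None

    def list_members(self, now: datetime) -> list:
        """-fortigate-list: addresses in the group with their remaining TTL (minutes)."""
        return sorted((ip, int((exp - now).total_seconds() // 60))
                      for ip, exp in self.members.items())

    def clean(self, now: datetime) -> list:
        """-fortigate-clean: drop entries whose TTL has elapsed; return them."""
        expired = [ip for ip, exp in self.members.items() if exp <= now]
        for ip in expired:
            del self.members[ip]
        return sorted(expired)

    def max_overstay_minutes(self) -> int:
        """Worst case an expired address stays banned: one schedule interval."""
        return self.schedule_minutes


def simulate(timeout_minutes: int, schedule_minutes: int) -> dict:
    """Constructed scenario: two bans, then periodic cleans until the group is empty.
    Returns {minutes since start: [addresses removed at that clean]}."""
    start = datetime(2024, 1, 1, 12, 0)                    # constructed timestamp
    group = BanGroup(timeout_minutes, schedule_minutes)
    group.add("198.51.100.7", start)                       # constructed IPs (TEST-NET-2)
    group.add("198.51.100.9", start + timedelta(minutes=10))
    removed_by_tick = {}
    tick = start
    while group.members:
        tick += timedelta(minutes=group.schedule_minutes)
        removed = group.clean(tick)
        if removed:
            removed_by_tick[int((tick - start).total_seconds() // 60)] = removed
    return removed_by_tick


if __name__ == "__main__":
    # With the page's example settings (timeout 30, schedule 15) the second
    # address expires at minute 40 but is only removed at the minute-45 scan.
    print(simulate(30, 15))
```

With the settings from the example command line (timeout 30, schedule 15), the second address expires at minute 40 but is only removed at the minute 45 scan; shortening -fortigate-schedule reduces that lag at the cost of more frequent scans of the group object.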
To reload the daemon (flush the memory caches and reload the source databases into memory), use the token -reload.