FortiGateToAbuseIPDB is a Python script that allows you to read all IPv4/IPv6 addresses from the FortiGate quarantine list, forward the malicious IPs to the AbuseIPDB service, and then clear the list.
FortiGateToAbuseIPDB is a Python script designed to automate the process of managing the quarantine list on FortiGate devices. It reads all IPv4/IPv6 addresses from the FortiGate quarantine list, forwards the malicious IPs to the AbuseIPDB service, and then clears the list. This helps in maintaining a clean quarantine list while contributing to a global database of malicious IP addresses.
- Automated Reading: Retrieves all IP addresses from the FortiGate quarantine list.
- Reporting: Submits malicious IP addresses to the AbuseIPDB service for global sharing.
- Cleanup: Clears the quarantine list after reporting, ensuring no duplication of effort.
- IPv4/IPv6 Support: Handles both IPv4 and IPv6 addresses.
- Logging: Provides detailed logging for monitoring and troubleshooting.
- Python 3.x
- FortiGate device with quarantine list access
- AbuseIPDB API key
-
Log in to your FortiGate device: Access the FortiGate web interface using your administrator credentials.
-
Create a New Administrator User:
- Go to System > Administrators.
- Click Create New and select Administrator.
- Enter a username and password for the new administrator.
- Assign the necessary permissions to read and modify the quarantine list.
-
Restrict Access (Optional):
- You can restrict access to this administrator account from a specific host where the script will be run.
- Edit the administrator you just created and set the trusted hosts to the IP address of the machine where the script will be executed.
- Create Credentials File: Create a file named
fortigate_creds.datto store your FortiGate credentials. - Encode Credentials:
-
Use a base64 encoder to encode your username and password to avoid storing them in plain text.
-
You can use a Python script or an online tool to encode the credentials:
import base64 username = "your_username" password = "your_password" creds = f"{username}:{password}" encoded_creds = base64.b64encode(creds.encode()).decode() with open("fortigate_creds.dat", "w") as f: f.write(encoded_creds)
-
Or just use those cli commands to do the same :)
echo -n 'YourAdminUserName' | base64 > /opt/FortiGateToAbuseIPDB/fortigate_creds.dat
echo -n 'YourPassword' | base64 >> /opt/FortiGateToAbuseIPDB/fortigate_creds.dat
- Set Appropriate Permissions:
-
To ensure the security of your credentials, set the file permissions to
640:chmod 640 fortigate_creds.dat
-
- Create an AbuseIPDB Account:
- Go to the AbuseIPDB website and create an account.
- Generate an API Key:
- Once logged in, navigate to the API section.
- Create a new API key that will be used by the script to identify who is submitting the malicious IP addresses.
-
Clone the Repository:
git clone https://github.com/yourusername/FortiGateToAbuseIPDB.git cd FortiGateToAbuseIPDB -
Install Dependencies: Ensure you have the necessary Python libraries installed:
pip install requests pip install paramiko
-
Configure API Keys and FortiGate Details: Edit the script
fortigate_quarantine.pyto include your AbuseIPDB API key and FortiGate device details:FORTIGATE_IP = "your_fortigate_ip_or_hostname" ABUSEIPDB_API_KEY = "your_abuseipdb_api_key"
-
Run the Script:
python3 fortigate_quarantine.py
-
Automation with Cron: To automate the execution, you can set up a cron job. For example, to run the script every hour, add the following line to your crontab:
0 * * * * /usr/bin/python3 /path/to/fortigate_quarantine.py
-
Initialization: The script starts by importing necessary libraries and setting up configuration variables, including the API keys and FortiGate device details.
-
Fetching Quarantine List: The script connects to the FortiGate device using the provided credentials and retrieves the quarantine list. This includes both IPv4 and IPv6 addresses.
-
Reporting to AbuseIPDB: For each IP address in the quarantine list, the script sends a report to AbuseIPDB using their API. This helps in contributing to a global repository of malicious IP addresses.
-
Clearing the Quarantine List: After successfully reporting the IPs, the script clears the quarantine list on the FortiGate device to ensure no duplication of reports.
-
Logging: Detailed logs are maintained throughout the process, capturing successful reports, any errors encountered, and actions taken to clear the quarantine list.
Logs are stored in /var/log/fortigate_quarantine.log by default. You can review these logs to ensure the script is functioning correctly or to diagnose any issues.
2024-06-27 15:42:22 - ---------------------------------------
2024-06-27 15:42:22 - Script execution started.
2024-06-27 15:42:22 - Debug: Processing line: 192.168.1.10 Thu Jun 27 15:32:33 2024 Fri Jun 28 15:32:33 2024 IPS
2024-06-27 15:42:22 - 192.168.1.10 IPS
2024-06-27 15:42:23 - IP 192.168.1.10 successfully reported for IPS.
2024-06-27 15:42:23 - AbuseIPDB Info for 192.168.1.10:
2024-06-27 15:42:23 - - Score: 83
2024-06-27 15:42:23 - - Domain: localdomain
2024-06-27 15:42:23 - - ISP: Local ISP
2024-06-27 15:42:23 - - Country: US
2024-06-27 15:42:23 - Debug: Processing line: 192.168.1.20 Thu Jun 27 15:30:06 2024 Tue Jul 2 15:30:06 2024 IPS
2024-06-27 15:42:23 - 192.168.1.20 IPS
2024-06-27 15:42:23 - IP 192.168.1.20 successfully reported for IPS.
2024-06-27 15:42:23 - AbuseIPDB Info for 192.168.1.20:
2024-06-27 15:42:23 - - Score: 100
2024-06-27 15:42:23 - - Domain: localdomain
2024-06-27 15:42:23 - - ISP: Local ISP
2024-06-27 15:42:23 - - Country: US
2024-06-27 15:42:23 - Debug: Processing line: 192.168.1.30 Thu Jun 27 15:36:49 2024 Tue Jul 2 15:36:49 2024 IPS
2024-06-27 15:42:23 - 192.168.1.30 IPS
2024-06-27 15:42:24 - IP 192.168.1.30 successfully reported for IPS.
2024-06-27 15:42:24 - AbuseIPDB Info for 192.168.1.30:
2024-06-27 15:42:24 - - Score: 100
2024-06-27 15:42:24 - - Domain: localdomain
2024-06-27 15:42:24 - - ISP: Local ISP
2024-06-27 15:42:24 - - Country: US
2024-06-27 15:42:24 - Debug: Processing line: fortigate01 #
2024-06-27 15:42:25 - Successfully cleared banned IPs.
2024-06-27 15:42:25 - Found 3 IPs in the quarantine list.
2024-06-27 15:51:12 - ---------------------------------------
Contributions are welcome! Please fork the repository and submit pull requests for any enhancements or bug fixes.
This project is open source and available for anyone to modify and distribute. Feel free to contribute, improve, and adapt this code to suit your needs.