Blocking IPs from Slack with multiple firewalls

I was pleasantly surprised at how easy it was to implement the R7 provided “Block Host with Fortinet Firewall from Slack” InsightConnect workflow from github. I created a connection to my lab, updated the three parameters and bam, the automation works as advertised. My problem is that I have multiple firewalls that will need to be updated from this workflow. The default code does not give any options for multiple firewall connections.

Does anyone have this workflow working with multiple firewalls? Are you using multiple connections under plugins? Did you have to alter the code at all to make this work?

Due to change control reasons, I cannot immediately test adding multiple firewall connections. I will test next week, but I am looking for any help from the community in the interim.

Hello Travis.

Fortinet has a feature that allows you to choose a threat feed for your block list. Could you instead of trying to write to multiple firewalls, have your firewalls read from that threat feed?

The workflow would need to be modified to take your Slack message and instead of writing to the firewall, write to a .txt file that your firewalls are reading. To write to the .txt file you have multiple options. The python plugin might be the most universal option for you.

https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/9463/threat-feeds

1 Like
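One way the "write to a .txt file" step could look inside the workflow's python plugin, as an added example that is not part of the R7 workflow or of this reply: it pulls IPv4 addresses and CIDR blocks out of the raw Slack message text, drops anything that is invalid or sits in an internal/reserved range (so a stray paste cannot block the LAN), merges the survivors into the feed file without duplicates, and replaces the file atomically so a firewall polling mid-write never reads a half-written list. The file path, the feed format (one IP or CIDR per line, `#` lines ignored) and the list of ranges that are never written are assumptions for this example, not values taken from Fortinet documentation or the workflow.

```python
import ipaddress
import os
import re
import tempfile
from pathlib import Path

# Matches IPv4 addresses and IPv4 CIDR blocks in free-form Slack text.
_IP_PATTERN = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?\b")

# Ranges this example refuses to write to the feed (assumption: RFC 1918,
# loopback, link-local, "this network" and multicast). Extend to taste.
_NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4",
)]


def extract_block_targets(message: str) -> list[str]:
    """Return the valid, externally routable IPv4 targets named in a Slack message.

    Invalid tokens (e.g. 999.1.1.1) and anything inside _NEVER_BLOCK are skipped;
    order of first appearance is kept and duplicates are removed.
    """
    targets: list[str] = []
    for token in _IP_PATTERN.findall(message):
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            continue
        if any(net.subnet_of(guard) for guard in _NEVER_BLOCK):
            continue
        # Write a /32 as a bare host and everything else in CIDR form.
        entry = str(net.network_address) if net.prefixlen == 32 else str(net)
        if entry not in targets:
            targets.append(entry)
    return targets


def update_feed(feed_path, message: str) -> list[str]:
    """Merge the targets from `message` into the feed file and return the full list written.

    Assumed feed format: one IP or CIDR per line, lines starting with '#' ignored.
    Calling this twice with the same message is a no-op the second time.
    """
    path = Path(feed_path)
    existing: list[str] = []
    if path.exists():
        existing = [
            line.strip()
            for line in path.read_text().splitlines()
            if line.strip() and not line.lstrip().startswith("#")
        ]
    merged = sorted(
        set(existing) | set(extract_block_targets(message)),
        key=lambda s: ipaddress.ip_network(s, strict=False),
    )
    # Write to a temp file in the same directory, then rename over the feed,
    # so the web server never serves a truncated list to a polling firewall.
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".feed-")
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(merged) + "\n")
    os.replace(tmp, path)
    return merged


if __name__ == "__main__":
    # Constructed sample: the text of a Slack message as the workflow would hand it over.
    sample = "block 203.0.113.7 and 198.51.100.0/24, ignore 10.0.0.5 and 999.1.1.1"
    print(update_feed("/tmp/blocklist.txt", sample))
```

In the workflow this function replaces the Fortinet "block host" step; every FortiGate (or any other firewall that supports an external block list) then picks the change up on its next poll of the hosted file, so adding a firewall means pointing it at the feed rather than adding a connection to the workflow.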

That is similar to how we handled our Palos when I was a customer. We used PowerShell to write to a txt file hosted on a server and pointed our Palos to it for a block list.

1 Like