FortiAnalyzer – Advanced Traffic Events for abuse traffic

I was looking for a quick method to get alerted if clients access known bad IP addresses.
This should only be a monitoring and alerting solution, not a blocking/protecting one.

To meet this requirement I came across “Event Monitoring” on my FortiAnalyzer.

It’s very simple to add a quick monitor that alerts you when clients access bad IPs.

How it works:

– On your FortiAnalyzer, go to “Event Management”; there you will find “Event handler”.

– Create a new handler for example: “Abuse – Test”

[Screenshot 2014-11-03 at 21:11:58]

You need to configure a filter: choose “Status Not Equal To DENY” and make sure that “Log messages that match” is set to “ALL”.

This setup generates an alert for all connections which are not blocked. To alert only on the “bad IPs” you should set a Generic Text Filter.

In our case:

(dstip==badip1 or dstip==badip2)

On the notification tab you can now configure syslog or email alerts for this specific event handler.

If you are lucky you can build your own tracker from published bad-IP lists.

For example, you can use the trackers from http://www.abuse.ch. (Thanks to abuse.ch for your work!)
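The following script is an added example and not part of the original post or of FortiAnalyzer itself. It covers two steps described above: it turns a plain-text bad-IP list (one address per line, in the style of an abuse.ch tracker export; the feed content here is constructed from documentation address ranges) into the Generic Text Filter string in the form the post uses, `(dstip==badip1 or dstip==badip2)`, and it replays the handler logic (“Status Not Equal To DENY” plus the destination-IP filter) over a few constructed FortiGate-style `key=value` log lines so you can check what the handler would alert on before deploying it. The `status` and `dstip` field names are taken from the post; the sample log format is an assumption.

```python
import ipaddress
import re

# Constructed sample feed in the plain-text style of an abuse.ch-type IP list:
# one address per line, '#' comments and blank lines ignored.
# The addresses are documentation ranges (RFC 5737), not real indicators.
SAMPLE_FEED = """\
# constructed sample bad-IP feed
203.0.113.10
198.51.100.7
203.0.113.10   # duplicate, should be collapsed
not-an-ip      # malformed, should be skipped
"""

# Constructed FortiGate-style traffic log lines (key=value), using the
# 'status' and 'dstip' fields the event handler filters on.
SAMPLE_LOGS = [
    'date=2014-11-03 time=21:11:58 type=traffic srcip=10.0.0.5 dstip=203.0.113.10 status=accept',
    'date=2014-11-03 time=21:12:03 type=traffic srcip=10.0.0.6 dstip=198.51.100.7 status=deny',
    'date=2014-11-03 time=21:12:10 type=traffic srcip=10.0.0.7 dstip=192.0.2.44 status=accept',
    'date=2014-11-03 time=21:12:15 type=traffic srcip=10.0.0.8 dstip=198.51.100.7 status=start',
]


def parse_feed(text):
    """Return an ordered, de-duplicated list of valid IPv4 addresses from a feed."""
    seen = set()
    ips = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not entry:
            continue
        try:
            ip = str(ipaddress.IPv4Address(entry))
        except ValueError:
            continue  # skip malformed entries rather than emit a broken filter
        if ip not in seen:
            seen.add(ip)
            ips.append(ip)
    return ips


def build_generic_text_filter(ips):
    """Render the Generic Text Filter in the form shown in the post."""
    if not ips:
        raise ValueError("an empty IP list would produce a filter that matches nothing")
    return "(" + " or ".join(f"dstip=={ip}" for ip in ips) + ")"


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log_line(line):
    """Parse a key=value log line into a dict (quoted values are unquoted)."""
    return {key: value.strip('"') for key, value in _KV.findall(line)}


def handler_matches(log_line, bad_ips):
    """Mirror the handler: status is not DENY and dstip is in the bad-IP list."""
    fields = parse_log_line(log_line)
    if fields.get("status", "").lower() == "deny":
        return False  # blocked connections are excluded by 'Status Not Equal To DENY'
    return fields.get("dstip") in set(bad_ips)


def alerts_for(log_lines, bad_ips):
    """Return the destination IPs of every log line the handler would alert on."""
    return [parse_log_line(line)["dstip"] for line in log_lines if handler_matches(line, bad_ips)]


if __name__ == "__main__":
    bad = parse_feed(SAMPLE_FEED)
    print("Generic Text Filter:", build_generic_text_filter(bad))
    print("Would alert on:", alerts_for(SAMPLE_LOGS, bad))
```

Running the script prints the filter string to paste into the event handler and the list of destinations the sample logs would have triggered; the denied connection to 198.51.100.7 is correctly excluded, while the later non-denied connection to the same address is reported.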

[Screenshot: Abuse-Event2]

After this you’re able to get an event whenever a client connects to a bad IP.

Have fun.
