CrowdSec Blocklist Integration with FortiGate Firewall

From Notes_Wiki

Overview

This document describes the step-by-step procedure to integrate CrowdSec blocklists with a FortiGate Firewall using an external threat feed to automatically block malicious IP addresses.

Prerequisites

  • Active CrowdSec account
  • Administrator access to FortiGate Firewall
  • FortiGate firmware supporting external threat feeds
  • Internet connectivity

Step 1: Access CrowdSec Portal

This step allows you to access the CrowdSec management portal and prepare the integration.

  • Open a web browser and navigate to https://www.crowdsec.net/.
  • Click Login / Sign Up in the top-right corner.
  • Sign in with your existing account, or create a new account if required.
  • After successful login, open the CrowdSec dashboard.

Step 2: Open Blocklists and Integrations

This step navigates to the integration management section.

  • From the dashboard, click Blocklists.
  • From the left-side menu, select Integrations.
  • The Integrations page displays all configured connectors.

Step 3: Create a New Integration

This step creates a CrowdSec integration profile for FortiGate.

  • On the Integrations page, select FortiGate as the vendor.
  • Click Connect.
  • Enter an integration name.
  • Add tags such as firewall or blocklist.
  • Optionally add a short description.
  • Click Create.

Step 4: Copy Integration Credentials

This step collects the credentials required for firewall authentication.

  • Copy the Endpoint, Username, and Password.
  • Store these credentials securely, as they are displayed only once.
  • Click Continue.

Step 5: Subscribe to a Blocklist

This step activates the CrowdSec threat intelligence feed.

  • When prompted, click Plug a blocklist.
  • Browse the Blocklist Catalog and select the required blocklist.
  • Open the blocklist details and click Subscribe.
  • Choose the preferred remediation option.
  • Click Confirm subscription.
  • Return to the Integrations page and verify the blocklist is attached.

Step 6: Log in to FortiGate Firewall

This step provides access to the FortiGate management interface.

  • Open a web browser and enter the FortiGate management IP address.
  • Log in using administrator credentials.
  • Access the main dashboard.

Step 7: Create External Threat Feed Connector

This step connects FortiGate to the CrowdSec IP feed.

  • Navigate to Security Fabric → External Connectors.
  • Click Create New.
  • Select External Threat Feed.
  • Choose IP Address under Threat Feeds.
  • Enter a connector name (for example, Active Threat IP).
  • Paste the CrowdSec Endpoint URL.
  • Enable HTTP basic authentication.
  • Enter the Username and Password.
  • Set the refresh rate as required.
  • Click OK to save.

Step 8: Verify External Connector

This step confirms the connector is active and synchronized.

  • Verify the connector appears under Threat Feeds.
  • Ensure the status shows active.
  • Confirm synchronization is successful.

Step 9: Create Firewall Security Policy

This step enforces blocking using the CrowdSec feed.

  • Go to Policy & Objects → Firewall Policy.
  • Create a new inside-to-outside policy.
  • Set the destination to the Active Threat IP feed.
  • Select DENY as the action.
  • Click OK to apply the rule.
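Before a DENY policy is enforced against the feed, it is worth checking what the endpoint actually serves. The following Python sketch is an added example, not part of the original procedure or of CrowdSec or Fortinet tooling. It assumes the endpoint returns plain text with one IP address or CIDR per line; the sample feed, the internal-range list and the prefix floors are constructed for illustration.

```python
import base64
import ipaddress
import urllib.request

# Constructed sample feed body (documentation ranges), not real CrowdSec data.
SAMPLE_FEED = """\
# constructed sample
198.51.100.7
203.0.113.0/24
192.168.1.10
0.0.0.0/0
not-an-ip
2001:db8::1
"""
# Ranges that should never appear in a deny feed (assumed list; add your own).
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10")]
MIN_PREFIX = {4: 16, 6: 32}  # assumed floor: broader entries are suspicious


def fetch_feed(endpoint, username, password, timeout=10):
    """GET the feed with HTTP basic authentication, like the FortiGate connector."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(endpoint, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def audit_feed(text):
    """Return (ok, flagged); flagged holds (line_no, entry, reason) tuples."""
    ok, flagged = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            # Also catches a-b ranges, which this example does not parse.
            flagged.append((line_no, entry, "not an IP or CIDR"))
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            flagged.append((line_no, entry, "prefix too broad"))
        elif any(r.version == net.version and r.overlaps(net) for r in INTERNAL):
            flagged.append((line_no, entry, "overlaps internal range"))
        else:
            ok.append(net)
    return ok, flagged
```

For a live check, pass the text returned by `fetch_feed()` (called with the Endpoint, Username and Password from Step 4) to `audit_feed()` and review anything flagged before enabling the policy.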

Conclusion

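The CrowdSec blocklist integration with FortiGate Firewall is complete. The firewall now retrieves the subscribed blocklist automatically through the external threat feed connector and, through the policy created in Step 9, denies traffic to the malicious IP addresses it lists.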
