question

timothydilbert avatar image
0 Likes"
timothydilbert asked

Managing Dynamic Address Group for SaaS-related rules

Hi Everyone,

I have a ticket opened with Fortinet Support on this, but I thought I would also put the question here in case people in the community have a workaround you could share.

I want to define a policy that allows inbound/outbound connections from trusted IPs related to a SaaS service provider (in this case, GitHub). GitHub has its list of IPs trusted IPs available in JSON format (https://api.github.com/meta). The goal is to establish rules using those IP lists.

As you can see, this list can have dozens of IPs. Creating an "Address" for each GitHub subnet is no small task, especially since that IP list is dynamic, which means IPs can be added/removed at any time.

Because I am seeing a trend where SaaS platforms provide their IPs in JSON format (e.g. Zendesk, ServiceNow, Okta, Google), I figured these dynamic IP lists must be common enough that other Fortinet administrators must have found some workarounds for automating supporting and the management of policies with rules relying on these IP lists being kept up to date.

Does anyone have any advice on how to define policies using IPs from these JSON documents?

Firewall policyDynamic address
10 |600
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

1 Answer

·
ftntdocs avatar image
2 Likes"
ftntdocs answered

Hi timothydilbert,
Currently, there is no way to import a list in JSON format to FortiGate. However, a list in a text format can be imported using a threat feed. Please see Threat Feeds for more information.

Workaround:
Internet Service can be used in a policy to allow inbound/outbound connection from/to trusted IPs related to SaaS.

The Internet Service Database is a comprehensive public IP address database that combines IP address range, IP owner, service port number, and IP security credibility. The data comes from the FortiGuard service system and the database updates regularly with a valid FortiCare support contract.

For example:
Using GitHub as the destination in a firewall policy

11.png

Instructions for using Internet Service in a policy can be found here:

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/179236/using-internet-service-in-a-policy




11.png (47.6 KiB)
10 |600
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

Welcome to FortiAnswers

FortiAnswers is the space dedicated to FortiSASE and FortiOS questions and suggestions.

  • Please review the Community guidelines
  • If you are a moderator, please refer to the Moderation guidelines
  • If something in the above guidelines is unclear, please post your question to the Community Feedback space or the Moderators' space