Mar 09 2022 01:28 AM
Hi All,
Greetings.
I need to check if any IP address from Ukraine and Russia is connecting to my network through my perimeter FortiGate firewall. Could you please let me know how I can do the filtering based on geolocation? How can I achieve this?
Thanks in advance for your support.
Mar 09 2022 02:09 AM
Solution
Good timing - I just answered this type of question on another thread earlier today, maybe
// Load a public GeoIP CSV (CIDR network -> country) as an in-query lookup table
let IP_Data =
external_data(network:string, geoname_id:long, continent_code:string, continent_name:string, country_iso_code:string, country_name:string, is_anonymous_proxy:bool, is_satellite_provider:bool)
['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv']
with (ignoreFirstRecord=true, format="csv");
CommonSecurityLog
| where DeviceVendor == "Fortinet"
| where DeviceProduct startswith "Forti"
// Count connections per remote IP; swap DestinationIP for SourceIP to look at inbound peers
| summarize ipCount=count() by IPAddress=DestinationIP
| where isnotempty(IPAddress)
// Longest-prefix match of each IP against the CIDR column of the lookup table
| evaluate ipv4_lookup(IP_Data, IPAddress, network)
| where country_iso_code in ('RU','UA')
You just need to swap line #8 to SourceIP if you want that instead. You may need to add other 'where' filters, but this should be the basics.
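As an added example (not the query posted above, and not Microsoft's or Fortinet's own code), the same lookup extended to cover both directions at once, keeping the firewall's action and first/last-seen times so a detection engineer can tell an allowed session from a blocked probe. It assumes the standard Sentinel CommonSecurityLog columns (TimeGenerated, SourceIP, DestinationIP, DeviceAction) and the same community GeoIP CSV; the 24-hour window and the WatchCountries list are example values.

```kql
// Added example: geo-filter FortiGate CommonSecurityLog in both directions (not from the original post)
let IP_Data = external_data(network:string, geoname_id:long, continent_code:string, continent_name:string, country_iso_code:string, country_name:string, is_anonymous_proxy:bool, is_satellite_provider:bool)
['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv']
with (ignoreFirstRecord=true, format="csv");
let WatchCountries = dynamic(['RU', 'UA']);   // example watch-list, adjust as needed
let FortiLogs = CommonSecurityLog
| where TimeGenerated > ago(24h)               // example window
| where DeviceVendor == "Fortinet" and DeviceProduct startswith "Forti";
// Inbound sessions: the remote peer is the SourceIP
let Inbound = FortiLogs
| where isnotempty(SourceIP)
| project TimeGenerated, DeviceAction, RemoteIP = SourceIP, Direction = "inbound";
// Outbound sessions: the remote peer is the DestinationIP
let Outbound = FortiLogs
| where isnotempty(DestinationIP)
| project TimeGenerated, DeviceAction, RemoteIP = DestinationIP, Direction = "outbound";
union Inbound, Outbound
// RFC 1918 peers never resolve in the GeoIP table; drop them before the lookup
| where not(ipv4_is_private(RemoteIP))
| summarize Connections = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by RemoteIP, Direction, DeviceAction
// Longest-prefix match of RemoteIP against the CIDR column of the lookup table
| evaluate ipv4_lookup(IP_Data, RemoteIP, network)
| where country_iso_code in (WatchCountries)
| project-away geoname_id, continent_code, continent_name, is_anonymous_proxy, is_satellite_provider
| order by Connections desc
```

Two practical notes: the DeviceAction column is what separates a blocked scan (noise you may only want to trend) from an accepted session (worth triage), and the public CSV is a static snapshot, so for production use pair it with a maintained GeoIP feed and remember that geolocation says nothing about traffic that arrives through VPNs, proxies or cloud hosting in another country.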