With IaC growing, we have a means to write code for infrastructure. The Terraform FortiOS provider gives us the means to deploy a host of items, including:
- policy
- address
- static routes
- address groups
This sample will focus on address and address-group objects. The group here is BLOCK_LIST; the deny rules would reference it as source and destination, inbound and outbound. After extracting malicious addresses from a variety of logs or tools, the SOC cyber-investigation team would write the straightforward lines to update main.tf.
First, we have to set up the FortiOS device with an API user. It is crucial that this account has read/write access, and you should restrict it to a trusted host. My Terraform server is a DigitalOcean droplet. When setting up the API user, make sure to copy the API key.
Next we will set up a directory and our main.tf, define the hostname and API key, then initialise and validate:
terraform init
terraform validate
Next, make sure the policy rule that uses the block list already exists, since Terraform will only add these addresses to the group that the existing rule references.
Since an address group in FortiOS cannot be empty, you want to create a dummy host and keep it in the group permanently. An APIPA address is ideal for this function:
# dummy address for holding DO NOT REMOVE
resource "fortios_firewall_address" "dumbaddress" {
  name   = "dumbaddress"
  subnet = "169.254.66.66/32"
}
The code will create the new addresses and add them to the BLOCK_LIST groups, e.g.:
# dummy address for holding DO NOT REMOVE
resource "fortios_firewall_address" "dumbaddress" {
  name   = "dumbaddress"
  subnet = "169.254.66.66/32"
}
resource "fortios_firewall_address" "address11" {
  name   = "address11"
  subnet = "192.168.1.1/32"
}
resource "fortios_firewall_address" "INC56666_1" {
  name   = "INC56666_1"
  subnet = "26.26.26.26/32"
}
resource "fortios_firewall_object_addressgroup" "BLOCK_LIST2" {
  name   = "BLOCK_LIST2"
  member = ["dumbaddress","address11","INC56666_1"]
}
resource "fortios_firewall_object_addressgroup" "BLOCK_LIST" {
  name   = "BLOCK_LIST"
  member = ["dumbaddress","TXDOT","HOST111","address11","address12","INC56666_1"]
}
Once you have checked the code in, you can run a plan or apply with auto-approve, based on your comfort level, e.g.:
terraform apply -auto-approve
terraform state list
Using Terraform helps you maintain the configuration as code, gives you a simple means of revision and review if you output a plan, and lets you check main.tf into a repository such as GitHub.
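To show the SOC step above in working code, here is an added helper (not from the original post or the FortiOS provider) that turns a pasted list of extracted addresses into the main.tf fragment shown earlier. It assumes the post's naming convention (INC56666_1, INC56666_2, ...), keeps the dummy holding member and any members already in BLOCK_LIST, and rejects malformed, IPv6 and APIPA entries so the dummy's range is never blocked; the sample IOC list is constructed for the demo.

```python
import ipaddress
import re

# Permanent holding member: a FortiOS address group cannot be empty (from the post).
DUMMY_NAME = "dumbaddress"
DUMMY_SUBNET = "169.254.66.66/32"

ADDRESS_TMPL = ('resource "fortios_firewall_address" "{name}" {{\n'
                '  name   = "{name}"\n  subnet = "{subnet}"\n}}\n')
GROUP_TMPL = ('resource "fortios_firewall_object_addressgroup" "{name}" {{\n'
              '  name   = "{name}"\n  member = [{members}]\n}}\n')

# Constructed sample of what an analyst might paste after triage (not real IOCs).
SAMPLE_IOCS = [
    "26.26.26.26          # C2 seen in proxy log",
    "203.0.113.7",
    "26.26.26.26/32       # duplicate of the first entry",
    "169.254.1.1          # APIPA: reserved for the dummy member, never block",
    "not-an-ip",
]

def parse_iocs(raw_lines):
    """Normalise pasted lines to unique IPv4 CIDRs. Returns (accepted, rejected):
    comments and blanks are skipped; malformed, IPv6 and link-local entries are rejected."""
    accepted, rejected, seen = [], [], set()
    for line in raw_lines:
        token = line.split("#", 1)[0].strip()
        if not token:
            continue
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            rejected.append(token)
            continue
        if net.version != 4 or net.is_link_local:
            rejected.append(token)
        elif net not in seen:
            seen.add(net)
            accepted.append(str(net))
    return accepted, rejected

def render_tf(incident_id, subnets, existing_members=()):
    """Emit the main.tf fragment: one address per subnet named <incident>_<n>
    (the post's INC56666_1 convention) and a BLOCK_LIST group that keeps the
    dummy plus any members already in the group, so nothing is dropped on apply."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", incident_id):
        raise ValueError("incident id must be a valid Terraform resource name")
    names = [f"{incident_id}_{i}" for i in range(1, len(subnets) + 1)]
    out = [ADDRESS_TMPL.format(name=DUMMY_NAME, subnet=DUMMY_SUBNET)]
    out += [ADDRESS_TMPL.format(name=n, subnet=s) for n, s in zip(names, subnets)]
    members = [DUMMY_NAME] + [m for m in existing_members if m != DUMMY_NAME] + names
    out.append(GROUP_TMPL.format(name="BLOCK_LIST", members=",".join(f'"{m}"' for m in members)))
    return "".join(out)

if __name__ == "__main__":
    ok, bad = parse_iocs(SAMPLE_IOCS)
    print(render_tf("INC56666", ok, existing_members=["TXDOT", "HOST111"]))
    print("# rejected:", bad)
```

Review the printed fragment and the rejected list before pasting it into main.tf and running terraform plan.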
NSE (Network Security Expert) and Route/Switching Engineer