This Python script bridges your MISP (Malware Information Sharing Platform) instance with FortiGate firewalls by exporting dynamic IP threat intelligence lists and serving them via a local HTTP server in a format compatible with FortiGate’s External Block List (EBL) feature.
- 🔁 Automated IOC Refresh: Pulls fresh `ip-dst` and `ip-src` attributes from your MISP instance every 15 minutes.
- 📄 EBL-Compatible Output: Produces a flat, newline-separated IP list (misp_ip_blocklist.txt) readable by FortiGate firewalls.
- 🌐 Local Web Server: Hosts the IP list on a local HTTP server for easy ingestion by FortiGate.
- 🧵 Multithreaded: Web server and MISP polling run concurrently in separate threads.

Requirements:

- Python 3.6+
- PyMISP (distributed under an open source license)

Install dependencies:

```
pip install pymisp
```

Clone this repository:

```
git clone https://github.com/malek-annabi/misp-ip-block-list.git
cd misp-ip-block-list
```

Create a text file in the same directory:

```
touch misp_ip_blocklist_v2.txt
```

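Edit the script to configure your MISP instance:

```python
MISP_URL = 'https://your-misp-instance'
MISP_KEY = 'your_misp_api_key'
# False disables TLS certificate verification for the MISP connection;
# set it to True once this host trusts the MISP server's certificate.
VERIFY_CERT = False
LISTEN_PORT = 8080
```
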
Run the script:

```
python3 mispv2.py
```

The IOC list will be available at:

```
http://<your-ip>:8080/misp_ip_blocklist.txt
```

- 🧼 Ensure that your MISP filters out test or low-confidence data before exporting to a production firewall.
- 🔐 Avoid exposing the HTTP service to the public internet without proper access controls.
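
One way to enforce the first note on the exporting side, as an added example that is not part of this repository's script: a pre-filter that drops malformed values, over-broad prefixes and never-block ranges before the list is written for the firewall. The names `sanitize`, `render_ebl`, `NEVER_BLOCK` and `MIN_PREFIX`, the prefix limits and the sample values are assumptions made for illustration.

```python
import ipaddress

# Assumption: ranges that must never be pushed to the firewall. The RFC 1918,
# loopback and link-local entries are standard; 198.51.100.0/24 is a constructed
# stand-in for a range your organisation depends on.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "198.51.100.0/24")]
MIN_PREFIX = {4: 16, 6: 32}  # assumption: reject anything broader than this

# Constructed sample of raw ip-src / ip-dst attribute values.
SAMPLE = ["203.0.113.10", " 203.0.113.10 ", "203.0.113.64/26", "10.1.2.3",
          "0.0.0.0/0", "198.51.100.25", "example.test", "2001:db8:bad::1"]


def sanitize(values, never_block=NEVER_BLOCK):
    """Split raw attribute values into (kept networks, rejected with reason)."""
    kept, rejected = set(), []
    for raw in values:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            rejected.append((raw, "not an IP or CIDR"))
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            rejected.append((raw, "prefix too broad"))
        elif any(net.version == n.version and net.overlaps(n) for n in never_block):
            rejected.append((raw, "overlaps never-block range"))
        else:
            kept.add(net)  # the set removes duplicates
    return kept, rejected


def render_ebl(kept):
    """Flat newline-separated list; single hosts are written as bare addresses."""
    ordered = sorted(kept, key=lambda n: (n.version, n.network_address, n.prefixlen))
    lines = [str(n.network_address) if n.num_addresses == 1 else str(n)
             for n in ordered]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    kept, rejected = sanitize(SAMPLE)
    print(render_ebl(kept), end="")
    for raw, reason in rejected:
        print(f"rejected {raw!r}: {reason}")
```

Logging the rejected values with their reasons gives analysts a trail back to the MISP attribute that needs correcting.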

In FortiOS 6.2+:

```
config firewall threat-feed
    edit "misp_ip_feed"
        set server "http://<your-ip>:8080/misp_ip_blocklist.txt"
        set type ip
    next
end

config firewall address
    edit "MISP_IP_List"
        set type external-ip
        set external-ip-blocklist "misp_ip_feed"
    next
end

config firewall policy
    edit 0
        set name "block_misp_ips"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "MISP_IP_List"
        set action deny
        set schedule "always"
        set service "ALL"
    next
end
```

GNU PUBLIC v3.0 License