This article describes how to ban an IP address on the FortiGate by using an automation stitch for a failed IPsec connection.
Scope
FortiGate.
Solution
Create an automation stitch. For the trigger, create a new trigger of type 'FortiOS Event Log' and select the event 'IPsec connection failed':
See: Creating automation stitches | FortiGate / FortiOS 7.4.4 | Fortinet Document Library
For the action, create a CLI script action and use the following command, which bans (quarantines) the source IP address taken from the event log:
diagnose user quarantine add src4 %%log.epip%% 9504000 admin
Note: From v7.2 onwards, 'banned-ip' is used instead of 'quarantine' in this command.
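The same stitch expressed as a CLI configuration, as an added example that is not part of the original article. The object names ("ipsec-conn-failed", "ban-ipsec-peer", "ban-failed-ipsec-peer") are assumptions, and the event log ID of the 'IPsec connection failed' event is left as a placeholder because the article does not state it; selecting the event in the GUI fills it in. The duration 9504000 is in seconds (110 days), and %%log.epip%% is the endpoint IP field of the triggering log entry.

```fortios
# Trigger: fire on the 'IPsec connection failed' event log (log ID is a placeholder)
config system automation-trigger
    edit "ipsec-conn-failed"
        set event-type event-log
        set logid <LOGID-OF-IPSEC-CONNECTION-FAILED>
    next
end

# Action: CLI script that bans the peer IP from the triggering log entry.
# Use the 'quarantine' form below v7.2 and the 'banned-ip' form from v7.2 onwards.
config system automation-action
    edit "ban-ipsec-peer"
        set action-type cli-script
        # FortiOS < 7.2:
        # set script "diagnose user quarantine add src4 %%log.epip%% 9504000 admin"
        # FortiOS >= 7.2:
        set script "diagnose user banned-ip add src4 %%log.epip%% 9504000 admin"
        set accprofile "super_admin"
    next
end

# Stitch: tie the trigger to the action
config system automation-stitch
    edit "ban-failed-ipsec-peer"
        set status enable
        set trigger "ipsec-conn-failed"
        config actions
            edit 1
                set action "ban-ipsec-peer"
            next
        end
    next
end
```

To confirm the stitch worked, list the banned entries with `diagnose user banned-ip list` (or `diagnose user quarantine list` below v7.2) after a failed IPsec negotiation; an entry should appear for the peer address. Use `diagnose user banned-ip delete src4 <ip>` to lift a ban early if a legitimate peer was caught, for example one that simply has a mistyped pre-shared key.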