diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2af080ad..62790ee1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,7 @@ The **patch** part changes incrementally at each release.
 * evocheck: the crontab is updated by the role (default: `True`)
 * evolinux-base: add mail related aliases
 * fail2ban: add a variable to disable the ssh filter (default: `False`)
+* fail2ban: add a variable to update the list of ignored IP addresses/blocs (default: `False`)
 * generate-ldif: detect installed packages even if "held" by APT
 * java: support for Oracle JRE
 * kibana: log messages go to /var/log/kibana/kibana.log
diff --git a/fail2ban/README.md b/fail2ban/README.md
index d13dbb25..99ab0ae3 100644
--- a/fail2ban/README.md
+++ b/fail2ban/README.md
@@ -12,7 +12,8 @@ Main variables are :
 * `general_alert_email`: email address to send various alert messages (default: `root@localhost`).
 * `fail2ban_alert_email`: email address for messages sent to root (default: `general_alert_email`).
-* `fail2ban_ignore_ips`: list of IPs to ignore (default: empty).
+* `fail2ban_default_ignore_ips`: default list of IPs to ignore (default: empty).
+* `fail2ban_additional_ignore_ips`: additional list of IPs to ignore (default: empty).
 * `fail2ban_disable_ssh`: if true, the "sshd" filter is disabled, otherwise nothing is done, not even enabling the filter (default: `False`).
 The full list of variables (with default values) can be found in `defaults/main.yml`.
diff --git a/fail2ban/defaults/main.yml b/fail2ban/defaults/main.yml
index 06cd9d51..d983b32a 100644
--- a/fail2ban/defaults/main.yml
+++ b/fail2ban/defaults/main.yml
@@ -2,8 +2,12 @@
 general_alert_email: "root@localhost"
 fail2ban_alert_email: Null
+# Note: there are 2 variable to allow various overrides, but they are merged.
+# "127.0.0.1/8" is always added to the list, even if the following lists are empty.
 fail2ban_default_ignore_ips: []
 fail2ban_additional_ignore_ips: []
+# WARN: setting this to True will overwrite the list of ignored IP
+fail2ban_force_update_ignore_ips: False
 fail2ban_wordpress: False
 fail2ban_roundcube: False
diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml
index e9bd0482..3c6fea69 100644
--- a/fail2ban/tasks/main.yml
+++ b/fail2ban/tasks/main.yml
@@ -28,6 +28,17 @@
   tags:
     - fail2ban
+- name: update ignoreips lists
+  ini_file:
+    dest: /etc/fail2ban/jail.local
+    section: "[DEFAULT]"
+    option: "ignoreips"
+    value: "{{ fail2ban_ignore_ips | join(' ') }}"
+  notify: restart fail2ban
+  when: fail2fail2ban_force_update_ignore_ips
+  tags:
+    - fail2ban
 - name: Disable SSH filter
   ini_file:
     dest: /etc/fail2ban/jail.local
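Review bot: The `WARN` comment above `fail2ban_force_update_ignore_ips` should say what the existing value is replaced with and that hand-made edits to jail.local are lost, because `ignoreip` is the set of addresses fail2ban will never ban and an operator needs to know the role will clobber it on every run; I would write `# WARN: when True, the ignoreip line in jail.local is overwritten on every run with 127.0.0.1/8 plus the two lists above; local edits to that line are lost.` The "Note" comment has a grammar slip (`there are 2 variable` should be `there are 2 variables`) and would help readers more if it named where the merge into the final list happens, since that code is not in this diff.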
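Review bot: The `when:` on the new "update ignoreips lists" task references `fail2fail2ban_force_update_ignore_ips`, which is not the `fail2ban_force_update_ignore_ips` declared in defaults/main.yml, so the conditional evaluates an undefined variable and the play errors out instead of skipping the task; it should read `when: fail2ban_force_update_ignore_ips`. The option name is also wrong for fail2ban: the jail setting is `ignoreip` (singular), so `option: "ignoreips"` writes a key fail2ban never reads and the allowlist silently has no effect; change it to `option: "ignoreip"`. `section: "[DEFAULT]"` will most likely be emitted as `[[DEFAULT]]` because the ini_file module adds the brackets itself, so `section: DEFAULT` is probably what is intended — worth checking against the existing "Disable SSH filter" task, whose section line is outside this hunk. Finally, `value` interpolates `fail2ban_ignore_ips`, the very variable this commit removes from the README; if it is the merged list (default + additional + 127.0.0.1/8) set earlier in tasks/main.yml that is fine, but if it is not, the task either fails on an undefined variable or, since it rewrites the whole `ignoreip` line, drops localhost from the exemption list.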