Technical Tip: How to avoid IPsec VPN log entries from blocked IP addresses
Description
This article describes how to use an access control list (ACL) to stop the FortiGate from generating IPsec VPN log entries for IP addresses that should be blocked.
Solution
Partial packet flow at ingress (diagram omitted from this page): the ACL check is performed at ingress, before the packet reaches the IPsec engine.
The access control list drops the packet before it reaches the IPsec VPN decryption process, so the repeated VPN log entries for the IP addresses blocked by the ACL are no longer generated.
Sample configuration:
To block IPsec traffic from a particular IP address arriving on the WAN interface, from the CLI:
# config firewall acl
    edit 1
        set interface "WAN"
        set srcaddr "block_ip"
        set dstaddr "wan_interface_ip"
        set service "udp_500_4500"
    next
end
*block_ip <----- Address object (or group) containing the IP addresses that are attempting to establish IPsec from outside.
*wan_interface_ip <----- Address object for the IP of the interface on which IPsec is listening.
*udp_500_4500 <----- Service object for the IPsec ports, UDP 500 (IKE) and UDP 4500 (NAT-T).
These three objects must already exist (under config firewall address and config firewall service custom) before the ACL can reference them.
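As an added example that is not part of the Fortinet article, the following Python script shows one way to arrive at the objects the ACL references: it parses FortiGate IPsec VPN event logs, counts failed phase-1 negotiations per remote IP against the WAN address, and renders the address, address-group, service and ACL configuration as FortiOS CLI text. The log lines are constructed for the example (field names modelled on FortiGate's key="value" event format, not captured from a device), the failure threshold is an arbitrary choice, and the script assumes the ACL's srcaddr may reference an address group named block_ip; the interface name "WAN" and the object names come from the article.

```python
"""Build the FortiGate ACL objects from IPsec negotiation-failure logs.

Added example, not from the Fortinet article. Log format and threshold are
illustrative assumptions; the CLI tables used (firewall address, addrgrp,
service custom, acl) are standard FortiOS tables.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (not captured from a real device): a subset of
# FortiGate VPN event fields. 203.0.113.5 and 203.0.113.200 each fail three
# times against the WAN IP, 203.0.113.77 fails once, 192.0.2.9 succeeds.
SAMPLE_LOGS = """\
date=2024-05-01 time=10:00:01 type="event" subtype="vpn" action="negotiate" status="failure" remip=203.0.113.5 locip=198.51.100.1 remport=500 locport=500 msg="IPsec phase 1 error"
date=2024-05-01 time=10:00:03 type="event" subtype="vpn" action="negotiate" status="failure" remip=203.0.113.5 locip=198.51.100.1 remport=500 locport=500 msg="IPsec phase 1 error"
date=2024-05-01 time=10:00:05 type="event" subtype="vpn" action="negotiate" status="failure" remip=203.0.113.5 locip=198.51.100.1 remport=4500 locport=4500 msg="IPsec phase 1 error"
date=2024-05-01 time=10:00:06 type="event" subtype="vpn" action="negotiate" status="failure" remip=203.0.113.5 locip=10.0.0.1 remport=500 locport=500 msg="IPsec phase 1 error"
date=2024-05-01 time=10:00:09 type="event" subtype="vpn" action="negotiate" status="failure" remip=203.0.113.77 locip=198.51.100.1 remport=500 locport=500 msg="IPsec phase 1 error"
date=2024-05-01 time=10:00:11 type="event" subtype="vpn" action="negotiate" status="success" remip=192.0.2.9 locip=198.51.100.1 remport=500 locport=500 msg="progress IPsec phase 1"
date=2024-05-01 time=10:00:12 type="event" subtype="vpn" action="negotiate" status="failure" remip=203.0.113.200 locip=198.51.100.1 remport=500 locport=500 msg="IPsec phase 1 error"
date=2024-05-01 time=10:00:14 type="event" subtype="vpn" action="negotiate" status="failure" remip=203.0.113.200 locip=198.51.100.1 remport=500 locport=500 msg="IPsec phase 1 error"
date=2024-05-01 time=10:00:16 type="event" subtype="vpn" action="negotiate" status="failure" remip=203.0.113.200 locip=198.51.100.1 remport=500 locport=500 msg="IPsec phase 1 error"
date=2024-05-01 time=10:00:20 type="event" subtype="system" action="login" status="success" user="admin" srcip=192.0.2.9
"""

# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def failed_peers(log_text, wan_ip, min_failures=3):
    """Remote IPs with at least min_failures failed IKE negotiations to wan_ip.

    min_failures is an arbitrary illustrative threshold, not a Fortinet value.
    Failures against other local IPs are ignored because the ACL is bound to
    one interface and one destination address.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") != "vpn" or rec.get("action") != "negotiate":
            continue
        if rec.get("status") != "failure" or rec.get("locip") != wan_ip:
            continue
        counts[rec["remip"]] += 1
    peers = [ip for ip, n in counts.items() if n >= min_failures]
    return sorted(peers, key=ipaddress.ip_address)


def _obj_name(ip):
    # Hypothetical naming scheme for the per-IP address objects.
    return "blk_" + ip.replace(".", "_")


def acl_config(peers, wan_ip, interface="WAN", acl_id=1):
    """Render address, group, service and ACL objects as FortiOS CLI text."""
    if not peers:
        return ""  # nothing to block, so emit no config
    for ip in peers + [wan_ip]:
        ipaddress.IPv4Address(ip)  # refuse anything that is not a plain IPv4 host
    out = ["config firewall address"]
    for ip in peers:
        out += [f'    edit "{_obj_name(ip)}"',
                f"        set subnet {ip} 255.255.255.255",
                "    next"]
    out += ['    edit "wan_interface_ip"',
            f"        set subnet {wan_ip} 255.255.255.255",
            "    next", "end"]
    members = " ".join(f'"{_obj_name(ip)}"' for ip in peers)
    out += ["config firewall addrgrp", '    edit "block_ip"',
            f"        set member {members}", "    next", "end"]
    out += ["config firewall service custom", '    edit "udp_500_4500"',
            "        set udp-portrange 500 4500", "    next", "end"]
    out += ["config firewall acl", f"    edit {acl_id}",
            f'        set interface "{interface}"',
            '        set srcaddr "block_ip"',
            '        set dstaddr "wan_interface_ip"',
            '        set service "udp_500_4500"',
            "    next", "end"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    wan = "198.51.100.1"
    print(acl_config(failed_peers(SAMPLE_LOGS, wan), wan))
```

Paste the rendered output into the FortiGate CLI and confirm it with show firewall acl. Because the ACL drops silently, the only visible sign that it is working is that the repeated negotiation-failure entries for those peers stop appearing in the VPN event log.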
Important Notice:
ACLs are supported on the following FortiGate models:
- 100D, 100E, 100EF, 101E
- 140D, 140D-POE, 140E, 140E-POE
- 1200D, 1500D, 1500DT
- 3000D, 3100D, 3200D, 3700D, 3800D, 3810D, 3815D
- All 300E and larger E-series models
- All 100F and larger F-series models
References:
Packet flow ingress and egress:
https://docs.fortinet.com/document/fortigate/6.2.0/parallel-path-processing-life-of-a-packet/86811/packet-flow-ingress-and-egress-fortigates-without-network-processor-offloading
Access Control Lists (ACLs):
https://docs.fortinet.com/document/fortigate/6.0.0/hardware-acceleration/342001/access-control-lists-acls
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/898126/ipv4-ipv6-access-control-lists
https://docs.fortinet.com/document/fortigate/6.4.0/administration-guide/898126/ipv4-ipv6-access-control-lists
