Technical Tip: How to block Malicious address via ISDB

FortiGate uses the ISDB service, which requires an active subscription. It is necessary to ensure that the FortiGate device has a valid subscription for the FortiGuard services, including ISDB. The status of the FortiGuard service can be checked under System -> FortiGuard. 

Using the following method, the Malicious IP addresses can be blocked for the pre-defined internet services. If the suspect IP is not in the pre-defined lists, a custom ISDB entry can be requested with the following article:

Technical Tip: Custom Internet Service Database (ISDB) entry creation on a FortiGate

For the Geography-based internet services, a custom entry can be created inside FortiOS, as explained in Technical Tip: How to create internet service database based on geographical information.

Blocking Malicious IP address(Predefined Internet Services):

Step 1: Go to Policy & Objects -> Internet Service Database -> Internet Services -> IP Address Lookup -> Search IP.

From CLI :

diagnose internet-service match <vdname> <ip> <netmask>

Step2: Create IPv4 Policy:

• Go to Policy & Objects -> IPv4 policy.
• Select 'create new'.
• Name: Provide any name.
• Incoming interface: Select the incoming interface.
• Outgoing interface: Select the outgoing interface.
• Source: Internet Service -> Select the Internet Service details obtained from IP address lookup.
• Destination: ALL.
• Schedule: Always.
• Services: ALL.
• Action: Deny.

From CLI:

config firewall policy
    edit 0
         set name "Malicious_Test_policy"
         set srcintf "port3"
         set dstintf "port1"
         set dstaddr "all"
         set internet-service-src enable
         set internet-service-src-name "Malicious-Malicious.Server" "Hosting-Bulletproof.Hosting"
         set schedule "always"
         set service "ALL"
         set logtraffic all
    next
end

 

Note:

In the latest firmware versions (above v7.0) the option for IPv4 policy is replaced with Firewall policy under Policy & Objects.