New Member

Question

black list public ip IKE protocol

Forum|Forum|7 years ago
June 4, 2018
3 replies
17273 views

Hi,

I use FG600D (Fortios V5.4.5) with 30 VPN (IKE) but since few weeks i have trouble with some public ip like 216.218.206.126. Each night i have a lot of attempts to establish VPN IKE. This public ip is not public ip of my company.

For example :

Message meets Alert condition

date=2018-06-03 time=04:47:33 devname=FW-BLC-1 devid=FGT6HDXXXXXXX logid=0101037128 type=event subtype=vpn level=error vd=root logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=[style="background-color: #ffff00;"]216.218.206.102[/style] locip=xxx.xxx.xxx.xxx remport=24916 locport=500 outintf="IP-Pub-Complete" cookies="3e35c70729dfedef/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status=failure init=remote mode=main dir=inbound stage=1 role=responder result=ERROR

I try to use local in policy but i don't understand how. In my all Fortigate i saw local in policy in GUI but in CLI i have nothing.

Please could you tell me if it's the good way to block unwanted public ip ? and if it's the good way could you explained me how can i do ?

In Example i found, all people explain to choose wan interface for source but i don't know which destination interface i must select.

Thank you,

François

Markus

New Member

Hi, There is a similar post here https://forum.fortinet.com/tm.aspx?tree=true&m=160521&mpage=1 that should help. Best, Markus

FrancoisSogeclairAuthor

New Member

Thank you Markus for your reply but i don't understand why i can't see local policy in CLI ?

In example gave by Stuart he explained i use "edit 1" but in my case i don't have any policy. If i do "edit 1" i create a new policy.

At the same time in GUI i have aproximatively 80 or 100 local in policy.

Thank you for help,

Toshi_Esumi

SuperUser

I don't think local-in policy is available in GUI. You must be talking about regular firewall/security policies in GUI. If you don't see anything under "configure firewall local-in-policy", you don't have "local-in" policy yet. So edit 1 or edit 0 create a new policy with id:1.

Toshi_Esumi

SuperUser

When you create an interface-mode IPSec vpn, the interface is automatically created with the same name of phase1-interface name. Then you should configure the tunnel interface IP w/ /32 mask as well as a remote-ip. That would be used for all routing. All ipsec attempts to the same phy interface ip are examined with IPsec tunnels configured on the interface.

If you don't spcify IKE as service and want to block everything from the source, you need to use the phy interface. But if you want to block any irrelevant IPSec attempts by specifying IKE, you might need to use the tunnel interface. I'm not sure though. Then you should leave the destination blank.

If you block one side for IKE (that's all you can do for any attacks), the IKE negotiation can't be completed and fail. The source might keep trying but that's not what you can control or avoid unless your upstream router blacklists the source IP.

Bruno_Pereira

New Member

you noticed a scan coming from this server across your network and/or poking at a service that you have running. The Shadowserver Foundation is currently undertaking a project to search for publicly accessible devices that have services running that should not be exposed because they are trivial to exploit or abuse. The goal of this project is to identify hosts that have these types of services exposed and report them back to the network owners for remediation. Further details on this scanning project can be found on our blog at: http://blog.shadowserver....the-internet-improves/ Statistics on these scans can be found at: http://blog.shadowserver....nnings-and-statistics/ If you would like to sign up for reports on any data that we have collected on your network, you can request them from here: https://www.shadowserver....etReportsOnYourNetwork All of the probes that are used in our tests are benign and do not ( and will never ) contain exploit code. Scans with these types of tools are off-limits for us. All the data that we collect is visible to anyone who connects to a particular host with on the proper port using the proper commands. If you have any more questions please feel free to send us an email at:

ericli_FTNT

Staff

François wrote:
Hi,

I use FG600D (Fortios V5.4.5) with 30 VPN (IKE) but since few weeks i have trouble with some public ip like 216.218.206.126. Each night i have a lot of attempts to establish VPN IKE. This public ip is not public ip of my company.
For example :
Message meets Alert condition
date=2018-06-03 time=04:47:33 devname=FW-BLC-1 devid=FGT6HDXXXXXXX logid=0101037128 type=event subtype=vpn level=error vd=root logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=[style="background-color: #ffff00;"]216.218.206.102[/style] locip=xxx.xxx.xxx.xxx remport=24916 locport=500 outintf="IP-Pub-Complete" cookies="3e35c70729dfedef/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status=failure init=remote mode=main dir=inbound stage=1 role=responder result=ERROR

I try to use local in policy but i don't understand how. In my all Fortigate i saw local in policy in GUI but in CLI i have nothing.
Please could you tell me if it's the good way to block unwanted public ip ? and if it's the good way could you explained me how can i do ?

In Example i found, all people explain to choose wan interface for source but i don't know which destination interface i must select.

Thank you,
François

I would suggest you configure an ACL on that interface to drop any packets from unwanted source and terminate on your device.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded