blackhole routing

If you have ips sensor ( it seems like you do ) than you quarantine the attacker srcs. Set the quarantibne value to be like 1 hr or better yet screw them and make it 1day. Adjust and monitor the attacking sources.

So rather than using a blackhole you think I should go into my 100D, Security Profiles, Intrusion Protection, create a new filter for this type of attack and quarantine the attacker for a day rather than block it? Just making sure I understood you correctly..... I was under the impression that blackholing it - no response - would be a better way to go. Not sure I understand why it isn' t.

No, you take the exist sensor and the ips rule that you are using from fortinet and select block and quarantine. You don' t have to craft any new filters Just ensure it' s a true positive. I would also geo block ( depending on your version of FortiOS ) locations that you don' t expect connections. But really, you should patch/update the effected server(s) imho. This is the perm fix. The HRTBLD vulnerability has been out for quite some time and most applications has a fix out.

I can block or quarantine but not both. All of our servers are patch and no longer vulnerable. It' s more of an annoyance that I keep seeing these IPS alerts. Getting about 10 a day.

What version of fortiOS and I have to say your mistaken. Under every version of ForiOS you have some type or quarantine setting in 5.2GA it' s even simple as american pie config ips sensor edit " ips_sen01D0001" set comment " prevent ips attacks" config entries edit 1 set severity medium high critical next edit 2 set rule 29027 set status enable set action block set quarantine attacker <----here set quarantine-expiry 1200 <---here set rate-count 200 set rate-duration 10 <---here set rate-track src-ip < set the track dst or src here next The reason why I say to quarantine is you don' t have todo anything manually like; add blackhole routes remove blackhole ( when the attackers die off ) reduce falase positives or block somebody by accident and forget about them That' s why I say quarantine there butts is way better, simple and is 3 clicks or less for configurations. I leave you with two thoughts; 1> would your rather keep monitor your logs and adding/removing entries in the blackholes or 2> configure your 1 ips HRTBLEED entry and forget about it Your call, but #2 is what I would do. I' ve built exact this using the snort fox signatures and don' t even both to look at it other than monitoring my ips alerts. Also I geo block most of the attackers sources by countries that I have zero need for and like 90-95% of these attacks died off the 1st day.

Another thing to add here: action should be set to block, not reset so the FortiGate dont respond by any mean. this will imply no live host to the attacker.

Also " blackhole route" is more for network devices to drop traffic silently e.g during DDoS attack. Problem with that the destination will be unreachable for everyone, not only for the attacker. On a firewall you achieve the same with a firewall policy and like what previously was said, you don' t have to manually enable/disable the route. It' s not a route you want to drop I guess, but specific packets from a source.