philv
New Member
April 11, 2019
Question

Block external IP addresses

  • April 11, 2019
  • 3 replies
  • 34714 views
Dear Techies, I'm new to FortiGate and new to the forum. Anyway, I have a problem configuring policies for blocking unwanted access from some external/malicious IP addresses. Here's what I did.

==
GBSP-FW1 # sh firewall policy 103
config firewall policy
    edit 103
        set name "WAN to LAN"
        set uuid 76f191b8-5c56-51e9-9c22-4672edcc21a6
        set srcintf "wan1_outside-interface" "wan2_outside-interface"
        set dstintf "port1_inside-interface"
        set srcaddr "GROUP-Block-Countries"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set fsso disable
    next
end

Action is set to "DENY" (through the GUI)
Log Violation Traffic - enabled
Enable this policy - enabled
==

Within the "GROUP-Block-Countries" group:

config firewall address
    edit "BC - China"
        set uuid cd09f5ba-5c54-51e9-a7ac-48d279294f0c
        set type geography
        set color 25
        set country "CN"
    next
    edit "BC - Russia"
        set uuid f5fb6106-5c55-51e9-2946-f2aba7123c50
        set type geography
        set color 25
        set country "RU"
    next
    edit "BC - South Korea"
        set uuid 6a6eb5b4-5c57-51e9-3125-870fd87fe86a
        set type geography
        set color 25
        set country "KR"
    next
    edit "BC - Ecuador"
        set uuid 9d6540b4-5c61-51e9-0b4a-1148a4f24cdb
        set type geography
        set color 25
        set country "EC"
    next
    edit "BC - United Kingdom - 81.94.192.0/20"
        set uuid 366a8746-5c63-51e9-72f7-2d7cee735d2f
        set color 25
        set subnet 81.94.192.0 255.255.240.0
    next
    edit "BC - United States - 70.224.0.0/17"
        set uuid f47650fc-5c64-51e9-5bec-3ce96a95b35c
        set color 25
        set subnet 70.224.0.0 255.255.128.0
    next
    edit "BC - United States - 137.139.0.0/16"
        set uuid b4eb494e-5c67-51e9-42ac-36d9851b84e2
        set color 25
        set subnet 137.139.0.0 255.255.0.0
    next
    edit "BC - United States - 21.0.0.0/8"
        set uuid b4f7fd92-5c67-51e9-94eb-798bb2186b0d
        set color 25
        set subnet 21.0.0.0 255.0.0.0
    next
end
==

I have put the policy at the very top of the list. However, when I try accessing the FortiGate from a blocked IP address (from home), I can still ping and get through, and no traffic was recorded in the policy log. Am I missing any steps, or is there any other way? Any help would be appreciated. Thank you guys.

FortiGate 100E v6.0.3 build0200 (GA)

    3 replies

    andre_amaro
    New Member
    April 11, 2019

    Hello philv,

     

    I do not understand exactly what you want to do. Do you want to block a specific IP that accesses your environment or prevent access to firewall management over the internet?

    philv
    philvAuthor
    New Member
    April 11, 2019

    I'm simply trying to block China, Russia, external IP's, etc. from pinging, accessing our website, accessing any ports. Or getting through our firewall.

     

    Thanks for the quick reply...

    seadave
    New Member
    April 12, 2019

    We create an Address Group called Block_Countries_In (we also have one for outbound).

    We add GEO addresses to that group. It is always good to keep your groups of the same type. Don't mix FQDNs, GEOs, etc. I think that might be your issue. Create two unique groups, maybe even two policies: one for GEO and one for subnets. Make them your first policies or near the top of your rule set.

    Here is our show full policy (we are on 6.0.3) for our GEO block rule:

    config firewall policy
        edit 27
            set name "In WAN1 - Deny GEO"
            set uuid d0b57172-a271-51e4-867d-3eaf7fdb3219
            set srcintf "port9"     <----- This is WAN
            set dstintf "port1"     <----- This is LAN
            set srcaddr "Block_Countries_In"
            set dstaddr "all"
            set internet-service disable
            set rtp-nat disable
            set learning-mode disable
            set action deny
            set status enable
            set schedule "always"
            set schedule-timeout disable
            set service "ALL"
            set dscp-match disable
            set logtraffic all
            set logtraffic-start disable
            set np-acceleration enable
            set session-ttl 0
            set vlan-cos-fwd 255
            set vlan-cos-rev 255
            set wccp disable
            set natip 0.0.0.0 0.0.0.0
            set diffserv-forward disable
            set diffserv-reverse disable
            set tcp-mss-sender 0
            set tcp-mss-receiver 0
            set comments ''
            set block-notification disable
            set replacemsg-override-group ''
            set srcaddr-negate disable
            set dstaddr-negate disable
            set service-negate disable
            set captive-portal-exempt disable
            set ssl-mirror disable
            set scan-botnet-connections disable
            set dsri disable
            set radius-mac-auth-bypass disable
            set delay-tcp-npu-session disable
            set send-deny-packet disable
            set match-vip enable
        next
    end

     

    We do the opposite for traffic outbound to hostile nations.  You need both to be secure.  Of course IPs can be spoofed, but like you said, this cuts out a lot of the chaff and scan bots that are always knocking.

    TecnetRuss
    Visitor III
    April 12, 2019

    The reason it isn't working, and this is not intuitive, is that for NAT WAN to LAN policies the destination has to be a VIP even for Deny rules (destination = any won't work) unless you use the "set match-vip enable" setting as shown in SeaDave's config.

     

    So, you can either change your Destination from "any" to the VIPs you want to block from receiving this traffic, or you can add "set match-vip enable" to your policy.

     

    Russ

    TheAnalogKid
    New Member
    February 7, 2020

    Well, boys, I'm up a creek. I've pored over this thread and it's not working.

     

    I've created GEO and IP range groups to block traffic hitting my WAN from CN and Soviet Russia. I've copied and pasted, setting srcint to WAN and dstint to LAN. I set srcaddr to "Block_Countries_In" and several other addresses I created and dstaddr to all.

    I put in all the commands suggested by seadave (although I am running 5.2, so it did not take "internet-service disable" or "learning-mode disable").

     

    I put in "set match-vip enable" as TecnetRuss suggested, because "destination = any won't work unless you use the "set match-vip enable" setting as shown in SeaDave's config," as he said.

     

    I enabled the policy and put it at #1.

     
    And despite it all, I still get this.

    Some asswipe in China is still trying to get in. My firewall policy, alas, is a miserable failure. He is probably laughing at me.

     

    Why can't I manage to block 1 measly IP address? It's clearly stated in my firewall policy, right there, at #1. Will anyone spare me this shame and embarrassment?

    ede_pfau
    SuperUser
    February 10, 2020

    Traffic to the FGT itself is controlled by 'Local In' policies, not the regular firewall policies.

    Show us what you've configured, from CLI (as text), i.e. "config firewall local-in-policy".

     

    Second, do you use VIPs on your WAN interface at all?

     

    BTW, you could edit your last post and upload a picture...my mouse gets lame from scrolling...
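To make the local-in point concrete, here is an added example (not configuration from any poster on this thread) of a local-in policy that denies the blocked geographies from reaching the FortiGate itself on both WAN interfaces, followed by the CLI commands used to confirm whether a given source is hitting the box and which policy handles it. Interface and group names are taken from the original question; policy IDs 1 and 2 are assumed, and 203.0.113.7 is a placeholder for the offending source address, not a real attacker. It is also an assumption that this build accepts a geography object as the local-in srcaddr; if yours does not, point srcaddr at a group of plain subnet objects instead. Local-in policies are configured from the CLI.

```fortios
config firewall local-in-policy
    edit 1
        set intf "wan1_outside-interface"
        set srcaddr "GROUP-Block-Countries"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
    next
    edit 2
        set intf "wan2_outside-interface"
        set srcaddr "GROUP-Block-Countries"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
    next
end
show system interface "wan1_outside-interface"
diagnose sniffer packet wan1_outside-interface 'host 203.0.113.7 and icmp' 4
diagnose debug flow filter addr 203.0.113.7
diagnose debug flow trace start 20
diagnose debug enable
diagnose debug disable
diagnose debug flow trace stop
```

The "show system interface" line is there to check the allowaccess list on the WAN interface: if ping, https or ssh are enabled there, the FortiGate answers on its own address and a WAN-to-LAN policy never sees that traffic, which is exactly the symptom in the original question. The sniffer confirms packets from the source are actually arriving on that interface, and the debug flow trace names the policy (local-in or regular) that accepts or drops them, which is far more reliable than watching the traffic log. Before applying a local-in deny, make sure the address you administer from is not inside the blocked group and that you have another way in, since local-in policies also govern VPN and management connections to the WAN address.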