WebGregGit
Visitor III
October 11, 2022
Question

Block traffic with IP from the black list (not only spam)

  • October 11, 2022
  • 3 replies
  • 9087 views

Hi

I have FortiGate 200F.

I detect various disturbing connections from different addresses. At the moment, I manually add the intense ones to the block list. Unfortunately, it is not effective and very time-consuming.

These addresses are usually on some blacklists, such as zen.spamhaus.org. I am sure that a device of this class can automate the blocking of traffic coming from addresses on blacklists. But I don't know how to set it up. Any advice?

Security Profiles > DNS Filter > profile > External IP Block Lists options.

Is this the right direction?

Do you have any addresses attached to them that you can share?

3 replies

Yurisk
SuperUser
October 11, 2022

Hi, DNS Filter is for LAN/internal users potentially browsing to malicious sites on the Internet. As I understand it, you observe incoming traffic from potentially bad IPs on the Internet; for this you'd rather use an External Fabric Connector to have the FortiGate dynamically download 3rd-party threat feeds and then use them in WAN -> LAN rules with action Block.

You may read more here: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/9463/threat-feeds

gfleming
Staff
October 11, 2022

Excellent response from Yurisk already. Just want to add you can also set up IPS filters (if you have that feature via FortiGuard subscription) to automatically detect attacks and block them and optionally quarantine the attacking IP addresses.

https://docs.fortinet.com/document/fortigate/7.2.2/administration-guide/565562/intrusion-prevention

This can work in conjunction with the Fabric Connector threat feeds as already advised.

dairu
New Member
October 12, 2022

Great tips from the other contributors. Found this helpful YouTube video as a guide on how you can establish an External Fabric Connector, as Yurisk has already mentioned:

https://www.youtube.com/watch?v=CarI6_URN90

WebGregGit
Visitor III
October 12, 2022

Thank you all for the tips. The easiest for me was from @dairu. I added a few lists, but for example I was not able to add http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-2.uceprotect.net.gz (bad format).
I also created my own file where I manually add addresses, but it doesn't make sense: what I block in a moment, the "enemy" tries from a different address anyway. The never-ending story.

@gfleming - I set a high security IPS profile for the policy but I don't see any effect - still huge traffic on port 53.

gfleming
Staff
October 12, 2022

OK, let's explore a bit more the exact nature of the traffic you are seeing. Lots of traffic on port 53 could be evidence of a DDOS attack. Can you share what the traffic looks like? Is it many different sources hitting your IP on port 53?

Do you have port 53 open and exposed on the internet? If so, you might want to reconsider as most people do not need it. If not, then check DOS policy:

You might do well to look at a DOS Policy: https://docs.fortinet.com/document/fortigate/7.2.2/administration-guide/771644/dos-policy