Skip to main content
kkeane
kkeane
New Member
February 26, 2015
Solved

Blocking a list of IP addresses?

  • February 26, 2015
  • 2 replies
  • 23980 views

FortiOS 5.2.2 on an FWF40

 

I'm looking for a way to block a fairly large, and dynamic, list of IP addresses, managed from the CLI. There will probably be 1000 or more individual IP addresses, in various places all over the Internet. The use case is that I want to use the denyhosts script on my Linux servers to detect brute-force attempts, and block the IP addresses it collects not just within the server, but at the Fortigate level.

 

With a small and static list of IP addresses, this is of course fairly straightforward:

- config firewall address for each of the addresses

- config firewall addrgroup and add each of the addresses to the group

- config firewall policy to deny all traffic from that group.

 

I don't think this approach scales well to a large list of IP addresses, nor does it lend itself to frequent updates.

Is there a better way I could accomplish the same thing?

 

    Best answer by Dave_Hall

    Use the search feature at the top of this page -- you should be able to find some posts involving scripting a solution to what you are requesting.   Keep in mind that there is a hard-coded limit to the number of firewall addresses/address groups that you can create. 

       

    Considering you are using a WFW40, you may run into performance issues -- you may want to look into other means to block unwanted IP addresses, including setting up trusthost admin access, allowaccess on the interface, blocking IP by country region (geography), and local-in-policy.           

    2 replies

    Dave_Hall
    Dave_HallAnswer
    New Member
    February 26, 2015

    Use the search feature at the top of this page -- you should be able to find some posts involving scripting a solution to what you are requesting.   Keep in mind that there is a hard-coded limit to the number of firewall addresses/address groups that you can create. 

       

    Considering you are using a WFW40, you may run into performance issues -- you may want to look into other means to block unwanted IP addresses, including setting up trusthost admin access, allowaccess on the interface, blocking IP by country region (geography), and local-in-policy.           

    kkeane
    kkeaneAuthor
    New Member
    February 26, 2015

    I tried the search first, of course, but didn't find anything to answer my question.

    Agreed re. there being a performance penalty (and also the probability that there is a limit on the number of objects FortiOS can handle). That's what I had mind when I was concerned about scalability. I was hoping for something like Linux' ipset, which was created specifically to address those issues within iptables.

     

    In any case, thank you for your reply!

    Terms & ConditionsAccessibility statement