bfakhriddi
New Member
August 31, 2021
Question

blocking policy

  • August 31, 2021
  • 2 replies
  • 7918 views

I created an address group with specific IPs of the ransomware group to block, and created a policy to block from WAN to LAN with that source address group. Do I need to move this policy to the top because it's more specific than the other allowing policies? 

    2 replies

    emnoc
    New Member
    August 31, 2021

    ANS: yes


    Did you run "diag debug flow" and see what policy-id is matching? Your new policy needs to be higher, and more specific policies are always placed first.


    Ken Felix

    TecnetRuss
    Visitor III
    August 31, 2021

    Yes, the Deny policy needs to be at the top of the list because they are evaluated top down with the first (top-most) matching policy (Deny or Allow) being the policy that is applied, regardless of whether a more specific policy lower down also matches.


    Also note that specifically for WAN to LAN policies where NAT is involved you have to also do one of two extra steps:

    1. If you have the policy's destination set to "all", the policy won't work unless you have "match-vip" enabled in the policy. Right-click the policy in the list and select "Edit in CLI", then type "set match-vip enable", then "end".
    2. Alternatively, set the destination of the policy to be your VIP object(s).

    Russ

    NSE7
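    The top-down, first-match behaviour Russ describes is easy to see in a small simulation. The following is an added example, not code from the thread or from Fortinet: a toy policy table evaluated the way a firewall evaluates its policy list, with the blocklist Deny placed once below and once above a broad WAN-to-LAN Allow. The interface names, policy IDs and the addresses in the "ransomware group" address group are constructed for the example.

```python
"""Added example (not from the original thread): a toy model of top-down,
first-match firewall policy evaluation, showing why a specific Deny placed
below a broader Allow never fires. All addresses, interface names and
policy IDs are constructed for this example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    policy_id: int
    srcintf: str
    dstintf: str
    srcaddr: tuple  # network strings; ("all",) matches any source
    action: str     # "accept" or "deny"


def _addr_matches(networks, ip):
    """True if ip falls in any listed network, or if the set is 'all'."""
    if networks == ("all",):
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def evaluate(policies, srcintf, dstintf, src_ip):
    """Return the first policy (top-down) whose interface pair and source
    address match. None means nothing matched: implicit deny."""
    for p in policies:
        if (p.srcintf == srcintf and p.dstintf == dstintf
                and _addr_matches(p.srcaddr, src_ip)):
            return p
    return None


# Constructed sample members of the "ransomware group" address group
# (documentation ranges, not a real blocklist).
BLOCK_GROUP = ("198.51.100.10/32", "198.51.100.11/32", "203.0.113.0/28")

ALLOW_WAN_TO_LAN = Policy(1, "wan1", "internal", ("all",), "accept")
DENY_BLOCKLIST = Policy(2, "wan1", "internal", BLOCK_GROUP, "deny")


def wrong_order():
    """Deny sits below the broad Allow: the Allow always wins first."""
    return [ALLOW_WAN_TO_LAN, DENY_BLOCKLIST]


def right_order():
    """Deny sits on top, so blocklisted sources are caught before the Allow."""
    return [DENY_BLOCKLIST, ALLOW_WAN_TO_LAN]


def decision(policies, src_ip, srcintf="wan1", dstintf="internal"):
    """(policy_id, action) of the matching policy, or (None, 'deny')."""
    p = evaluate(policies, srcintf, dstintf, src_ip)
    return (p.policy_id, p.action) if p else (None, "deny")


if __name__ == "__main__":
    for label, plist in (("deny below allow", wrong_order()),
                         ("deny on top", right_order())):
        for ip in ("198.51.100.10", "203.0.113.5", "192.0.2.77"):
            print(f"{label:16s} src={ip:15s} -> {decision(plist, ip)}")
```

    Running it shows the blocklisted source 198.51.100.10 being accepted by policy 1 when the Deny is below the Allow, and denied by policy 2 once the Deny is moved to the top, while a non-listed source still reaches the Allow in both orders. The interface check also illustrates Toshi_Esumi's later point: the same Deny does nothing for traffic in the other direction unless a policy exists for that interface pair.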

    bfakhriddi
    New Member
    August 31, 2021

    Yes, I have the destination set to all, but why do I need match-vip enabled if I don't have a VIP set up? I have just an address group of 4 public IPs to block coming from the WAN.

    I found this one, https://kb.fortinet.com/kb/documentLink.do?externalID=FD46540 , which has nothing about VIPs. Confused.

    Toshi_Esumi
    SuperUser
    September 3, 2021

    The majority of ransomware is delivered in phishing email. Then, if it's not filtered by something inspecting the content of the email and the recipient carelessly opens an attachment or clicks a link to download the ransomware, it would start copying itself to all reachable devices.

    I don't know what kind of address list you got, but unless your address list is meant to block incoming email, I would apply whatever blocking policy you created with the addresses in the in-to-out direction, to block any downloading from those sites.