peter-supply
New Member
December 6, 2024
Question

Blocking Private VPN IPs

  • December 6, 2024
  • 6 replies
  • 3272 views

We currently use Geoblocking to block access to external web servers from "unfriendly countries."  This works quite well.  However, we still receive a lot of malicious attacks from IPs from "friendly countries."  The majority of these IPs originate from private VPN providers.  Is there a way to block access from these IPs?  Thanks.

6 replies

Toshi_Esumi
SuperUser
December 6, 2024

If other legit accesses come from the same IPs, you obviously can't block it by "IPs" at L3 level.


Toshi

peter-supply
New Member
December 6, 2024

Thanks.  I would like a "Private VPN" object that Fortinet provides, similar to the Geoblock Country object list that Fortinet provides now.  This would allow us to block all access from Private VPN IPs; the list would be updated as part of the regular security updates.

sjoshi
Staff
December 6, 2024
Toshi_Esumi
SuperUser
December 6, 2024

I see a "VPN-Anonymous.VPN" category in the internet service list when I searched with the keyword "VPN".
https://www.fortiguard.com/search?q=VPN&engine=1&type=isdb
It says "VPN - Servers providing Anonymizing VPN service, such as NordVPN". If this is what you're looking for you can use it in the policy as a source address to block them.

Toshi

peter-supply
New Member
December 6, 2024

I do not have the option to create a new address object based on "Anonymizing VPN Service."

peter-supply
New Member
December 6, 2024

Looks like Fortinet used to have this option: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-incoming-traffic-from-anonymity/ta-p/194132?externalID=FD40199


The "Anonymous Proxy" option is no longer there.

peter-supply
New Member
December 6, 2024

We use a Netscaler to front the web servers now.  So yes, we use "VIP," but on the Netscaler, not the Fortigate.  The Netscalers are behind the Fortigate.  If I try to add the way you illustrate in your screenshot, I receive a message "Source addresses/groups must have different IP versions than source Internet Services."

Toshi_Esumi
SuperUser
December 6, 2024

Of course my snippet was not "complete". I just showed how to add the "VPN" category. You have to finish all the config to match your environment, including the destination IP.
If it still doesn't work, share the screenshot with us.

Toshi

peter-supply
New Member
December 6, 2024

Yes, I did fill out the entire rule.  I believe the error, "Source addresses/groups must have different IP versions than source Internet Services" was related to the fact that I was trying to add VPN-Anonymous to an existing DENY rule.  I created a new DENY rule with just the VPN-Anonymous group in it, and I was able to save it.  However, when I connect to my NordVPN, I am able to access all of our external websites.  So the rule isn't triggering for some reason.


[attachment: VPN Block.png]

Toshi_Esumi
SuperUser
December 6, 2024

Then you likely need to open a ticket with TAC and get it troubleshot. It's difficult to do that over this community thread's "half-duplex" conversation without getting into your FGT.

Toshi
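The policy Toshi suggests, written out as a FortiOS CLI example added here; it is not configuration posted in the thread. The interface names wan1 and dmz, the address object "Netscaler-VIP" (the Netscaler's public-facing address, since the VIP lives on the Netscaler, not the FortiGate) and the policy name are assumptions; the ISDB entry name "VPN-Anonymous.VPN" is the one quoted above. A source Internet Service takes the place of srcaddr for that IP version, so it is set on its own and no srcaddr is configured in the same policy, which is consistent with the "Source addresses/groups must have different IP versions than source Internet Services" error that appeared when the category was added to an existing deny rule that already had source addresses.

```fortios
config firewall policy
    edit 0
        set name "Deny-Anonymous-VPN-Inbound"
        set srcintf "wan1"
        set dstintf "dmz"
        set internet-service-src enable
        set internet-service-src-name "VPN-Anonymous.VPN"
        set dstaddr "Netscaler-VIP"
        set service "HTTP" "HTTPS"
        set schedule "always"
        set action deny
        set logtraffic all
    next
end
```

Two checks before concluding the rule "isn't triggering": the deny policy must sit above the allow policy that publishes the web servers (after saving, note the ID FortiOS assigned and use `move <deny-id> before <allow-id>` under `config firewall policy`), and the exit address of the VPN you test from must actually be in the category. With `logtraffic all` on the deny policy, a hit from the test client shows up in the forward traffic log; if nothing appears and the allow policy logs the session instead, the source IP is not being matched by the ISDB entry. FortiOS has a `diagnose internet-service match` command that reports which ISDB entries contain a given IP; its exact arguments differ between releases, so check the CLI reference for your version rather than the form here.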