coursevector
New Member
August 6, 2020
Solved

How do you properly block a specific IP or netblock?

  • August 6, 2020
  • 2 replies
  • 22116 views

I've tried many times in the past to try and block IPs in our FortiGate 60E (firmware v5.6.3 build1547 (GA)) and I must say it's the most convoluted and confusing UI I've used to date. Which is why I'm here asking what I'm doing wrong. What I've typically done is create a new address and then set it to deny in the IPv4 Policy.

(step1.png)

Policy & Objects -> Addresses -> Create New
Address Name: "45.141.84.162/32 20200805"
Type: Subnet
Subnet/IP Range: 45.141.84.162/32
Interface: wan1 (or all)

(step2.png)

Policy & Objects -> IPv4 Policy -> Create New
Name: "Block 45.141.84.162"
Incoming Interface: wan1
Outgoing Interface: internal
Source: "45.141.84.162/32 20200805"
Destination: all
Schedule: always
Service: ALL
Action: DENY
Enable this policy: Checked

But I then still see traffic coming through as if it did nothing. I've also tried using IP ranges of 45.141.84.162-45.141.84.162 and that has done nothing as well. So far the only way I've seen to actually stop an IP address is to ban the IP.

FortiView -> Traffic From WAN -> Sources, filter on Source and IP, right-click on the IP and select Ban IP. I can then see the banned IP under Monitor -> Quarantine Monitor. But even then I can only ban a single IP, I can't ban a netblock. Is there a better way of going about this?

    Best answer by TecnetRuss

  • 2 replies

    Toshi_Esumi
    SuperUser
    August 6, 2020

    Do you have VIPs and policies to allow traffic from the wan1 to internal? Then this policy should work as long as you placed it at the top of policies.

    Instead, if you want to block traffic into the FGT without any allow policies in place, you need to use local-in policy instead. You might need to use CLI to configure it though. It can block any login attempt via HTTP/HTTPS/SSH, etc. as well as VPN attempts into the FGT. You can find many config examples on the internet with some key words like "fortigate local in policy".

    coursevector
    New Member
    August 6, 2020

    Toshi,

    We have lots of port forwards for RDP but nothing beyond that in the VIP (I assume you mean Virtual IPs?). I did have it placed at the top of the policies (please see attached). But as I said, I still saw the IP coming through and it didn't stop until I banned it.

    I've never heard of a "local-in policy", I will take a look though. As I'm still fairly new to Fortinet/Fortigate, is CLI the preferred way to configure this device? The UI doesn't seem like it was organized by a sane person.

    TecnetRuss
    Visitor III
    August 7, 2020

    You just need to set the "match-vip enable" setting in your Deny rule.

    1. Right-click on your Deny policy and select "Edit in CLI"
    2. Type "set match-vip enable" and press Enter.
    3. Type "end" and press Enter.

    Your Deny rule will now match inbound traffic that matches any of your VIPs.

    Alternatively you can set the destination of your Deny rule to all of your VIPs instead of "All".  I know it's a bit counterintuitive but the problem is that inbound traffic destined for your VIP doesn't match the "All" destination.  That's why your current rule is still allowing traffic through.

    This is only necessary for WAN to LAN IPv4 rules where NAT (VIPs) are involved.  For IPv6 deny policies or VLAN-to-VLAN deny policies this isn't necessary.

    Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD33338

    Local-in Policies is a third method you can use to block traffic as Toshi mentions.


    Russ

    NSE7
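The match-vip fix Russ describes above and the local-in policy Toshi mentions, written out as an added FortiOS CLI example that is not part of this thread. It reuses the asker's interface names and address object; the policy IDs and the 203.0.113.0/24 netblock (an RFC 5737 documentation range) are constructed placeholders.

```fortios
# Added example: WAN->LAN deny with match-vip, plus a local-in policy (FortiOS 5.6 syntax).
# Policy IDs and the /24 netblock are constructed; the /32 and interfaces come from the thread.
config firewall address
    edit "45.141.84.162/32 20200805"
        set type ipmask
        set subnet 45.141.84.162 255.255.255.255
    next
    # A whole netblock works the same way; one address object covers the range.
    edit "203.0.113.0/24 blocklist"
        set type ipmask
        set subnet 203.0.113.0 255.255.255.0
    next
end

config firewall policy
    edit 10
        set name "Block 45.141.84.162"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "45.141.84.162/32 20200805" "203.0.113.0/24 blocklist"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        # Without this, traffic to a VIP (the RDP port forwards) never matches
        # dstaddr "all", so the deny is skipped and the VIP allow policy wins.
        set match-vip enable
        # Log denied sessions so the block can be verified in the traffic log.
        set logtraffic all
    next
    # The deny must sit above the VIP allow policies; assumes the first allow
    # policy has ID 1 (constructed).
    move 10 before 1
end

# Traffic aimed at the FortiGate itself (admin GUI, SSH, VPN logins) never
# traverses a firewall policy; a local-in policy covers that case.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "45.141.84.162/32 20200805" "203.0.113.0/24 blocklist"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
    next
end
```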

  • coursevector
    New Member
    August 6, 2020

    Adding second image