Umesh
Explorer II
April 22, 2022
Solved

how to block bulk public ips in fortigate

  • April 22, 2022
  • 4 replies
  • 20500 views

Dear All,

Greetings,

I just want to know if there is any feasible solution in FortiGate to block bulk public IPs.

For example - 1.1.1.1/32

Note - I have to block around 2500 public IPs in our organization at the FortiGate firewall.

So please, can anyone make me understand how to block these IPs.

Please also share a road map to block these IPs if you know.

Thank you

 


4 replies

seshuganesh
Staff
April 22, 2022

Hi Team,

The best way is to use threat feeds.

Please follow this article for the same:

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/9463/threat-feeds

You can use this article for the same.

You require a web server where you need to host one text file with all those IP addresses.

Umesh (Author)
Explorer II
April 22, 2022

Hi dear,

Are there any external servers we need to create, or something else we have to do for it?

Yurisk (Answer)
SuperUser
April 22, 2022

Yes, you have to host the block list on an HTTP server in your network if it is a custom block list, not one bought from a 3rd-party provider. Then you create an External Fabric connector with the URL of this server for the FortiGate to download the feed.

See the attached screenshot (fortinet.forum-external-feed.png). For more details you can also see my post here: Using external threat feeds in FortiGate has become much easier with 6.0 and 6.2 versions

HTH

vdralio
Staff
April 22, 2022

Dear Umesh,

You can use a web server, on the internal or an external network, that FortiGate can reach to retrieve the list of IP addresses you have added.

Like in the article below:

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/891236/external-block-list-threat-feed-policy

config system external-resource
    edit "test-external-iplist-1"
        set status enable
        set type address
        set username ''
        set password ENC
        set comments ''
        set resource "http://10.6.30.55/ip_list_test/test-external-iplist-2.txt" <--- URL of the hosted list
        set refresh-rate 15
    next
end

So you can put the file on the web server so that it can be reached over HTTP.

Best Regards,

Vasil
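Preparing the text file that such an external-resource fetches, as an added example (not vdralio's or Fortinet's code): it assumes the feed is a plain IPv4 list with one address or CIDR per line, validates each raw entry, rejects RFC 1918 addresses and junk, and merges adjacent subnets so a few thousand entries stay compact. The sample input is constructed.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Assumption (not from the thread): the feed the FortiGate external-resource
# fetches is plain text with one IPv4 address or CIDR per line.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_entries(raw: Iterable[str]) -> Tuple[List[ipaddress.IPv4Network], List[str]]:
    """Validate raw lines; return (accepted IPv4 networks, rejected lines)."""
    nets, rejected = [], []
    for line in raw:
        text = line.strip()
        if not text or text.startswith("#"):
            continue  # blank or comment line in the raw source list
        try:
            # strict=False tolerates host bits set in a CIDR, e.g. 203.0.113.77/24
            net = ipaddress.ip_network(text, strict=False)
        except ValueError:
            rejected.append(text)  # not an address or CIDR at all
            continue
        if net.version != 4 or any(net.subnet_of(r) for r in RFC1918):
            rejected.append(text)  # IPv6 or private space: not a public IP to block
            continue
        nets.append(net)
    return nets, rejected

def build_feed(raw: Iterable[str]) -> List[str]:
    """Dedupe, merge adjacent networks and emit one feed entry per line."""
    nets, _ = parse_entries(raw)
    lines = []
    for net in ipaddress.collapse_addresses(nets):
        # a /32 is written as a bare address, anything larger as CIDR
        lines.append(str(net.network_address) if net.prefixlen == 32 else str(net))
    return lines

# Constructed sample input standing in for an export of a few thousand IPs.
SAMPLE_RAW = [
    "1.1.1.1/32",          # the /32 form used in the question
    "1.1.1.1",             # duplicate of the line above
    "198.51.100.0/25",
    "198.51.100.128/25",   # adjacent half: merges into 198.51.100.0/24
    "203.0.113.77/24",     # host bits set: normalised to 203.0.113.0/24
    "10.6.30.55",          # RFC 1918 (the web server itself): rejected
    "not-an-ip",           # junk: rejected
    "",
]

if __name__ == "__main__":
    feed = build_feed(SAMPLE_RAW)
    print("\n".join(feed))  # save as the .txt the FortiGate resource URL points at
```

Regenerate and republish the file whenever the list changes; the FortiGate re-downloads it at the configured refresh-rate, so the rejected list is worth logging to catch typos before they silently drop out of the block list.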

Contributor
April 22, 2022

Hi,

One way to block access to your FortiGate from the public IPs is to configure a local-in-policy.

For example:

Configure an address object:

config firewall address
    edit "public_IP_to_block"
        set subnet 1.1.1.0 255.255.255.0
    next
end

If you have multiple subnets to block, you can configure more address objects and make an address group.

config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "public_IP_to_block" <--- address object or address group
        set dstaddr "all" <--- it can be all, or you can define an address group (e.g. to block access to WAN1, configure an address object for that WAN IP)
        set action deny
        set service "ALL"
        set schedule "always"
    next
end

 

Umesh (Author)
Explorer II
April 23, 2022

Hi Mahboob,

I have around 5000 IPs which have to be blocked in the Fortinet firewall. You know, is it possible to block them one by one? As I know, it is very tough work for me. Do you have any feasible solution for it?

Contributor
April 23, 2022

Hi Umesh,

You can configure as many address objects as you need (even of different types), make an address group of all these address objects, and set this group as srcaddr in the local-in-policy.
And if in future you need to add any new address object, just create it and add it into the address group.

Below is an example for your reference.

config firewall address
    edit "1"
        set type iprange
        set start-ip 10.10.10.0
        set end-ip 10.10.10.200
    next
    edit "2"
        set type geography
        set country "AU"
    next
    edit "3"
        set subnet 172.16.0.0 255.255.0.0
    next
end

config firewall addrgrp
    edit "block_groupe"
        set member "1" "2" "3"
    next
end

config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "block_groupe"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
    next
end