How to block traffic based on hostname or FQDN of bad bots on Fortigate 60D
Hey, I hope someone can help me. I use a Fortigate 60D as my external firewall. I have a Windows 2019 web server running a website on IIS. I am getting lots of robots on my website. I have already blocked other countries by adding a country block. It works perfectly. But now I am dealing with bad bots based in the United States visiting my website. This is an example of a visitor I would like to block:
| ISP: The Shadow Server Foundation |
| Usage type: Data Center/Web Hosting/Transit |
| Hostname: scan-40l.shadowserver.org |
| Domain: shadowserver.org |
| Country: United States |
| City: Pleasanton, California |
I believe the way to block this is by:
1) Creating an FQDN entry under Policy & Objects > Addresses with shadowserver.org or *.shadowserver.org (wildcard) - or do I need to do both?
2) Then creating an IPv4 Policy to "Deny" incoming traffic to the FQDN address I created.
Is that correct? Am I missing something?
Also, in some cases the hostname and domain name of some of the bad bots are different. Which of the two do I select as the FQDN? I want to make sure I don't accidentally block good traffic.
If anyone could clear things up for me, that would be helpful. I am new to Firewalling but so far I love Fortigate. Seems like the community is pretty robust and willing to help.
PS: I have seen videos that teach how to block common bots and bad actors with threat feeds, but I think I need to subscribe to FortiGuard, and I am not subscribed to it.
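
Steps 1 and 2 from the post written as FortiOS CLI, as an added example that is not part of the original post and is not Fortinet's own configuration. The object name, policy name and the `wan1`/`internal` interface names are assumptions, and only the single hostname quoted in the post is covered.

```fortios
# Added example. Lines starting with '#' are annotations.
# Object name, policy name and interface names are assumptions.

# Step 1: FQDN address object for the hostname quoted in the post.
# The FortiGate resolves this name with a forward DNS lookup and the
# policy matches the IP addresses returned. The hostname shown in a
# visitor report comes from a reverse (PTR) lookup of the client IP,
# so the two only line up when the forward record points back at the
# same address.
config firewall address
    edit "bot-scan-40l-shadowserver"
        set type fqdn
        set fqdn "scan-40l.shadowserver.org"
        set comment "Blocked crawler, single hostname"
    next
end

# Step 2: deny policy. The bot opens the connection, so the FQDN
# object goes in srcaddr. The policy has to sit above the rule that
# allows traffic to the web server, because policies are evaluated
# top down.
config firewall policy
    edit 0
        set name "deny-bad-bots"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "bot-scan-40l-shadowserver"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
        # Assumption: the site is published through a virtual IP.
        # Without match-vip, a deny policy with dstaddr "all" does
        # not match traffic destined for a VIP.
        set match-vip enable
    next
end

# Check which IP addresses the object currently resolves to.
diagnose firewall fqdn list
```

With `logtraffic all` set, hits on the deny policy appear in the forward traffic log, which makes it possible to confirm that only the intended source addresses are being dropped.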
