Frogginbullfish
New Member
September 24, 2020
Question

Question about deny policies and sessions


Hi, I am working with a bunch of FortiGates that only have outgoing policies from LAN to WAN. I was thinking about using IP list threat feeds for an extra layer of security. I thought I would insert a policy at the top, but would I put the IP block list as src IP or dest IP? Is there a point in creating a src block policy from the internet when there are no policies that accept traffic from the internet (i.e. I have no servers/VIPs)? For example, if a user created a session with a malicious IP, that wouldn't be checked by any WAN->LAN policies on the way back, right? Thus I would need to create policies with the IP block lists as dest? This might be a dumb question, but I just want to be sure :)


    Markus
    New Member
    September 24, 2020

    Hi, and welcome to the forums. As long as you don't have VIPs or WAN-to-LAN policies, it makes no sense to create a WAN-to-LAN block policy.

    If you want to protect access FROM these IPs to the FortiGate itself, you have to deal with local-in policies. If you want to protect your clients and deny access to these IPs, you create a deny policy at the top of LAN to WAN. Source is any (or your client subnet) and destination your IP block list, as you guessed right.
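    The outbound deny policy described in the reply above, written out as FortiOS CLI. This is an added example, not configuration posted in the thread: the feed name, feed URL, interface names ("internal", "wan1") and the policy IDs used in the move command are assumptions and must be replaced with your own.

```text
# Added example (not from the original thread). Feed URL, interface names
# and policy IDs are assumptions.

# 1. Register the IP block list as an external resource of type "address".
#    The resulting object can be referenced like any firewall address.
config system external-resource
    edit "malicious-ips"
        set type address
        set resource "https://feeds.example.com/blocklist.txt"
        set refresh-rate 5
    next
end

# 2. LAN->WAN deny policy: source is the client side (all, or your client
#    subnet), destination is the feed object. Logging is on so hits show
#    up in the forward traffic log, which is how you confirm it works.
config firewall policy
    edit 0
        set name "Deny-ThreatFeed-Out"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "malicious-ips"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# 3. "edit 0" assigns the next free ID. Check it with "show firewall policy",
#    then move the deny policy above the existing allow policy. Assumes the
#    new policy got ID 7 and the LAN->WAN allow policy is ID 1.
config firewall policy
    move 7 before 1
end
```

    Because a FortiGate is stateful, the reply packets of a client-initiated session are matched against the existing session, not against WAN->LAN policies, which is why the feed belongs in the destination field of the outbound policy rather than in the source field of an inbound one.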

    Frogginbullfish
    New Member
    September 25, 2020

    Thanks very much for confirming - I just had to be sure. I am still fairly new to this game, as you might have guessed! I didn't know about local-in policies either, so thanks for mentioning those. The more you know.

    Markus
    New Member
    September 25, 2020

    No prob, glad to help. For local-in you have to enable the feature in System -> Feature Visibility to see it in the GUI. But creating and managing local-in policies is only possible in the CLI. Another thing: if your blocking policy won't work, you may have to enable set match-vip enable in the CLI.
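    The two CLI items from the reply above, written out as FortiOS commands. This is an added example, not configuration posted in the thread: the interface name "wan1", the feed object name "malicious-ips" and the firewall policy ID 7 are assumptions, and it assumes a FortiOS version that accepts a threat-feed address object in a local-in policy.

```text
# Added example (not from the original thread). Interface name, feed object
# name and policy ID are assumptions.

# 1. Make the local-in policy page visible in the GUI (view only; creating and
#    editing stays in the CLI).
config system settings
    set gui-local-in-policy enable
end

# 2. Local-in policies only see traffic addressed to the FortiGate itself
#    (admin GUI/SSH, VPN, etc.), so this denies the feed's sources from
#    reaching the unit's WAN interface without touching pass-through traffic.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "malicious-ips"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action deny
    next
end

# 3. match-vip is set on the firewall policy. Destination NAT for a VIP happens
#    before policy lookup, so a deny policy written against the original
#    destination would otherwise never match that traffic. Assumes ID 7 is an
#    existing deny policy.
config firewall policy
    edit 7
        set match-vip enable
    next
end
```

    After applying, "show firewall local-in-policy" confirms the rule exists; note that a deny here can also lock you out of management on that interface if the feed ever contains your own administrative source addresses, so keep a narrower allow entry for known admin hosts above it.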