Help
Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

DRUMDUDESAN
New Contributor

Created on ‎07-19-2018 11:55 AM

How to block IP Addresses from in/out of 500D?

Hi,
How to block IP Addresses from in/out of 500D? Where is the manual/video onr how do you block specific IP Addresses for any port in/out of the Fortigate 500D Firewall.
Thanks
Jeff

------------------------------
Jeff Gover [Designation]
IT Team Lead
[CompanyName]
[City] [State]
[Phone]
------------------------------
Labels:
1531
0 Kudos
5 REPLIES 5
DRUMDUDESAN
New Contributor

Created on ‎07-19-2018 01:28 PM

In other words I can not find this option in the 500D
https://docs.fortinet.com/uploaded/files/3987/fortios_firewall-56.pdf
IPv4 Access Control List
The IPv4 Access Control List is a specialized policy for denying IPv4 traffic based on:
l the incoming interface
l the source addresses of the traffic
l the destination addresses of the traffic
l the services or ports the traffic is using
The only action available in this policy is DENY
For more information on see Access Control Lists
To configure a IPv4 Access Control List entry in the GUI
1. Goto Policy & Objects > IPv4 Access Control List
The right side window will display a table of the existing IPv4 Access Control List entries.
l To edit an existing entry, double click on the policy you wish to edit
l To create a new entry, select the Create New icon in the top left side of the right window.
2. Set the Incoming Interface parameter by using the drop down menu to select a single interface.
3. Set the Source Address parameter by selecting the field with the "+" next to the field label. Single or multiple
options can be selected unless the all option is chosen in which case, it will be the only option. For more
information on addresses, check the Firewall Objects section called Addresses.
4. Set the Destination Address parameter by selecting the field with the "+" next to the field label. Single or
multiple options can be selected unless the all option is chosen in which case, it will be the only option.
5. Set the Services parameter by selecting the field with the "+" next to the field label. Single or multiple options can
be selected unless the ALL option is chosen in which case, it will be the only option. For more information on
services, check the Firewall Objects section called Services and TCP ports.
6. Toggle whether or not to Enable this policy.The default is enabled.
7. Select the OK button to save the policy.

------------------------------
Jeff Gover [Designation]
IT Team Lead
[CompanyName]
[City] [State]
[Phone]
------------------------------
1503
0 Kudos
HERBINET_Maxime
New Contributor
In response to DRUMDUDESAN

Created on ‎07-26-2018 08:20 AM

Hi,

alternatively, you can use :
- local-in policies : http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-firewall-52/Concepts/Security%20Policies/Local-In%20Policies.htm?Highlight=local-in%20policies
- blackhole route + RFP in strict mode

------------------------------
Maxime [LastName] [Designation]
Security Engineer
[CompanyName]
[City] [State]
[Phone]
------------------------------
1503
0 Kudos
DRUMDUDESAN
New Contributor
In response to HERBINET_Maxime

Created on ‎07-27-2018 07:16 AM

Hi,
I guess I am not making myself clear.

I tracked down an external VPN subnet range. I want to block the entire subnet coming in or out of our Firewall. I have found that our users are installing VPN software locally which was making it very hard to track them as the software was Mac address spoofing their LAN connections internally.

So to prevent them I want to block the entire subnet range.

Hope that makes sense.

Jeff


------------------------------
Jeff [LastName] [Designation]
IT Team Lead
[CompanyName]
[City] [State]
[Phone]
------------------------------
1503
0 Kudos
odd
New Contributor
In response to DRUMDUDESAN

Created on ‎08-02-2018 02:46 AM

Isn't the security profiles block this? Eg APP CTRL? 
Look for the app or use block proxy. I think this will do the trick.

/odd

------------------------------
Odd [LastName] [Designation]
IT Security Specialist / Senior IT Consultant
[CompanyName]
[City] [State]
[Phone]
------------------------------
1503
0 Kudos
rmoussa
Contributor
In response to DRUMDUDESAN

Created on ‎08-30-2018 01:14 AM

Hi,

If you you mean they are trying to negotiate IPSEC VPN with your fortigate, then it cannot be blocked using policies.
You need to use Local-in policies in CLI.

config firewall local-in policy

Regards
Rony

------------------------------
Rony Moussa
Fortinet NSE Certified: Level 8
------------------------------
Rony Moussa
Fortinet NSE Certified: Level 8
Rony MoussaFortinet NSE Certified: Level 8
1503
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.