Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

DRUMDUDESAN
New Contributor

How to block IP Addresses from in/out of 500D?

Hi,
How to block IP Addresses from in/out of 500D? Where is the manual/video onr how do you block specific IP Addresses for any port in/out of the Fortigate 500D Firewall.
Thanks
Jeff

------------------------------
Jeff Gover [Designation]
IT Team Lead
[CompanyName]
[City] [State]
[Phone]
------------------------------
5 REPLIES 5
DRUMDUDESAN
New Contributor

In other words I can not find this option in the 500D
https://docs.fortinet.com/uploaded/files/3987/fortios_firewall-56.pdf
IPv4 Access Control List
The IPv4 Access Control List is a specialized policy for denying IPv4 traffic based on:
l the incoming interface
l the source addresses of the traffic
l the destination addresses of the traffic
l the services or ports the traffic is using
The only action available in this policy is DENY
For more information on see Access Control Lists
To configure a IPv4 Access Control List entry in the GUI
1. Goto Policy & Objects > IPv4 Access Control List
The right side window will display a table of the existing IPv4 Access Control List entries.
l To edit an existing entry, double click on the policy you wish to edit
l To create a new entry, select the Create New icon in the top left side of the right window.
2. Set the Incoming Interface parameter by using the drop down menu to select a single interface.
3. Set the Source Address parameter by selecting the field with the "+" next to the field label. Single or multiple
options can be selected unless the all option is chosen in which case, it will be the only option. For more
information on addresses, check the Firewall Objects section called Addresses.
4. Set the Destination Address parameter by selecting the field with the "+" next to the field label. Single or
multiple options can be selected unless the all option is chosen in which case, it will be the only option.
5. Set the Services parameter by selecting the field with the "+" next to the field label. Single or multiple options can
be selected unless the ALL option is chosen in which case, it will be the only option. For more information on
services, check the Firewall Objects section called Services and TCP ports.
6. Toggle whether or not to Enable this policy.The default is enabled.
7. Select the OK button to save the policy.

------------------------------
Jeff Gover [Designation]
IT Team Lead
[CompanyName]
[City] [State]
[Phone]
------------------------------
HERBINET_Maxime

Hi,

alternatively, you can use :
- local-in policies : http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-firewall-52/Concepts/Security%20Policies/Local-In%20Policies.htm?Highlight=local-in%20policies
- blackhole route + RFP in strict mode

------------------------------
Maxime [LastName] [Designation]
Security Engineer
[CompanyName]
[City] [State]
[Phone]
------------------------------
DRUMDUDESAN

Hi,
I guess I am not making myself clear.

I tracked down an external VPN subnet range. I want to block the entire subnet coming in or out of our Firewall. I have found that our users are installing VPN software locally which was making it very hard to track them as the software was Mac address spoofing their LAN connections internally.

So to prevent them I want to block the entire subnet range.

Hope that makes sense.

Jeff


------------------------------
Jeff [LastName] [Designation]
IT Team Lead
[CompanyName]
[City] [State]
[Phone]
------------------------------
odd

Isn't the security profiles block this? Eg APP CTRL? 
Look for the app or use block proxy. I think this will do the trick.

/odd

------------------------------
Odd [LastName] [Designation]
IT Security Specialist / Senior IT Consultant
[CompanyName]
[City] [State]
[Phone]
------------------------------
rmoussa

Hi,

If you you mean they are trying to negotiate IPSEC VPN with your fortigate, then it cannot be blocked using policies.
You need to use Local-in policies in CLI.

config firewall local-in policy

Regards
Rony

------------------------------
Rony Moussa
Fortinet NSE Certified: Level 8
------------------------------
Rony Moussa
Fortinet NSE Certified: Level 8
Rony MoussaFortinet NSE Certified: Level 8
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.