Technical Tip: Configuring FortiGate policy to block traffic for one or more IP addresses

Jean-Philippe_P · ‎09-20-2006

Description

This article describes how to block an IP address.

Scope

FortiGate.

Solution

To block an IP address, create an address entry and create a firewall policy to block the address.

Create an Address Object.

Go to Policy & Objects -> Addresses.
Select Create New.
Enter a name for the address.
Enter the IP address and subnet.

Note that if blocking an internal IP address, set the netmask to 255.255.255.255, or /32. Otherwise, it could block the entire subnet.

CLI commands:

config firewall address
edit "Block-IP"

set subnet 172.16.1.30 255.255.255.255

next
end

Create a Firewall Policy.

Go to Policy & Objects -> Firewall Policy.
Select Create new.
Configure the firewall policy as required. For the Source and/or Destination address, select the address name added above.
Set the Action to Deny.
Move the firewall policy to the top of the policy list.

Creating Firewall policy from CLI use below commands:

config firewall policy
edit 4
set name "Block-suspicious"
set uuid 0b8cc866-be3d-51f0-a5e7-b794776370ae
    set srcintf "port1" <----- Source interface.
    set dstintf "port2" <----- Destination interface.
    set srcaddr "Block-IP" <----- Source address.
    set dstaddr "all" <----- Destination interface.
    set schedule "always" <----- Active all the time.
    set service "ALL" <----- Services.

set action deny <----- Action to deny logs.
set logtraffic disable
next
end

Note:

FortiGate checks firewall policies in order, starting from the top of the list. As soon as it finds a match for the traffic, it uses that policy and stops looking further. Therefore, it is recommended that the blocking policy be placed above any existing allow policy that matches the same traffic.

Technical Tip: Configuring FortiGate policy to block traffic for one or more IP addresses

You are leaving our website