Description
This article describes how to block a specific host permanently after attack traffic is detected by the DDoS protection policy.
Scope: FortiGate.
Solution
In this scenario, FortiGate has a DDoS policy configured to block DoS attack traffic above a specific threshold, and the administrator wants to permanently block the IP that the anomaly reports as the attack source.
Example:
1) Check the IP address of the host that triggered the anomaly.
# diag ips anomaly list
list nids meter:
id=tcp_port_scan ip=10.129.2.76 dos_id=1 exp=2793 pps=13 freq=337
id=udp_scan ip=10.129.2.76 dos_id=1 exp=2570 pps=0 freq=10
2) Configure the persistence option so the banned IP is kept across a power cycle.
# config firewall global
    set banned-ip-persistency permanent-only
end
3) Add the host IP to the permanent banned-IP list and confirm the entry.
# diagnose user banned-ip add src4 10.129.2.76 0 ips
# diagnose user banned-ip list
src-ip-addr    created                    expires      cause
10.129.2.76    Mon Apr 17 07:42:45 2023   indefinite   IPS
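As an added example (not part of the article or Fortinet's own tooling), the following Python helper parses the `diag ips anomaly list` output from step 1, collects the distinct source IPs, generates the step 3 ban command for each, and checks the `diagnose user banned-ip list` output for the resulting indefinite IPS entry. Both sample outputs are constructed in the layout the article shows; the `min_freq` filter is an assumption, not a FortiGate option.

```python
import re

# Constructed sample of `diag ips anomaly list` output, in the article's layout
# (one "id=..." record per anomaly; records may run together on one line).
SAMPLE_ANOMALY_OUTPUT = """list nids meter:
id=tcp_port_scan ip=10.129.2.76 dos_id=1 exp=2793 pps=13 freq=337
id=udp_scan ip=10.129.2.76 dos_id=1 exp=2570 pps=0 freq=10
id=icmp_flood ip=192.0.2.10 dos_id=2 exp=120 pps=850 freq=4
"""

# Constructed sample of `diagnose user banned-ip list` output after step 3.
SAMPLE_BANNED_OUTPUT = """src-ip-addr created expires cause
10.129.2.76 Mon Apr 17 07:42:45 2023 indefinite IPS
"""

RECORD_RE = re.compile(
    r"id=(?P<id>\S+)\s+ip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dos_id=(?P<dos_id>\d+)"
    r"\s+exp=(?P<exp>\d+)\s+pps=(?P<pps>\d+)\s+freq=(?P<freq>\d+)"
)

def parse_anomaly_list(text):
    """Return one dict per anomaly record, with the numeric fields as ints."""
    records = []
    for m in RECORD_RE.finditer(text):
        rec = m.groupdict()
        for key in ("dos_id", "exp", "pps", "freq"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def sources_to_ban(records, min_freq=1):
    """Map each source IP to the anomaly ids it triggered, keeping only records
    whose freq (threshold hits) is at least min_freq (assumed filter)."""
    by_ip = {}
    for rec in records:
        if rec["freq"] >= min_freq:
            by_ip.setdefault(rec["ip"], []).append(rec["id"])
    return by_ip

def ban_commands(by_ip):
    """Build the step 3 CLI line per IP; the '0' expiry argument produces the
    'indefinite' entry shown in the article's listing."""
    return [f"diagnose user banned-ip add src4 {ip} 0 ips" for ip in sorted(by_ip)]

def is_permanently_banned(list_output, ip):
    """True if the banned-ip listing has an IPS entry for ip with expiry 'indefinite'."""
    for line in list_output.splitlines():
        parts = line.split()
        if parts and parts[0] == ip:
            return "indefinite" in parts and parts[-1].upper() == "IPS"
    return False
```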