FortiGate
spathak
Staff
Article Id 195128

Description


This article explains how to block specific public IP addresses (or whole subnets) from reaching the internal network behind a FortiGate. It applies to configurations that already have inbound firewall policies allowing external traffic either to internal subnets that are routable from the Internet or to a Virtual IP (VIP) as the destination. By default, no externally initiated session is allowed inward until a firewall policy explicitly permits it, so an explicit deny policy is only needed where such an allow policy exists and must sit above it.

 

Scope

 

FortiGate.

Solution


Step1: Create an address object

Go to Policy & Objects -> Addresses
Click on 'Create New' and 'Address'

Category: Address
Name: Provide any name
Type: Subnet
Subnet / IP Range: x.x.x.x/32 where x.x.x.x is the specific public IP to block, or
                   x.x.x.x/24 where x.x.x.x is the network address of the subnet to block and /24 is its prefix length (use the prefix length that actually matches the subnet; a wider prefix blocks more than intended)
Interface: any
Click on 'OK' to apply the changes
 
Step2: Create IPv4 Policy

Go to Policy & Objects -> IPv4 Policy
Click on 'Create New'
Name: Provide any name
Incoming interface: WAN interface (the interface on which the unwanted traffic arrives)
Outgoing interface: LAN interface (the same outgoing interface(s) used by the existing inbound allow policies; if those policies use several interfaces, include them all, otherwise traffic towards an interface not covered by the deny policy is still allowed)
Source: Select the address object created above.
Destination: all
Schedule: always
Service: ALL
Action: DENY
Log Violation Traffic: enable, so that hits on the deny policy appear in the forward traffic log and the block can be verified.

NAT and Security Profiles do not apply to a deny policy: once Action is set to DENY the GUI no longer offers them, and a dropped packet is neither translated nor inspected, so there is nothing to enable there.

Click on 'OK' and drag the new policy to the top of the IPv4 policy list (using the ID column). FortiGate evaluates policies top-down and applies the first match, so the deny policy only takes effect if it sits above every policy that would otherwise allow the traffic.

If the existing inbound policy uses a VIP as its destination, confirm that the deny policy actually matches: a deny policy whose destination is 'all' may not match traffic whose destination has already been translated by a VIP. In the CLI, 'set match-vip enable' under the deny policy in 'config firewall policy' makes it match VIP-translated traffic; check the CLI reference for the firmware in use.

Sessions from the blocked address that were established before the deny policy was added keep running until they expire; clear them from the CLI if the block must take effect immediately.

Note: In newer firmware versions (7.0 and later) the IPv4 Policy menu is replaced by Firewall Policy under Policy & Objects; the fields and the top-down ordering rule are the same.
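The same configuration from the FortiGate CLI, as an added example that is not part of the original article. The interface names 'wan1' and 'internal', the blocked address 203.0.113.10 (a documentation range), the object and policy names and the policy IDs 12 and 3 are assumptions; substitute the real values. The last part shows how to confirm that traffic from the blocked address is hitting the deny policy rather than the allow policy.

```text
# Step 1: address object for the public IP to block (/32).
# Name and address are assumed example values.
config firewall address
    edit "BLOCK_203.0.113.10"
        set type ipmask
        set subnet 203.0.113.10 255.255.255.255
        set comment "Blocked public source (assumed example address)"
    next
end

# To block a whole subnet instead, use its network address and mask, e.g.
#     set subnet 203.0.113.0 255.255.255.0

# Step 2: deny policy on the inbound path (interface names are assumptions).
# 'edit 0' creates the policy with the next free ID.
# No NAT and no security profiles: they do not apply to a deny action.
# match-vip makes the deny also match traffic already translated by a VIP.
# logtraffic all records the denied hits in the forward traffic log.
config firewall policy
    edit 0
        set name "Deny_Blocked_Public_IP"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "BLOCK_203.0.113.10"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set match-vip enable
        set logtraffic all
    next
end

# Policies are matched top-down, first match wins. Look up the IDs with
# 'show firewall policy', then move the deny policy above the inbound allow
# policy. Assumed IDs: 12 = the new deny policy, 3 = the existing allow policy.
config firewall policy
    move 12 before 3
end

# Sessions that were allowed before the deny policy existed keep running
# until they time out. Clear the ones from the blocked address now.
diagnose sys session filter clear
diagnose sys session filter src 203.0.113.10
diagnose sys session clear

# Verify: trace packets from the blocked address and look for a
# 'Denied by forward policy check' line carrying the deny policy's ID.
diagnose debug flow filter clear
diagnose debug flow filter addr 203.0.113.10
diagnose debug flow trace start 10
diagnose debug enable
# ... wait for or generate traffic from 203.0.113.10 ...
diagnose debug flow trace stop
diagnose debug disable
diagnose debug flow filter clear
```

The 'move' step is the one most often skipped: a deny policy that sits below the allow policy is never consulted, which is why the flow trace is worth running before treating the block as done.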
 
