FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
gakshay
Staff
Description
This article describes the procedure to block suspicious application traffic destined for an internal web server.

Solution
This applies where a VIP has been created for accessing the internal server.

To stop proxy, third-party VPN, phishing, botnet and other malicious traffic from reaching the internal server through the firewall, map the corresponding Internet Service Database (ISDB) entries as the source of an IPv4 policy with action deny. Traffic matching those categories is then blocked before it reaches the VIP.

The policy configuration used in this example:
# config firewall policy
    edit 1
        set status enable
        set name "TEST Block Rule"
        set uuid 98f63964-a135-51eb-9181-811ac88df443
        set srcintf "port1"      <----- WAN.
        set dstintf "port3"      <----- LAN.
        set dstaddr "botnet"     <----- VIP Object Configured.
        set internet-service disable
        set internet-service-src enable
        set internet-service-src-name "Proxy-Proxy.Server" "VPN-Anonymizing.VPN.Server" "Botnet-C&C.Server" "Malicious-Malicious.Server" "Phishing-Phishing.Server"
        unset reputation-minimum
        set rtp-nat disable
        set action deny
        set schedule "always"
        set schedule-timeout disable
        set service "HTTP" "HTTPS"
        set tos-mask 0x00
        set anti-replay enable
        set logtraffic disable
        set logtraffic-start disable
        set session-ttl 0
        set vlan-cos-fwd 255
        set vlan-cos-rev 255
        set wccp disable
        set natip 0.0.0.0 0.0.0.0
        set tcp-mss-sender 0
        set tcp-mss-receiver 0
        set comments ''
        set block-notification disable
        set replacemsg-override-group ''
        set dstaddr-negate disable
        set service-negate disable
        set internet-service-src-negate disable
        set captive-portal-exempt disable
        set dsri disable
        set radius-mac-auth-bypass disable
        set delay-tcp-npu-session disable
        unset vlan-filter
        set send-deny-packet disable
        set match-vip disable
    next
end
Note:
An IP address can only be blocked this way if it is part of the ISDB.
To check whether an address is in the ISDB, and which Internet Service it belongs to, run:
# diag internet-service match root <ip address> <subnet mask>
# config firewall internet-service <internet service>
# get
For example:
The suspicious IP 103.28.121.58 would be blocked, because it is part of the ISDB:
# diag internet-service match root 103.28.121.58 255.255.255.255
Internet Service: 3014850 (Proxy-Proxy.Server), matched in: 2
# config firewall internet-service 3014850
# get

id : 3014850
name : Proxy-Proxy.Server
reputation : 2
icon-id : 594
sld-id : 1
direction : both
database : irdb
ip-range-number : 20622
extra-ip-range-number: 0
ip-number : 22289
singularity : 85
obsolete : 0
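As an added example (not code from the article or from Fortinet), the script below parses a constructed excerpt of the deny policy's CLI and the `diag internet-service match` / `get` output in the format shown above, and reports whether a looked-up IP would be denied by that policy. The policy excerpt and command output are sample values built from this article, not live device output.

```python
import re

# Constructed excerpt of the deny policy from this article (only the lines the check needs).
POLICY_CLI = '''
config firewall policy
    edit 1
        set internet-service-src enable
        set internet-service-src-name "Proxy-Proxy.Server" "VPN-Anonymizing.VPN.Server" "Botnet-C&C.Server" "Malicious-Malicious.Server" "Phishing-Phishing.Server"
        set action deny
    next
end
'''

# Constructed sample output of `diag internet-service match root 103.28.121.58 255.255.255.255`.
MATCH_OUTPUT = "Internet Service: 3014850 (Proxy-Proxy.Server), matched in: 2\n"

# Constructed sample of the `get` output for the matched service (abbreviated).
SERVICE_OUTPUT = "id : 3014850\nname : Proxy-Proxy.Server\nreputation : 2\ndirection : both\n"

MATCH_RE = re.compile(r"Internet Service:\s*(\d+)\s*\(([^)]+)\),\s*matched in:\s*(\d+)")


def policy_blocked_services(cli_text):
    """Return the ISDB source names a policy denies on; empty set if the policy
    does not use internet-service-src or its action is not deny."""
    if not re.search(r"^\s*set internet-service-src enable\s*$", cli_text, re.M):
        return set()
    if not re.search(r"^\s*set action deny\s*$", cli_text, re.M):
        return set()
    m = re.search(r"^\s*set internet-service-src-name (.+)$", cli_text, re.M)
    return set(re.findall(r'"([^"]+)"', m.group(1))) if m else set()


def parse_isdb_match(output):
    """Parse `diag internet-service match` output into (id, name, matched_in) tuples."""
    return [(int(i), name, int(n)) for i, name, n in MATCH_RE.findall(output)]


def parse_service_details(output):
    """Parse the 'key : value' lines printed by `get` under config firewall internet-service."""
    details = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            details[key.strip()] = value.strip()
    return details


def denied_services(match_output, cli_text):
    """Names of matched ISDB services the policy would deny (empty list = not blocked)."""
    blocked = policy_blocked_services(cli_text)
    return [name for _, name, _ in parse_isdb_match(match_output) if name in blocked]
```

An address that returns no `Internet Service:` line from the match command yields an empty list, which is the case where the note above applies: the ISDB policy cannot block it and a conventional address object is needed instead.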
