# config firewall policy
NOTE: the "<-----" markers below are explanatory annotations, not part of the CLI output.
edit 1
set status enable
set name "TEST Block Rule"
set uuid 98f63964-a135-51eb-9181-811ac88df443
set srcintf "port1" <----- WAN.
set dstintf "port3" <----- LAN.
set dstaddr "botnet" <----- VIP Object Configured.
set internet-service disable
set internet-service-src enable
set internet-service-src-name "Proxy-Proxy.Server" "VPN-Anonymizing.VPN.Server" "Botnet-C&C.Server" "Malicious-Malicious.Server" "Phishing-Phishing.Server"
unset reputation-minimum
set rtp-nat disable
set action deny
set schedule "always"
set schedule-timeout disable
set service "HTTP" "HTTPS"
set tos-mask 0x00
set anti-replay enable
set logtraffic disable
set logtraffic-start disable
set session-ttl 0
set vlan-cos-fwd 255
set vlan-cos-rev 255
set wccp disable
set natip 0.0.0.0 0.0.0.0
set tcp-mss-sender 0
set tcp-mss-receiver 0
set comments ''
set block-notification disable
set replacemsg-override-group ''
set dstaddr-negate disable
set service-negate disable
set internet-service-src-negate disable
set captive-portal-exempt disable
set dsri disable
set radius-mac-auth-bypass disable
set delay-tcp-npu-session disable
unset vlan-filter
set send-deny-packet disable
set match-vip disable
next
end
# diag internet-service match root <ip address> <subnet mask>
For example, to check which Internet Service entry a given address matches:
# config firewall internet-service <internet service>
# get
# diag internet-service match root 103.28.121.58 255.255.255.255
Internet Service: 3014850 (Proxy-Proxy.Server), matched in: 2
# config firewall internet-service 3014850
# get
id : 3014850
name : Proxy-Proxy.Server
reputation : 2
icon-id : 594
sld-id : 1
direction : both
database : irdb
ip-range-number : 20622
extra-ip-range-number: 0
ip-number : 22289
singularity : 85
obsolete : 0