Description
This article describes the procedure for blocking suspicious application traffic (proxy, third-party VPN, phishing, botnet and other malicious sources) destined for an internal web server published through a VIP.
Scope
FortiGate.
Solution
This applies when a VIP has been created for access to the internal server.
To stop proxy, third-party VPN, phishing and other malicious traffic from reaching the internal server through the firewall, map the matching Internet Service Database (ISDB) source objects to the inbound IPv4 policy with action deny. Traffic whose source IP falls in one of the selected ISDB categories is then denied before it reaches the VIP.
The policy used for this is shown below.
From CLI:
config firewall policy
edit 1
set status enable
set name "in-bound_malicious"
set uuid 98f63964-a135-51eb-9181-811ac88df443
set srcintf "virtual-wan-link" <----- WAN/SDWAN
set dstintf "port2" <----- LAN.
set dstaddr "botnet" <----- VIP Object Configured.
set internet-service disable
set internet-service-src enable
set internet-service-src-name "Botnet-C&C.Server" "Phishing-Phishing.Server" "Proxy-Proxy.Server" "Spam-Spamming.Server" "Tor-Relay.Node" "Tor-Exit.Node" "Malicious-Malicious.Server"
unset reputation-minimum
set rtp-nat disable
set action deny
set schedule "always"
set schedule-timeout disable
set service "HTTP" "HTTPS"
set tos-mask 0x00
set anti-replay enable
set logtraffic disable
set logtraffic-start disable
set session-ttl 0
set vlan-cos-fwd 255
set vlan-cos-rev 255
set wccp disable
set natip 0.0.0.0 0.0.0.0
set tcp-mss-sender 0
set tcp-mss-receiver 0
set comments ''
set block-notification disable
set replacemsg-override-group ''
set dstaddr-negate disable
set service-negate disable
set internet-service-src-negate disable
set captive-portal-exempt disable
set dsri disable
set radius-mac-auth-bypass disable
set delay-tcp-npu-session disable
unset vlan-filter
set send-deny-packet disable
set match-vip disable
next
end
From GUI:
Path: Policy & Objects -> Firewall Policy, then select 'Create New' and configure the same policy as above (the ISDB objects as Source, the VIP as Destination, action Deny).
Note:
A suspicious IP address can be blocked this way only if it is part of the ISDB. Check whether it is by executing:
diag internet-service match root <ip address> <subnet mask>
config firewall internet-service <internet service>
get
For example:
The suspicious IP 103.28.121.58 is blocked because it is part of the ISDB (it matches the Proxy-Proxy.Server entry referenced by the policy):
diag internet-service match root 103.28.121.58 255.255.255.255
Internet Service: 3014850 (Proxy-Proxy.Server), matched in: 2
# config firewall internet-service 3014850
# get
id : 3014850
name : Proxy-Proxy.Server
reputation : 2
icon-id : 594
sld-id : 1
direction : both
database : irdb
ip-range-number : 20622
extra-ip-range-number: 0
ip-number : 22289
singularity : 85
obsolete : 0
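To confirm that an IP returned by 'diag internet-service match' actually falls under one of the ISDB source objects the deny policy above references, the following Python helper parses the two outputs shown in this note and compares the matched entry name against the policy's internet-service-src-name list. This is an added example, not code from the Fortinet article or from FortiOS; it assumes the CLI output is pasted in exactly as printed, and the function names and the non-matching sample entry are constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# ISDB source objects referenced by the deny policy "in-bound_malicious" above.
POLICY_ISDB_SOURCES = [
    "Botnet-C&C.Server",
    "Phishing-Phishing.Server",
    "Proxy-Proxy.Server",
    "Spam-Spamming.Server",
    "Tor-Relay.Node",
    "Tor-Exit.Node",
    "Malicious-Malicious.Server",
]

# Output of 'diag internet-service match root 103.28.121.58 255.255.255.255'
# as printed in this note.
MATCH_OUTPUT = "Internet Service: 3014850 (Proxy-Proxy.Server), matched in: 2\n"

# Output of 'config firewall internet-service 3014850' followed by 'get',
# as printed in this note.
GET_OUTPUT = """\
id : 3014850
name : Proxy-Proxy.Server
reputation : 2
icon-id : 594
sld-id : 1
direction : both
database : irdb
ip-range-number : 20622
extra-ip-range-number: 0
ip-number : 22289
singularity : 85
obsolete : 0
"""

# One line per matched ISDB entry; an IP can belong to several entries.
MATCH_LINE = re.compile(
    r"Internet Service:\s*(?P<id>\d+)\s*\((?P<name>[^)]+)\),\s*matched in:\s*(?P<count>\d+)"
)


def parse_match_output(text: str) -> List[Dict[str, object]]:
    """Return every 'Internet Service: <id> (<name>), matched in: <n>' line as a dict.
    An IP that is not in the ISDB produces no such line, so the result is empty."""
    entries: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = MATCH_LINE.search(line)
        if m:
            entries.append({
                "id": int(m.group("id")),
                "name": m.group("name"),
                "matched_in": int(m.group("count")),
            })
    return entries


def parse_get_output(text: str) -> Dict[str, str]:
    """Parse the 'key : value' block printed by 'get'. Split on the first colon,
    because some keys (extra-ip-range-number:) are printed without a space before it."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def blocking_service(match_output: str, policy_sources: List[str]) -> Optional[str]:
    """Name of the first matched ISDB entry that the deny policy references, or None when
    the IP is outside the ISDB or belongs only to entries the policy does not list."""
    wanted = set(policy_sources)
    for entry in parse_match_output(match_output):
        if entry["name"] in wanted:
            return str(entry["name"])
    return None


if __name__ == "__main__":
    hit = blocking_service(MATCH_OUTPUT, POLICY_ISDB_SOURCES)
    info = parse_get_output(GET_OUTPUT)
    print("103.28.121.58 denied by policy via:", hit)
    print("entry reputation:", info["reputation"], "ip-number:", info["ip-number"])
    # Constructed sample: an IP matched only by an entry the policy does not reference.
    other = "Internet Service: 0 (Constructed-Other.Service), matched in: 1\n"
    print("constructed other-category IP denied:",
          blocking_service(other, POLICY_ISDB_SOURCES) is not None)
```

Running it reports that 103.28.121.58 is denied through Proxy-Proxy.Server, while an IP whose only ISDB match is a category absent from the policy is not; if the match command prints no 'Internet Service:' line at all, the IP is outside the ISDB and needs a different control (for example an address object) rather than this policy.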
Copyright 2025 Fortinet, Inc. All Rights Reserved.