Created on 08-26-2025 01:06 AM
Edited on 08-28-2025 11:29 PM
By Jean-Philippe_P
Description
This article describes the traffic handled by FortiGate when a Ban IP is added.

Scope
FortiGate.

Solution
The IP ban feature enforces access control by blacklisting specified source IP addresses, so that all traffic associated with those addresses is dropped at the firewall.
When an IP address is banned, the system forcibly terminates all active sessions from that source, ensuring that ongoing connections are cut off immediately.
Even after the IP is banned, SSH/HTTPS/PING to the FortiGate's own interface still works. This is because IP ban evaluation is performed only when traffic matches a firewall policy configured with an ACCEPT action.
If the source address is on the ban list, the effective action of that policy is overridden to DENY. This applies only to passthrough traffic; traffic destined for the FortiGate itself is not subject to the ban check.
In the example below, 10.32.22.43 is added to the Ban IP by Admin.
kaon-kvm42 # diagnose user banned-ip list
Debug Sample of traffic blocked due to the Ban IP:
kaon-kvm42 # id=65308 trace_id=16 func=print_pkt_detail line=6194 msg="vd-root:0 received a packet(proto=6, 10.32.22.43:15498->10.5.141.231:4433) tun_id=0.0.0.0 from port1. flag [S], seq 3414889184, ack 0, win 64240"
Debug sample of PING to FortiGate's interface with the same Ban IP:
kaon-kvm42 # id=65308 trace_id=26 func=print_pkt_detail line=6194 msg="vd-root:0 received a packet(proto=1, 10.32.22.43:1->10.5.141.231:2048) tun_id=0.0.0.0 from port1. type=8, code=0, id=1, seq=16."
The above debug shows reply packets from the FortiGate for ICMP.
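The following CLI sequence is an added example, not part of the original article, showing how to reproduce the behaviour above and how to cover the gap it describes. The commands are standard FortiOS CLI (assumed to be available on the firmware in use, not taken from the article); the address object name, the policy ID, and the ban duration and cause values are constructed for this example, while the source IP and port1 come from the article. Step 3 adds a local-in policy so that a banned host is also denied management access (SSH/HTTPS/PING) to the interface, which the ban list alone does not do.

```fortios
# --- 1. Ban the host from the CLI (equivalent to the GUI action in the article) ---
# Syntax: diagnose user banned-ip add src4 <ip> <duration-seconds> <cause>
# duration 0 = indefinite; cause "admin" records it as a manual ban (constructed values)
diagnose user banned-ip add src4 10.32.22.43 0 admin
diagnose user banned-ip list

# --- 2. Verify that only passthrough traffic is affected ---
# Trace packets from the banned host and compare against the two samples in the article:
# passthrough traffic matching an ACCEPT policy is denied, ICMP/SSH/HTTPS to port1's own
# address is still answered because it is handled by the local-in path, not a forward policy.
diagnose debug flow filter addr 10.32.22.43
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
# ... generate traffic from 10.32.22.43 here, then stop the trace:
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear

# --- 3. Close the gap: deny the banned host on the FortiGate's own interface ---
# Address object name and local-in policy ID 1 are constructed for this example.
config firewall address
    edit "banned-host-10.32.22.43"
        set subnet 10.32.22.43 255.255.255.255
    next
end
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "banned-host-10.32.22.43"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action deny
    next
end

# --- 4. Lift the ban and remove the local-in policy when no longer needed ---
diagnose user banned-ip delete src4 10.32.22.43
config firewall local-in-policy
    delete 1
end
```

The local-in policy is the piece to remember: the ban list protects hosts behind the FortiGate, but management reachability from a banned source is only closed by a local-in policy (or by restricting the administrative access settings on the interface).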
Copyright 2025 Fortinet, Inc. All Rights Reserved.