FortiGate
seshuganesh
Staff
Article Id 232360
Description

This article describes what to do when IP addresses that access the firewall itself are still not blocked after a firewall policy has been created.
Solution

The firewall policy created in this way applies only to pass-through traffic. It is not applied to traffic that is destined to the firewall itself (traffic whose destination is one of the FortiGate's own interface addresses).

To control traffic that is destined directly to the firewall, configure a local-in policy on the FortiGate to block that traffic on the WAN interface.

See this documentation article for the procedure:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/363127/local-in-policies

Use these commands to control the traffic:

config firewall local-in-policy
    edit <policy_number>
        set intf <interface>
        set srcaddr <source_address>          [address object for the blocked source IP]
        set dstaddr <destination_address>     [address object for the destination, e.g. the firewall interface IP]
        set action {accept | deny}
        set service <service_name>            [name of the specific service]
        set schedule <schedule_name>
    next
end
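A concrete local-in policy built from the template above, added here as an illustration and not taken from the Fortinet article; the interface name wan1, the address object name blocked-src, the source address 203.0.113.10 (a documentation range) and the HTTPS/SSH services are assumed values, so substitute your own. Because local-in policies are matched top-down, the deny entry is given the lowest ID so it is evaluated before any later accept entry.

```text
config firewall address
    edit "blocked-src"
        set subnet 203.0.113.10 255.255.255.255
    next
end

config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "blocked-src"
        set dstaddr "all"
        set action deny
        set service "HTTPS" "SSH"
        set schedule "always"
    next
end

show firewall local-in-policy

diagnose sniffer packet wan1 'host 203.0.113.10 and (port 443 or port 22)' 4
```

The show command confirms the policy was saved; the sniffer shows the inbound packets from the blocked host arriving on wan1, with no reply traffic leaving once the policy is in effect.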