Umesh
New Contributor II

IP blocking in fortigate 1200D on particular policy

Dear All,


Can anyone tell us how many IPs we can block on a particular policy? For instance:

Let's suppose we have created one policy on the FortiGate firewall and I want to block IPs one by one. How many IPs can we block, and is there any limitation on a firewall policy?

Actually, the thing is that we have to block around 10000 IPs on the FortiGate firewall.

Regards,

Umesh Prajapati

AlexC-FTNT
Staff

Hello Umesh,

Blocking IPs in a policy one by one is probably not the best approach to... anything that has more than 20-30 IPs.

You can use DDoS, GeoIP to block by country, external resources to store these IPs as a file on an external server, or use trusted hosts for admin users managing the unit.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-External-threat-list-threat-feed-blocked-v...

The public IPs that are showing attacks are too many to block like this, and they change too often to be worth the effort of setting up such a policy, and also the effort of maintaining it through the GUI.

However, there is no limit to the number of objects in the policy, but there is a limit on the total number of address objects in the FortiGate (version dependent):

https://docs.fortinet.com/max-value-table
(select your unit and firmware version, and search for firewall.address)


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
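Building the plain-text list that the external-resource (threat feed) approach above fetches, as an added example that is not from the thread or from Fortinet: it validates a raw export of several thousand entries, drops malformed lines, and collapses duplicates, contained subnets and adjacent hosts into the fewest CIDRs so the FortiGate pulls fewer objects. The sample input is constructed; the one-entry-per-line format with `#` comments follows the FortiOS IP threat-feed format, and `max_entries` is a placeholder for the per-feed limit you look up for your model and firmware.

```python
import ipaddress

# Constructed sample input: a raw "IPs to block" export with duplicates,
# an overlapping subnet, adjacent hosts, malformed lines and an IPv6 host.
RAW_ENTRIES = """
# exported from the SIEM (constructed sample)
198.51.100.7
198.51.100.7
198.51.100.0/24
203.0.113.5
203.0.113.4
203.0.113.6
203.0.113.7
not-an-ip
10.0.0.1/33
2001:db8::1
"""


def build_feed(raw: str):
    """Parse one IP/CIDR per line ('#' starts a comment), validate each entry,
    and collapse duplicates, contained subnets and adjacent blocks into the
    smallest list of CIDRs. Returns (feed_entries, rejected_entries)."""
    v4, v6, rejected = [], [], []
    for line in raw.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:  # hostnames, bad prefix lengths, typos
            rejected.append(entry)
            continue
        (v4 if net.version == 4 else v6).append(net)
    merged = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    # Single hosts are written without a prefix, subnets in CIDR form
    entries = [str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
               for n in merged]
    return entries, rejected


def render_feed(entries, max_entries):
    """Text to serve at the URL given in 'config system external-resource'
    (set type address / set resource <url>). max_entries is a placeholder for
    the per-feed limit of your model and firmware; check the max-value table."""
    if len(entries) > max_entries:
        raise ValueError(f"{len(entries)} entries exceed the feed limit of {max_entries}")
    return "# generated blocklist\n" + "\n".join(entries) + "\n"


if __name__ == "__main__":
    feed, bad = build_feed(RAW_ENTRIES)
    print(render_feed(feed, max_entries=10000))
    print("rejected:", bad)
```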
Toshi_Esumi
Esteemed Contributor II

Just keep in mind that if you want to block access to your FGT, like VPNs, HTTPS, SSH, etc., you need to use a local-in policy instead. Regular policies are for traffic coming through, from one interface to another interface.

Toshi