Umesh
Contributor

How to block bulk public IPs in FortiGate

Dear All,

Greetings,

I just want to know whether there is any feasible solution in FortiGate if I want to block bulk public IPs.

For example - 1.1.1.1/32

Note - I have to block around 2500 public IPs in our organization at the FortiGate firewall.

So please, can anyone help me understand how to block these IPs?

Please also share a roadmap to block these IPs if you know.

Thank you

1 Solution
Yurisk
Valued Contributor

Yes, you have to host the block list on an HTTP server in your network if it is a custom block list, not one bought from a 3rd-party provider. Then you create an External Fabric connector with the URL of this server for FortiGate to download the feed.

See screenshot attached (fortinet.forum-external-feed.png). For more details you can also see my post here: Using external threat feeds in FortiGate has become much easier with 6.0 and 6.2 versions

HTH

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.

seshuganesh
Staff

Hi Team,

The best way is to use threat feeds.

Please follow this article for the same:

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/9463/threat-feeds
You can use this article for the same.

You require a web server where you need to host one text file with all those IP addresses.

Umesh

Hi dear,

Are there any external servers we need to create, or is there something else we have to do for it?

vdralio
Staff

Dear Umesh,

You can use a web server, on an internal or external network, that FortiGate can reach to retrieve the list of IP addresses you have added.

Like in the article below:

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/891236/external-block-list-threat-feed-p...

config system external-resource
   edit "test-external-iplist-1"
      set status enable
      set type address
      set username ''
      set password ENC 
      set comments ''
      set resource "http://10.6.30.55/ip_list_test/test-external-iplist-2.txt" <---
      set refresh-rate 15
   next
end

So you can put the file on the web server, where it can be reached over HTTP.

Best Regards,

Vasil

malam
Staff

Hi,

One way to block access to your FortiGate from the public IPs is to configure a local-in-policy.

For example:

Configure an address object:

config firewall address
edit public_IP_to_block
set subnet 1.1.1.0 255.255.255.0
next
end

If you have multiple subnets to block, you can configure more address objects and make an address-object group.

config firewall local-in-policy
edit 1
set intf wan1
set srcaddr "public_IP_to_block" <--- Address object or address-object group
set dstaddr "all" <--- it can be all, or you can define any address group (e.g. to block access to WAN1, configure an address object for that WAN IP)
set action deny
set service "ALL"
set schedule "always"
next
end

Mahboob Alam
Umesh
Contributor

Hi Mahboob,

I have around 5000 IPs which have to be blocked in the Fortinet firewall. Do you know whether it is possible to block them one by one? As I know, it is very tough work for me. Do you have any feasible solution for it?

malam

Hi Umesh,

You can configure as many address objects as needed (even with different types), make an address group of all these address objects, and set this address group as srcaddr in the local-in-policy.
And if in future you need to add any new address object, just create it and add it into the address group.

Below is an example for your reference:


config firewall address
edit "1"
set type iprange
set start-ip 10.10.10.0
set end-ip 10.10.10.200
next
edit "2"
set type geography
set country "AU"
next
edit "3"
set subnet 172.16.0.0 255.255.0.0
next
end

config firewall addrgrp
edit "block_groupe"
set member "1" "2" "3"
next
end

config firewall local-in-policy
edit 1
set intf "wan1"
set srcaddr "block_groupe"
set dstaddr "all"
set action deny
set service "ALL"
set schedule "always"
next
end

Mahboob Alam
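
Both approaches in this thread (the external-resource feed and the address group used in a local-in-policy) start from the same raw list of a few thousand entries. The following Python script is an added example, not code from any poster or from Fortinet: it validates and collapses a raw list, then emits the text file for the feed URL and the `config firewall address` / `config firewall addrgrp` commands shown above. The `blk_` object prefix, the `MIN_PREFIX` threshold, the sample entries and the one-entry-per-line feed layout are assumptions made for illustration.

```python
import ipaddress

MIN_PREFIX = 8  # assumption: anything broader than a /8 is treated as a typo

def normalize(lines):
    """Return (collapsed IPv4 networks, rejected entries) from raw list lines."""
    nets, rejected = [], []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()  # allow trailing comments
        if not entry:
            continue
        try:
            # strict=True rejects host bits set (1.1.1.5/24) instead of widening
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            rejected.append(entry)
            continue
        # a "public IP" block list must not contain private space or IPv6 here
        if net.version != 4 or net.is_private or net.prefixlen < MIN_PREFIX:
            rejected.append(entry)
        else:
            nets.append(net)
    # collapse_addresses drops duplicates, covered subnets and merges neighbours
    return list(ipaddress.collapse_addresses(nets)), rejected

def feed_text(nets):
    """Plain-text feed body: one address or CIDR per line (assumed layout)."""
    return "".join(f"{n.network_address if n.prefixlen == 32 else n}\n" for n in nets)

def cli_script(nets, group="block_groupe", prefix="blk_"):
    """FortiOS CLI for address objects plus the group, as in the thread."""
    out, names = ["config firewall address"], []
    for i, n in enumerate(nets, 1):
        names.append(f'"{prefix}{i}"')  # hypothetical object names blk_1, blk_2, ...
        out += [f"edit {names[-1]}", f"set subnet {n.network_address} {n.netmask}", "next"]
    out += ["end", "config firewall addrgrp", f'edit "{group}"',
            "set member " + " ".join(names), "next", "end"]
    return "\n".join(out) + "\n"

# Constructed sample input, not a real block list
SAMPLE = ["1.1.1.1/32", "1.1.1.1", "2.2.2.2", "2.2.2.3",
          "1.1.1.0/24  # covers 1.1.1.1", "10.6.30.55  # private",
          "1.1.1.5/24", "not-an-ip", ""]

if __name__ == "__main__":
    nets, bad = normalize(SAMPLE)
    print(feed_text(nets), cli_script(nets), "rejected:", bad, sep="\n")
```

Review the rejected entries by hand before publishing the feed or pasting the CLI, since a private or overly broad entry in a deny policy on wan1 can cut off management access.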