Fortinet Forum
Umesh
New Contributor II

how to block malicious IP || 5000 IPs ||

Dear All,

How to block malicious IPs using the external threat option?

I am new here and don't know how to create an external server for those IPs. If anyone has an idea, please let me know.

It is not possible for me to block 5000 IPs in a single policy or across multiple policies.

Regards,

Umesh

Yurisk
Valued Contributor

Creating 5000 address objects is not a good idea, Fortigate performance-wise. As you correctly noticed, you have external feeds for that, but to use this feature you have to have some external server (managed by you or by the threat list provider) that hosts this IP list in a text format downloadable by the Fortigate via HTTP. You cannot manually import a list of IPs to the Fortigate as is.

I wrote a short post with screenshots on how to do so, which you may find helpful: https://yurisk.info/2020/08/08/fortigate-using-external-threat-feeds-and-ip-domain-block-lists/

Yuri
https://yurisk.info/ blog: All things Fortinet, no ads.


All opinions are mine only.
Umesh
New Contributor II

Hi Yuri,

I wanted to know how to create it on servers. Actually, I don't have any idea; could you please guide me?

Thank you

Yurisk
Valued Contributor

In general terms:

  1. You install/set up an HTTP server (say Apache/Nginx) on the local network and make it serve your IPs-to-block list via a URL, say http://10.10.10.11/blocklist.txt. Any HTTP-accessible storage will do, e.g. I have a client that combines a few such feeds into one file stored in an AWS S3 bucket, then the Fortigate downloads this list from there, with no need for a local web server.
  2. You create a text file, e.g. blocklist.txt, where you put all the IPs you want to block, in the following format:

# last updated 1595753401 (Sun Jul 26 08:50:01 2020 GMT)
0.0.0.0/8
5.44.248.0/21
5.57.208.0/21
5.172.176.0/21

  3. You create an External Threat Feed in the Fortigate that you point to the URL http://10.10.10.11/blocklist.txt, then use it in the rules.

Yuri
https://yurisk.info/ blog: All things Fortinet, no ads.


All opinions are mine only.
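The step Umesh is stuck on is producing the blocklist.txt file itself. The script below is an added example, written for this thread and not taken from Yuri's post, his blog, or any Fortinet tool. It takes raw IP entries (assumed to be one address or CIDR per line, with '#' comments, as in the sample file above), drops duplicates, merges adjacent ranges, rejects anything that does not parse instead of silently skipping it, and writes the same "# last updated" header Yuri's sample shows. The output file is what you then place on the HTTP server or S3 bucket for the Fortigate to download. The sample input and the 10.10.10.11 URL are constructed for illustration.

```python
#!/usr/bin/env python3
"""Build a FortiGate-style IP threat feed file (added example, not from the thread).

Assumed input: raw IPv4 addresses or CIDRs, one per line, '#' comments allowed.
Output: one CIDR per line plus a '# last updated <epoch> (<date> GMT)' header,
matching the sample blocklist.txt format shown in the thread.
"""
import ipaddress
import sys
import time

# Constructed sample input for demonstration; not a real threat feed.
SAMPLE_RAW = """\
# constructed sample input, not a real feed
0.0.0.0/8
5.44.248.0/21
5.44.248.0/21          # duplicate of the line above
5.57.208.0/21
5.57.216.0/21          # adjacent to 5.57.208.0/21, merges into a /20
5.172.176.0/21
203.0.113.7            # single host (TEST-NET-3 documentation range)
300.1.1.1              # invalid, must be reported rather than dropped
2001:db8::/32          # IPv6, does not belong in this IPv4 feed
"""


def parse_entries(text):
    """Return (networks, rejected) for the raw feed text.

    networks: list of IPv4Network objects that parsed cleanly.
    rejected: list of (line_number, original_line) for anything that did not,
    so a typo in a feed is visible instead of quietly leaving a host unblocked.
    """
    networks, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        try:
            # strict=False masks host bits, e.g. 5.44.248.3/21 -> 5.44.248.0/21
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append((lineno, raw.strip()))
            continue
        if net.version != 4:
            rejected.append((lineno, raw.strip()))
            continue
        networks.append(net)
    return networks, rejected


def build_feed(text, now=None):
    """Return (feed_text, rejected): the finished file content and the bad lines."""
    networks, rejected = parse_entries(text)
    # collapse_addresses removes duplicates and merges adjacent or overlapping
    # ranges, so 5000 raw entries usually become noticeably fewer objects.
    collapsed = list(ipaddress.collapse_addresses(networks))
    ts = int(time.time()) if now is None else now
    stamp = time.strftime('%a %b %d %H:%M:%S %Y GMT', time.gmtime(ts))
    lines = [f'# last updated {ts} ({stamp})']
    lines += [str(n) for n in collapsed]       # hosts come out as x.x.x.x/32
    return '\n'.join(lines) + '\n', rejected


if __name__ == '__main__':
    # Usage: python3 build_feed.py [raw_input.txt] > blocklist.txt
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RAW
    feed, rejected = build_feed(raw)
    for lineno, bad in rejected:
        # Report on stderr so the feed on stdout stays clean for the firewall.
        print(f'rejected line {lineno}: {bad}', file=sys.stderr)
    sys.stdout.write(feed)
    # Copy the output to the web server, e.g. http://10.10.10.11/blocklist.txt,
    # then point the External Threat Feed at that URL as described above.
```

Two points worth keeping in mind when you run this for real: the rejected-line report is the check that matters, because a malformed entry that is silently dropped means that host is not blocked and nobody knows; and because the Fortigate trusts whatever it downloads from that URL, the file should live on a host only you can write to, and serving it over HTTPS rather than plain HTTP keeps anyone on the path from swapping in their own list.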
Umesh
New Contributor II

I have found the YouTube video below, from which I have seen how to do it:

https://www.youtube.com/watch?v=iudWn16Dxus