Support Forum
wismail (New Contributor)

BAN IP LIST

So I am seeing lots of scanning and attempts to connect from different countries across the globe.

All of them have been denied by the explicit deny policy "0" on the FortiGate. However, after a few searches I was recommended to create an external IP threat feed and add it to a deny rule to ban these IPs.

So I am seeing the same behavior, but instead of being blocked by policy "0" it is being blocked by the new deny policy. So I don't understand what the point is of doing that instead of letting the explicit deny policy "0" handle it.

Your feedback is appreciated.


[Attachment: denypolicy.JPG]

Wael Ismail
gfleming (Staff)

To be honest I do not see the benefit, either. Unless you want to turn off logging on the blacklisted policy to free up your logs from known stuff that you don't care to track?

Alternatively you can leverage IPS rules to automatically quarantine these IPs so they are no longer able to initiate connections; they will be blocked and will no longer create FW logs.

Cheers,
Graham
wismail

Thanks for confirming. However, creating an IPS custom signature is not an easy job.

I wish that there was an option to create a quarantine rule based on an IP list, and that's it.

Wael Ismail
gfleming

There are predefined IPS signatures for this already: port scanning, brute-force login attempts, etc. You just need to edit the action to quarantine and adjust the values before an IP gets quarantined.

Cheers,
Graham
wismail

Do you have a link to a guide or something? It is quite confusing: in the table for "PortScanning" the action says "Pass", and in the main Action it says "Block, Monitor, Reset, Quarantine".
Also, how do I make use of this external IP threat feed?

Wael Ismail
gfleming (Staff, accepted solution)

You don't need to use the external IP threat feed. You use the IPS signature to detect when someone is port scanning or brute forcing or otherwise and the firewall will automatically quarantine that IP address and prevent it from making any more connections.

It's all documented here: https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/583477/configuring-an-ips-se...

Look at "rate-based" settings and "quarantine" options for the various signatures that apply to you.

Cheers,
Graham
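As an added illustration of Graham's suggestion (this is not from the thread or from Fortinet's documentation), here is a FortiOS CLI sketch of an IPS sensor whose entry uses the rate-based settings and quarantines the attacker, then attaches that sensor to an accept policy. The sensor name, signature ID, thresholds, policy ID and interface names are all placeholders you must replace. One caveat a practitioner should keep in mind: an IPS sensor only inspects traffic that an accept policy passes, so it belongs on the policy that publishes the probed service (for example SSL VPN or a public server), not on a deny policy, and traffic that already dies on the deny policies never reaches it.

```fortios
# Added example (not from the thread). All names, IDs and thresholds are placeholders.
config ips sensor
    edit "quarantine-scanners"
        set comment "Quarantine sources that trip rate-based scan / brute-force signatures"
        config entries
            edit 1
                # Placeholder: replace 12345 with the numeric ID of the predefined
                # signature you want (port scan, brute-force login, ...) as shown in
                # the IPS signature list in the GUI.
                set rule 12345
                set status enable
                set log enable
                set action block
                # Rate-based trigger: 10 hits from the same source IP within 60 seconds
                set rate-count 10
                set rate-duration 60
                set rate-mode periodical
                set rate-track src-ip
                # Quarantine the attacking IP for one day and log the quarantine event
                set quarantine attacker
                set quarantine-expiry 1d
                set quarantine-log enable
            next
        end
    next
end

# Attach the sensor to the accept policy that exposes the service being probed.
# Policy ID 3 is a placeholder for your own policy.
config firewall policy
    edit 3
        set utm-status enable
        set ips-sensor "quarantine-scanners"
    next
end

# List the sources currently quarantined (entries drop off after quarantine-expiry).
diagnose user quarantine list
```

Tune rate-count and rate-duration to your own traffic before enabling quarantine: a threshold that is too low will quarantine legitimate users who mistype a password a few times, and a quarantined source cannot reach anything through the FortiGate until the expiry passes or you remove it manually.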
amouawad (Staff)

The main benefit I see here is to do with the load on the FortiGate. If you don't have that deny rule at the top then the FGT will go through each firewall policy to look for a match before it denies it. If you have thousands of rules then that can put extra unnecessary load on the FGT.

By having the deny policy at the top it's the first check the FGT will do and block it before going through other policies.
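As an added example (not from the thread) of the setup the OP asked about and the ordering point made above: a FortiOS CLI sketch that defines an external IP threat feed as an address object, denies it in a dedicated policy with logging turned off (Graham's suggestion for keeping known noise out of the logs), and moves that policy to the top of the table so it is the first match evaluated. The feed URL, object name, policy IDs and interface names are placeholders.

```fortios
# Added example (not from the thread). URL, names, policy IDs and interfaces are placeholders.

# 1. Pull the ban list from an external source. The file is plain text with one
#    IP address or CIDR per line; lines starting with "#" are comments.
config system external-resource
    edit "banned-ips"
        set type address
        set status enable
        set resource "https://feeds.example.com/banned.txt"
        set refresh-rate 60
    next
end

# 2. Deny those sources in a dedicated policy. logtraffic is disabled so the
#    known-noise blocks stop filling the traffic log, which is the one practical
#    difference from letting the implicit deny (policy 0) drop them.
config firewall policy
    edit 10
        set name "Block-banned-ips"
        set srcintf "wan1"
        set dstintf "any"
        set srcaddr "banned-ips"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
    # 3. Move the new policy above policy 1 (placeholder for your current top policy)
    #    so it is evaluated before everything else.
    move 10 before 1
end
```

Two checks worth doing after this: confirm in the GUI that the threat feed shows a non-zero entry count (an unreachable URL or a malformed line leaves you with an empty object that matches nothing), and confirm the policy list order, since a policy created from the GUI or CLI lands at the bottom until it is moved.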

wismail

That makes sense! But I have only 6 rules, so I don't think it will hinder the performance.

Wael Ismail