So I am seeing lots of scanning and trials to connect from different countries across the globe.
All has been denied by the explicit deny policy "0" on the Fortigate. however, after few searches I was recommended to create External IP threat feed and add it a deny rule to ban these IPs.
So, I am seeing the same behavior but instead of being blocked by Policy"0" it is being blocked by the new deny policy. so I don't understand what the point is of doing that instead of letting the explicit deny policy "0" handle it.
Your feedback is appreciated.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
You don't need to use the external IP threat feed. You use the IPS signature to detect when someone is port scanning or brute forcing or otherwise and the firewall will automatically quarantine that IP address and prevent it from making any more connections.
It's all documented here: https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/583477/configuring-an-ips-se...
Look at "rate-based" settings and "quarantine" options for the various signatures that apply to you.
To be honest I do not see the benefit, either. Unless you want to turn off logging on the Blacklisted policy to free up your logs from known stuff that you don't care to track?
Alternatively you can leverage IPS rules to automatically quarantine these IPs so they no longer are able to initiate connections—they will be blocked and no longer creating FW logs.
Thanks for confirming. however, creating an IPS custom signature is not an easy job.
I wish that there was an option to create quarantine rule based on IP list and that's it.
There are predefined IPS signatures for this already. Port Scanning, Brute Force login attempts, etc. You just need to edit the action to quarantine and adjust the values before an IP gets quarantined..
Do you have a link to guide or Something. it is quite confusing, in the table of "PortScanning" the action says "Pass" and in the main Action "Block, Monitor, reset, Quarantine"
also how do I make use of these external IP threat Feed!?
You don't need to use the external IP threat feed. You use the IPS signature to detect when someone is port scanning or brute forcing or otherwise and the firewall will automatically quarantine that IP address and prevent it from making any more connections.
It's all documented here: https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/583477/configuring-an-ips-se...
Look at "rate-based" settings and "quarantine" options for the various signatures that apply to you.
The main benefit I see here is to do with the load on the FortiGate. If you don't have that deny rule at the top then the FGT will go through each firewall policy to look for a match before it denies it. If you have thousands of rules then that can put extra unnecessary load on the FGT.
By having the deny policy at the top it's the first check the FGT will do and block it before going through other policies.
That makes sense! but I have only 6 rules so I don't think it will hinder the performance.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1705 | |
1093 | |
752 | |
446 | |
230 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.