BAN IP LIST

wismail · ‎04-05-2023

So I am seeing lots of scanning and trials to connect from different countries across the globe.

All has been denied by the explicit deny policy "0" on the Fortigate. however, after few searches I was recommended to create External IP threat feed and add it a deny rule to ban these IPs.

So, I am seeing the same behavior but instead of being blocked by Policy"0" it is being blocked by the new deny policy. so I don't understand what the point is of doing that instead of letting the explicit deny policy "0" handle it.

Your feedback is appreciated.

Wael Ismail

gfleming · ‎04-06-2023

You don't need to use the external IP threat feed. You use the IPS signature to detect when someone is port scanning or brute forcing or otherwise and the firewall will automatically quarantine that IP address and prevent it from making any more connections.

It's all documented here: https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/583477/configuring-an-ips-se...

Look at "rate-based" settings and "quarantine" options for the various signatures that apply to you.

Cheers,
Graham

View solution in original post

gfleming · ‎04-05-2023

To be honest I do not see the benefit, either. Unless you want to turn off logging on the Blacklisted policy to free up your logs from known stuff that you don't care to track?

Alternatively you can leverage IPS rules to automatically quarantine these IPs so they no longer are able to initiate connections—they will be blocked and no longer creating FW logs.

Cheers,
Graham

wismail · ‎04-05-2023

Thanks for confirming. however, creating an IPS custom signature is not an easy job.

I wish that there was an option to create quarantine rule based on IP list and that's it.

Wael Ismail

gfleming · ‎04-05-2023

There are predefined IPS signatures for this already. Port Scanning, Brute Force login attempts, etc. You just need to edit the action to quarantine and adjust the values before an IP gets quarantined..

Cheers,
Graham

wismail · ‎04-05-2023

Do you have a link to guide or Something. it is quite confusing, in the table of "PortScanning" the action says "Pass" and in the main Action "Block, Monitor, reset, Quarantine"
also how do I make use of these external IP threat Feed!?

Wael Ismail

gfleming · ‎04-06-2023

You don't need to use the external IP threat feed. You use the IPS signature to detect when someone is port scanning or brute forcing or otherwise and the firewall will automatically quarantine that IP address and prevent it from making any more connections.

It's all documented here: https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/583477/configuring-an-ips-se...

Look at "rate-based" settings and "quarantine" options for the various signatures that apply to you.

Cheers,
Graham

amouawad · ‎04-05-2023

The main benefit I see here is to do with the load on the FortiGate. If you don't have that deny rule at the top then the FGT will go through each firewall policy to look for a match before it denies it. If you have thousands of rules then that can put extra unnecessary load on the FGT.

By having the deny policy at the top it's the first check the FGT will do and block it before going through other policies.

wismail · ‎04-05-2023

That makes sense! but I have only 6 rules so I don't think it will hinder the performance.

Wael Ismail