
Block Attacks Automatically After Several Attempts

I have a FortiGate 60B running firmware version 3.00-b0744 (MR7 Patch 6). I would like to know if there's a way to block an IP address automatically after the firewall blocks a number of hack attempts into my server. Basically, just like when you try to log into your firewall and fail 3 times, it temporarily blocks that IP address. I would like to do the same thing with hack attempts to my server that my firewall detected and blocked. Please let me know if there's a way to do this. Thanks
discoveryit
New Contributor

Upgrade to 4.0 and you can quarantine IPs for a time period.
FCNSP

Thank you discoveryit. Could you also kindly tell me where I would find information on quarantining the IPs so that I can see how to configure this when I upgrade to Version 4, please?
Carl_Wallmark
Valued Contributor

You will find it under: UTM -> Intrusion Prevention -> "Your IPS Sensor"

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C


OK, we have a 50B and a lot of DoS attacks... How can I change the block time? I would like to block the IP address for over 5 min. How can I do this?
Carl_Wallmark
Valued Contributor

If you have 4.00 firmware you can quarantine (block) the attacker for xxx minutes, or forever =)

To block DoS attacks you will have to use the CLI:

config firewall interface-policy

What firmware do you have?

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

billp
Contributor

Thanks. I was also interested in this :) Any way to detect multiple Remote Desktop attempts? Did not see any IPS sensor to detect that? Bill

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1

Carl_Wallmark
Valued Contributor

Do you mean to detect RDP attempts on port 3389? IPS is designed to detect intrusions, and a connection attempt is not an intrusion. However, you could create your own IPS signature to detect anything on port 3389, then you would have an RDP signature =)

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

billp
Contributor

Thanks. Understood. I wanted to detect and/or prevent brute-force RDP login attempts on the port. Didn't see a way of specifying how many login attempts per time period would be considered an intrusion. I'll see if I can figure out a better way to implement this by securing the port better.

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1
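
The "attempts per time period, then a timed block" logic discussed in this thread, sketched as log-side detection; this is an added example, not part of any post above and not FortiGate configuration. The key=value log lines and their field names are constructed for illustration, and the defaults (3 attempts, 300-second block) mirror the numbers mentioned in the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines; the field names are assumptions, not a vendor schema.
SAMPLE_LOG = """\
date=2014-05-01 time=10:00:00 srcip=203.0.113.7 dstport=3389
date=2014-05-01 time=10:00:05 srcip=198.51.100.4 dstport=3389
date=2014-05-01 time=10:00:10 srcip=203.0.113.7 dstport=3389
date=2014-05-01 time=10:00:15 srcip=203.0.113.7 dstport=443
date=2014-05-01 time=10:00:20 srcip=203.0.113.7 dstport=3389
date=2014-05-01 time=10:01:00 srcip=203.0.113.7 dstport=3389
date=2014-05-01 time=10:02:00 srcip=198.51.100.4 dstport=3389
date=2014-05-01 time=10:04:00 srcip=198.51.100.4 dstport=3389
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Split one key=value line into (timestamp, source IP, destination port)."""
    f = dict(KV.findall(line))
    ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
    return ts, f["srcip"], int(f["dstport"])

def quarantine_events(lines, port=3389, threshold=3, window=60, block=300):
    """Return [(srcip, blocked_from, blocked_until)] for each source that makes
    `threshold` connections to `port` within `window` seconds."""
    recent = defaultdict(deque)   # srcip -> timestamps still inside the window
    blocked_until = {}            # srcip -> end of the current quarantine
    events = []
    for line in filter(str.strip, lines):
        ts, src, dport = parse(line)
        if dport != port:
            continue              # only the watched service counts
        if src in blocked_until and ts < blocked_until[src]:
            continue              # already quarantined; do not re-count
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()           # slide the window forward
        if len(q) >= threshold:
            blocked_until[src] = ts + timedelta(seconds=block)
            events.append((src, ts, blocked_until[src]))
            q.clear()             # start counting afresh after the block
    return events

if __name__ == "__main__":
    for src, start, end in quarantine_events(SAMPLE_LOG.splitlines()):
        print(f"quarantine {src} from {start} until {end}")
```

The slow source (198.51.100.4) never reaches three attempts inside one 60-second window, so the threshold and window together decide what counts as brute force.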
