
Created on 02-09-2010 08:01 AM
Block China etc. Traffic
Hey
This is probably a stupid question but here goes...
Does anyone know of an easy way to explicitly block all traffic originating from China? Actually, I would like to block traffic coming from every country in Asia... I am sick and tired of looking at all of the garbage traffic which comes from that area of the world. Now I have Chinese IP addresses trying to attack my Fortigate via the SSH admin constantly. Honestly - I think that all of Asia should be permanently disconnected from the internet... I guess that would be pretty extreme but I am seriously irritated, lol.
I have a text file which contains all of the ip/netmask addresses for Asia. Is there any easy way to import them all into my Fortigate or do I have to manually enter every single one of them (which would be crazy)?
Thanks!
6 REPLIES
Hi,
I agree with you there, you have a couple of choices:
1. Create a script that will import them from a text file.
2. Upload a Bulk script from the GUI, but you will need to make a valid bulk config file and then it depends on what firmware you have.
But first of all, check the matrix of maximum numbers of addresses at docs.fortinet.com.
I don't think you will manage to upload every net from Asia, unless you can combine all addresses into big subnets ;)
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
"Honestly - I think that all of Asia should be permanently disconnected from the internet..."
Maybe Fortinet's CEO Ken Xie will not be happy with that idea.

regards
/ Abel
Sorry for the basic question: have you already set up a list of authorized IPs that can connect to your Fortinet as admin?
I have replaced the default 0.0.0.0/0 with my LAN address and a few public IP addresses that I trust, and no one else can connect via SSH or HTTPS to my Fortinet...
I just turned off all types of admin access on the WAN interface to deal with this. If I need to administer the device remotely I log into a server first. If it came to the point where I couldn't get into the network remotely because the device was actually down then I'd have to physically go to the office anyway...
I still would like to be able to block all types of traffic originating from Asia. I really don't care what anyone thinks of me for that. I have read about some other UTM devices which have the capability built right into them to simply check off blocking regions of the world.
I know the Sidewinder can block entire countries/regions. They also maintain a blacklist of bad IPs. Fortinet doesn't take this approach directly, but you can approximate the same function by using an address group and scripts, as stated earlier.
I've found Notepad++ works well for editing the .conf file and creating a script from it.
My guess is that Fortinet won't offer the "block a country" approach directly on their product since they sell so much overseas.
Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1
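The approach the first reply and Bill describe (turn the ip/netmask text file into a script that builds address objects and an address group, then deny on that group) can be generated rather than typed. This is an added example, not code from the thread or from Fortinet; it assumes one network per line in the text file, the interface names wan1 and internal, and the `set service "ALL"` spelling (older firmware may use ANY), and the sample ranges are constructed documentation prefixes.

```python
import ipaddress

# Constructed sample of the "ip/netmask" text file the poster describes;
# the ranges are documentation prefixes, not real allocations.
SAMPLE_RANGES = """\
# blank lines and comments are ignored
203.0.113.0/24
203.0.113.0/255.255.255.0
198.51.100.0/25
198.51.100.128/25
not-an-address
"""

def parse_ranges(text):
    """Parse one network per line (CIDR or ip/netmask), drop junk, and collapse duplicates and adjacent blocks into the fewest supernets."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.IPv4Network(line, strict=False))
        except ValueError:
            continue  # one bad line must not produce a broken script
    return list(ipaddress.collapse_addresses(nets))

def fortigate_script(nets, group="asia-block", srcintf="wan1", dstintf="internal"):
    """Emit FortiOS CLI: an address object per network, an address group, and a deny policy on it (interface names are assumptions)."""
    out, names = ["config firewall address"], []
    for net in nets:
        name = f"blk-{net.network_address}_{net.prefixlen}"
        names.append(name)
        out += [f'    edit "{name}"',
                f"        set subnet {net.network_address} {net.netmask}",
                "    next"]
    out += ["end", "config firewall addrgrp", f'    edit "{group}"',
            "        set member " + " ".join(f'"{n}"' for n in names),
            "    next", "end"]
    # "edit 0" lets the unit assign the next policy ID; policies match top-down,
    # so move this deny above any accept rules after loading it.
    out += ["config firewall policy", "    edit 0",
            f'        set srcintf "{srcintf}"', f'        set dstintf "{dstintf}"',
            f'        set srcaddr "{group}"', '        set dstaddr "all"',
            "        set action deny", '        set schedule "always"',
            '        set service "ALL"', "    next", "end"]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(fortigate_script(parse_ranges(SAMPLE_RANGES)), end="")
```

Check the address and group limits for your firmware before loading a list this size; collapsing adjacent blocks, as the first reply suggests, is what keeps the object count down.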
"My guess is that Fortinet won't offer the "block a country" approach directly on their product since they sell so much overseas."
I disagree with that; blocking a country's IPs could lead to a fake sensation of control or security. There are a lot of zombie IPs out there and many owners of those machines are not aware of it yet; if you detect that several IPs are allocated to ISPs belonging to my country, for example, do you block every bit of traffic originating in Argentina? Another point is that IP<->country records are not fully updated and could lead to wrong blocks; several carriers or big ISPs with global presence allocate blocks following their own criteria. An example of that is the <country>.blackholes.us lists as a tactic to fight spam. Finally, you can do what you want with your firewall; blocking everything and allowing a few networks is your call.
regards
/ Abel
