Hi all,
I can find instructions to block certain IPs, but is there a way to ONLY allow traffic in from any location in the UK, i.e. so anything (and I mean anything) outside of the UK is blocked by default?
Thanks
Ian
That's very easy. One thing I can't figure out though (I'm assuming it's simple and I just can't think) is how do I set a policy to allow only traffic from here? Obviously I can block traffic from other countries by creating an address with a country in it and then selecting block, but I don't want to have to manually add all countries, so is there a way to set it to allow ONLY from this address? Do I have to create a group and manually add all the available countries?
Hi, yes, you can.
config firewall policy
edit 3
set srcaddr-negate enable
end
Also, remember that if you have VIPs these should also be included: set match-vip enable if you don't run 7.2.4, which has it enabled by default when a deny rule is created.
OP's statements were not clear about what kind of traffic is to be blocked. If you want to block, for example, VPN attempts to the FGT itself (traffic that terminates on the FGT rather than passing through it), you need to do this under "config firewall local-in-policy".
Toshi
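Pulling the two replies above together, here is an added worked example of the full configuration they describe: one geography address for the UK, a deny policy with srcaddr-negate and match-vip for inbound traffic through the FortiGate, the matching outbound deny with dstaddr-negate, and the local-in policy for traffic aimed at the FortiGate itself. This is not code posted in the thread. It assumes the WAN interface is "wan1", the LAN interface is "internal", the existing first policy has ID 1, and a FortiOS release that supports srcaddr-negate in local-in-policy; the policy IDs, names and interface names are placeholders.

```fortios
# Added example, not from the thread. Assumed names: wan1, internal, policy ID 1.

# 1. One geography address for the United Kingdom. FortiOS uses ISO 3166 codes,
#    so the UK is "GB" (Jersey, Guernsey and the Isle of Man are separate codes
#    and would need their own entries if you deal with them).
config firewall address
    edit "GEO-UK"
        set type geography
        set country "GB"
    next
end

# 2. Inbound: deny anything whose source is NOT in GEO-UK (srcaddr-negate).
#    match-vip makes the deny also apply to traffic destined for VIPs; it is
#    the default for deny rules from 7.2.4, so set it explicitly on older builds.
config firewall policy
    edit 3
        set name "DENY-INBOUND-NON-UK"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "GEO-UK"
        set srcaddr-negate enable
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set match-vip enable
        set logtraffic all
    next
    # 3. Outbound: deny anything whose destination is NOT in GEO-UK.
    edit 4
        set name "DENY-OUTBOUND-NON-UK"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "GEO-UK"
        set dstaddr-negate enable
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Deny rules are evaluated top-down, so move them above the existing
    # allow rules; everything below them then behaves as before for UK traffic.
    move 3 before 1
    move 4 before 1
end

# 4. Traffic terminating on the FortiGate (SSL-VPN, IPsec, admin GUI/SSH) is
#    not matched by firewall policies; it needs a local-in policy.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "GEO-UK"
        set srcaddr-negate enable
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action deny
    next
end
```

Two caveats before relying on this. First, the negate logic denies anything that is not classified as GB, which includes private ranges and any IP the FortiGuard geolocation database has no entry for, so a UK partner whose prefix is mis-geolocated needs an explicit allow above rule 3; you can check how a given IP is classified with `diagnose firewall ipgeo ip2country <ip>`. Second, rule 4 blocks client traffic to non-UK destinations including CDNs and cloud services hosted abroad, while the FortiGate's own FortiGuard, NTP and DNS traffic is local-out and is not affected by these policies.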
Thanks all,
It's ALL traffic we want to block, if that's possible without causing any issues. We don't deal with any location outside of the UK, so we would want all and everything not from the UK to be blocked. Would this just be easier to put in a simple deny rule and then add all the countries available except the UK?
As @Toshi_Esumi rightfully noted, you are not providing us enough information to recommend something. The block is to be made in Security rules/Local-in Policy/Web filtering/whatever, i.e. it can only be done in the context of your FortiGate configuration. "Block non-UK traffic without issues" is not a technical requirement; it is a wish which we cannot translate without additional info.
These are the questions to start with.
Ok, so:
1. I do want to block access to our internal resources which are accessible via any internet-facing IP on the router.
2. Yes, I'd like to block outbound to non-UK countries as well.
3. As regards specific ports: again, the requirement (if possible) is to block EVERYTHING, as there's no location inbound or outbound that we need to access or give access to outside of the UK, so it would be a complete block on anything in any direction on any port.
4. Yes, I "assume" this would be the only policy, so my goal is as you've said: block everything from non-UK and allow everything from UK.
Apologies if I've misunderstood this, as I thought it might be a simple case of putting a rule in to say "if it's not from the UK then block" (whether that's a rule with all the non-UK countries in it), otherwise proceed down the firewall rules, which it would then do normally?
Thanks
HTH
Copyright 2024 Fortinet, Inc. All Rights Reserved.