Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mannemramesh
New Contributor

Block all traffic in or out from China

Hi Friends,

I am new to this forum. I have created a policy to block the traffic from China (and one of my remote location's IPs), as in the attached picture.

And I have moved the policy to the top of the sequence.

I have tested from my remote location; I am able to access the firewall's public IP and also the VPN.

So this policy is not working.

Can anyone help me write a correct policy to block traffic from a particular subnet or country?

Thanks

Ramesh

3 Replies
Nils
Contributor II

Your policy is saying that you are not allowed to access your internal interface subnets from China.

When you access your firewall you access the WAN interface, not the internal.

If you want to limit access to login to your firewall you'll do that in the Administrator "trusted hosts".

 

To limit access to SSLVPN you have to create a rule "From WAN to ssl.root" and the source must be the China Networks and then deny.

mannemramesh

Hi Nils,

Thanks for your response.

It worked.

 

Thanks

Ramesh

ede_pfau

In "Trusted Hosts", you can only specify a white list - hosts or subnets which you allow to access the management. If you want to set up a blacklist - addresses which you want to block - then you create a 'local-in' policy. Depending on the version of FortiOS, local-in policies are defined in the CLI only, or in the GUI.

Ede Kernel panic: Aiee, killing interrupt handler!
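Added example (not posted by anyone in this thread) showing, on the FortiOS CLI, the local-in policy approach Ede describes together with a geography address object, to cover both the management interfaces and the SSL VPN listener that Nils' reply addresses; the interface name wan1, the policy IDs and the 192.0.2.0/24 remote-site prefix are assumptions. A local-in policy matches traffic destined for the FortiGate itself, which is why the original WAN-to-internal deny policy never saw the test connections.

```text
# Geography address: source IPs that FortiGuard geolocates to China (ISO code CN)
config firewall address
    edit "Geo-China"
        set type geography
        set country "CN"
    next
end

# Address for the remote site mentioned in the question (placeholder prefix)
config firewall address
    edit "RemoteSite-Blocked"
        set subnet 192.0.2.0 255.255.255.0
    next
end

# Local-in policy: traffic from these sources to the firewall's own services
# on wan1 (HTTPS/SSH admin, SSL VPN portal) is dropped. Local-in policies are
# evaluated before the regular firewall policies, so no WAN-to-LAN rule is needed.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Geo-China" "RemoteSite-Blocked"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action deny
    next
end

# Log denied local-in traffic so the blocked attempts are visible for verification
config log setting
    set local-in-deny-unicast enable
end

# Review what is configured before testing from the remote site again
show firewall local-in-policy
```

Keep the Administrator "trusted hosts" allowlist in place as well; the local-in deny blocks the listed sources, while trusted hosts restricts admin login to the addresses you explicitly permit.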