Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
philv
New Contributor

Block external IP addresses

Dear Techies, I'm new to Fortigate and new to the forum. Anyway, I have a problem configuring policies for blocking unwanted access from some external/malicious IP addresses. Here's what I did. == GBSP-FW1 # sh firewall policy 103 config firewall policy     edit 103         set name "WAN to LAN"         set uuid 76f191b8-5c56-51e9-9c22-4672edcc21a6         set srcintf "wan1_outside-interface" "wan2_outside-interface"         set dstintf "port1_inside-interface"         set srcaddr "GROUP-Block-Countries"         set dstaddr "all"         set schedule "always"         set service "ALL"         set logtraffic all         set fsso disable     next end Action is set to "DENY" (through the GUI) Log Violation Traffic - enabled Enable this policy - enabled == With in the "GROUP-Block-Countries" group. config firewall address     edit "BC - China"         set uuid cd09f5ba-5c54-51e9-a7ac-48d279294f0c         set type geography         set color 25         set country "CN"     next     edit "BC - Russia"         set uuid f5fb6106-5c55-51e9-2946-f2aba7123c50         set type geography         set color 25         set country "RU"     next     edit "BC - South Korea"         set uuid 6a6eb5b4-5c57-51e9-3125-870fd87fe86a         set type geography         set color 25         set country "KR"     next     edit "BC - Ecuador"         set uuid 9d6540b4-5c61-51e9-0b4a-1148a4f24cdb         set type geography         set color 25         set country "EC"     next     edit "BC - United Kingdom - 81.94.192.0/20"         set uuid 366a8746-5c63-51e9-72f7-2d7cee735d2f         set color 25         set subnet 81.94.192.0 255.255.240.0     next     edit "BC - United States - 70.224.0.0/17"         set uuid f47650fc-5c64-51e9-5bec-3ce96a95b35c         set color 25         set subnet 70.224.0.0 255.255.128.0     next     edit "BC - United States - 137.139.0.0/16"         set uuid b4eb494e-5c67-51e9-42ac-36d9851b84e2         set color 25         set subnet 137.139.0.0 255.255.0.0     next     edit "BC - United States - 21.0.0.0/8"         set uuid b4f7fd92-5c67-51e9-94eb-798bb2186b0d         set color 25         set subnet 21.0.0.0 255.0.0.0     next end ==   I have put the policy at the very top of the list. However, when I try accessing FortiGate from a blocked IP address (from home), I can still can ping, and get through and no traffic were recorded to the policy log. Am I missing any steps or is there any other way?  Any help would be appreciated. Thank you guys.   Fortigate 100E v6.0.3 build0200 (GA)  
14 REPLIES 14
philv
New Contributor

I finally see Local In Policy I see the following: Administrative access Authentication and more...   However, I don't see where I can edit the local-in policy, as you mentioned.

Remember, I'm new to Fortinet firewalls. What is the next step? Do I use CLI commands? And if so, can someone display how to use Local In policy to block external IP address using Block_Countries_In address group?

 

Thanks
ede_pfau

config firewall local-in-policy
    edit 3
        set intf "wan1"
        set srcaddr "Kabelnetz"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
    next
    edit 1
        set intf "wan1"
        set srcaddr "VPN_origin_countries"
        set dstaddr "all"
        set action accept
        set service "IKE"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "IKE"
        set schedule "always"
    next
end

Here is an example of local-in DENY policies.

1) I deny all connections from "Kabelnetz" which is 37.0.0.0/8.

2) I allow IPsec traffic from _some_ countries, and

3) block it from all other countries.

 

Whitelisting was easier in my case.

Contrary to regular policies, you cannot negate addresses in local-in policies.

Use "set comment" to your liking.

 

You will have to use CLI to define your own local-in policies, and they don't show up in the GUI. (Another feature request...)

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
philv
New Contributor

I've entered the following:

FORTINET1 # sh firewall local-in-policy     config firewall local-in-policy     edit 1         set intf "wan1"         set srcaddr "VPN_Allow_Countries"         set dstaddr "all"         set action accept         set service "IKE"         set schedule "always"     next     edit 2         set intf "wan1"         set srcaddr "all"         set dstaddr "all"         set service "IKE"         set schedule "always"     next     edit 3         set intf "wan1"         set srcaddr "Block_Countries_In"         set dstaddr "all"         set service "ALL"         set schedule "always"     next end FORTINET1 # FORTINET1 #

It seems to be working so far.

 

Is there a way, to view this in the "Log & Reports"?

 

Thanks

 

 

 

TheAnalogKid
New Contributor

Well, boys, I'm up a creek. I've pored over this thread and it's not working.

 

I've created GEO and IP range groups to block traffic hitting my WAN from CN and Soviet Russia. I've copied and pasted, setting srcint to WAN and dstint to LAN. I set srcaddr to "Block_Countries_In" and several other addresses I created and dstaddr to all.

I put in all the commands suggested by seadave (although I am running 5.2, so it did not take "internet-service disable" or "learning-mode disable").

 

I put in "set match-vip enable" as TecnetRuss suggested, because "destination = any won't work unless you use the "set match-vip enable" setting as shown in SeaDave's config," as he said.

 

I enabled the policy and put it at #1.

 

 

And despite it all, I still get this.

 

 

Some asswipe in China is still trying to get in. My firewall policy, alas, is a miserable failure. He is probably laughing at me.

 

Why can't I manage to block 1 measly IP address? It's clearly stated in my firewall policy, right there, at #1. Will anyone spare me this shame and embarassment?

ede_pfau

Traffic to the FGT itself is controlled by 'Local In' policies, not the regular firewall policies.

Show us what you've configured, from CLI (as text), i.e. "config firewall local-in-policy".

 

Second, do you use VIPs on your WAN interface at all?

 

BTW, you could edit your last post and upload a picture...my mouse gets lame from scrolling...

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors