Blocked networks do not work
Hi, a few weeks ago I started to receive attacks on all my servers NATed by Fortinet. I tried to block the attacking IPs or networks but it does not work; the IPs continue to attack and the Fortinet does not work.
You likely want to use local-in-policy if you do not want unwanted traffic hitting (or passing) your fgt's WAN(s) ports.
Here is an example:
    config firewall address
        edit "China-Country"
            set type geography
            set associated-interface "wan1"
            set country "CN"
        next
    end
    config firewall addrgrp
        edit "block-ingress-group"
            set member "China-Country"
        next
    end
    config firewall local-in-policy
        edit 1
            set intf "wan1"
            set srcaddr "block-ingress-group"
            set dstaddr "all"
            set service "ALL"
            set schedule "always"
        next
    end
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Can this configuration be done via the web, or is it only by console?
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/363127/local-in-policies
As in the doc, local-in-policy is via CLI only.
CLI only. The link in my post is for 6.0; Toshi posted the link for 6.2. Edit: both give more or less the same info.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
If you're wondering why your original policy didn't block traffic it is because for any WAN to LAN policies where NAT is involved the destination MUST be either a VIP (i.e. must match the VIPs used in the Allow rule's destination that are below this Deny rule), or if you want to keep the destination as "all" you must specify "set match-vip enable" in the deny policy via command line.
https://kb.fortinet.com/kb/documentLink.do?externalID=FD33338
Using Local-In-Policies is a valid way to block too as mentioned above, but this is how you can get your original policy working if you prefer.
Russ
NSE7
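As an added illustration of the point in the reply above (this is not config from the thread or from Fortinet's documentation), here is a deny rule for NATed servers that actually matches because it sets match-vip enable, placed above the allow rule that references the VIP. Interface names wan1/lan, the policy IDs, the object names and the RFC 5737 addresses are assumed placeholders; replace them with your own.

```fortios
# Added example, not from the thread. Placeholder names and addresses throughout.
# VIP that NATs the public address of a server to its internal address.
config firewall vip
    edit "web-srv-vip"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.0.0.10"
    next
end
# Address object for the source you want to deny (placeholder range).
config firewall address
    edit "attacker-net"
        set subnet 198.51.100.0 255.255.255.0
    next
end
config firewall policy
    # Deny rule: dstaddr stays "all", so match-vip is required for it to
    # catch traffic destined to the VIP. logtraffic all records the denies.
    edit 10
        set name "deny-attacker-to-nated-servers"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "attacker-net"
        set dstaddr "all"
        set match-vip enable
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Allow rule whose destination is the VIP itself.
    edit 20
        set name "allow-web-to-vip"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "web-srv-vip"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
    # If the allow rule already existed, move the deny above it; order matters.
    move 10 before 20
end
```

To confirm the deny is hit, filter the debug flow on the source address (diagnose debug flow filter saddr, then diagnose debug flow trace start) and check that the trace reports policy 10 denying the packet rather than policy 20 accepting it.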
