JuanPabloPWR
New Contributor

Blocked networks do not work

Hi, a few weeks ago I started to receive attacks on all my servers NATed by the FortiGate. I tried to block the attacking IPs or networks, but it does not work: the IPs continue to attack and the FortiGate does not stop them.

1 Solution
Dave_Hall
Honored Contributor

You likely want to use local-in-policy if you do not want unwanted traffic hitting (or passing) your fgt's WAN(s) ports. 

Here is an example:

config firewall address
    edit "China-Country"
        set type geography
        set associated-interface "wan1"
        set country "CN"
    next
end
config firewall addrgrp
    edit "block-ingress-group"
        set member "China-Country"
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "block-ingress-group"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action deny
    next
end

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

JuanPabloPWR

Can this configuration be done via the web, or is it only by console?

Toshi_Esumi

Dave_Hall

CLI only - The link in my post is for 6.0.  Toshi posted the link for 6.2.  Edit: but both give more-or-less the same info.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
TecnetRuss

If you're wondering why your original policy didn't block traffic, it is because for any WAN-to-LAN policies where NAT is involved the destination MUST be either a VIP (i.e. it must match the VIPs used in the Allow rule's destination that sits below this Deny rule), or, if you want to keep the destination as "all", you must specify "set match-vip enable" in the deny policy via the command line.

 

https://kb.fortinet.com/kb/documentLink.do?externalID=FD33338

 

Using Local-In-Policies is a valid way to block too as mentioned above, but this is how you can get your original policy working if you prefer.

 

Russ

NSE7
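Added example, not code from the thread or from Fortinet: a small Python checker for the pitfall TecnetRuss describes. It parses a constructed FortiOS config (policy IDs 10 and 20, the objects "attacker-net" and "web-vip", and the addresses are all made up for the example), flags any deny policy with dstaddr "all" that sits above an accept policy whose destination is a VIP without `set match-vip enable`, and emits the CLI needed to fix it. The parser covers only the CLI subset the check needs (config / edit / set / next / end); nested sub-tables and other tables are skipped.

```python
"""Lint FortiOS firewall policies for the deny-above-VIP pitfall.

Added example, not Fortinet code. A deny policy with dstaddr "all" placed above
an accept policy whose destination is a VIP does not match the NATed traffic
unless the deny policy also has `set match-vip enable`.
"""
import shlex

TABLES = ("firewall vip", "firewall policy")

# Constructed sample (hypothetical IDs, names and addresses): attacker block above a published server.
SAMPLE_WEAK = """\
config firewall vip
    edit "web-vip"
        set extip 198.51.100.10
        set mappedip "10.0.0.10"
    next
end
config firewall policy
    edit 10
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "attacker-net"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
    next
    edit 20
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "web-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
"""

# Same config with the fix from the thread applied to the deny policy.
SAMPLE_FIXED = SAMPLE_WEAK.replace(
    "        set action deny\n", "        set action deny\n        set match-vip enable\n")


def parse_fortios(text):
    """Return {'vips': set of VIP names, 'policies': [{id, settings}, ...] in file order}."""
    vips, policies = set(), []
    stack, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if tokens[0] == "config":
            stack.append(" ".join(tokens[1:]))
            continue
        if tokens[0] == "end":
            stack.pop()
            continue
        if len(stack) != 1 or stack[0] not in TABLES:
            continue  # other tables and nested sub-tables are ignored
        if tokens[0] == "edit":
            current = {"id": tokens[1], "settings": {}}
        elif tokens[0] == "set" and current is not None:
            current["settings"][tokens[1]] = tokens[2:]
        elif tokens[0] == "next" and current is not None:
            if stack[0] == "firewall vip":
                vips.add(current["id"])
            else:
                policies.append(current)
            current = None
    return {"vips": vips, "policies": policies}


def _intf_overlap(a, b):
    """Two interface lists can see the same traffic if they share a name or use 'any'."""
    return "any" in a or "any" in b or bool(set(a) & set(b))


def find_unmatched_denies(cfg):
    """List (deny_id, accept_id, vip_names) where the deny cannot shield the later accept."""
    findings, pols = [], cfg["policies"]
    for i, deny in enumerate(pols):
        d = deny["settings"]
        if d.get("action", ["deny"]) != ["deny"]:  # action defaults to deny
            continue
        if d.get("dstaddr") != ["all"] or d.get("match-vip") == ["enable"]:
            continue
        for acc in pols[i + 1:]:  # only policies evaluated after the deny matter
            a = acc["settings"]
            if a.get("action", ["deny"]) != ["accept"]:
                continue
            vip_dsts = [x for x in a.get("dstaddr", []) if x in cfg["vips"]]
            if vip_dsts and _intf_overlap(d.get("srcintf", []), a.get("srcintf", [])):
                findings.append((deny["id"], acc["id"], vip_dsts))
    return findings


def remediation_cli(policy_id):
    """CLI for the fix: keep dstaddr 'all' on the deny policy and enable match-vip."""
    return (f"config firewall policy\n    edit {policy_id}\n"
            "        set match-vip enable\n    next\nend")


if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK), ("fixed", SAMPLE_FIXED)):
        for deny_id, acc_id, vips in find_unmatched_denies(parse_fortios(text)):
            print(f"[{label}] deny policy {deny_id} will not match traffic to {vips} "
                  f"accepted by policy {acc_id}; apply:\n{remediation_cli(deny_id)}")
```

Feed it the output of `show firewall vip` and `show firewall policy` pasted into one text. A deny policy that already names the VIP as its destination (the first alternative in the post above) is not flagged, since its dstaddr is not "all".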
