Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
GTNman
New Contributor

Blocking IP address / domain ?

How do I go about blocking all traffic to the domain doubleclick.net ? I need to block the traffic being sent to ns1.doubleclick.net through ns4.doubleclick.net. Thanks.
5 REPLIES 5
UkWizard
New Contributor

This is done via the ' protection profile' feature, under the Firewall Menu. Change your outbound rule to use a protection profile (create one first if required). Create/Modify protection profile to enable the " URL block" under the " web filtering" sub option. Add the domains which you want to block in the WEB FILTER -> URL BLOCK menu. If you add " doubleclick.net" in there it will block the entire doubleclick domain. If you want to allow access to other parts, then add four entries for the ones you mentioned (ie ns1.doubleclick.net ..... etc) They will then be blocked for http. HOWEVER, to block all traffic, you would have to work out all the IP addresses for each of those and add a deny rule to specifically block them. If you do this, make sure the rule is at the top of RULEBASE POLICY.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
GTNman
New Contributor

Thanks. I was hoping there may have been a quicker way than defining every IP address in a policy. Will give it a shot.
UkWizard
New Contributor

There might be, if you do some lookups for the domains, you may be able to get there ip address range, and thus do one rule for there entire IP subnet.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
GTNman
New Contributor

Well, I had to manually enter all 4 of their IP' s. I could not do a subnet mask range because the IPs 3rd Octet was different on all of them. Everytime I tried to do a mask if would say it was an invalid range.
UkWizard
New Contributor

The entire doubleclick.net subnet is 216.73.80.0/255.255.240.0 using this would block the entire doubleclick company, if thats what you want.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors