Blocking Private VPN IPs
We currently use Geoblocking to block access to external web servers from "unfriendly countries." This works quite well. However, we still receive a lot of malicious attacks from IPs from "friendly countries." The majority of these IPs originate from private VPN providers. Is there a way to block access from these IPs? Thanks.
Labels: FortiGate
If other legit accesses come from the same IPs, you obviously can't block them by "IPs" at the L3 level.
Toshi
Thanks. I would like a "Private VPN" object that Fortinet provides, similar to the Geoblock Country object list, that Fortinet provides now. This would allow us to block all access from Private VPN IPs; the list would be updated as part of the regular security updates.
You can also set up a threat feed:
https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/9463/threat-feeds
Salon Raj Joshi
I see a "VPN-Anonymous.VPN" category in the internet service list when I searched with the keyword "VPN".
https://www.fortiguard.com/search?q=VPN&engine=1&type=isdb
It says "VPN - Servers providing Anonymizing VPN service, such as NordVPN". If this is what you're looking for you can use it in the policy as a source address to block them.
Toshi
I do not have the option to create a new address object based on "Anonymizing VPN Service."
Looks like Fortinet used to have this option: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-incoming-traffic-from-anonymi...
The "Anonymous Proxy" option is no longer there.
Are you saying you can't see this in a policy?
By the way, if you're using a VIP for the web server and put a deny policy like this above the VIP policy, you need to enable "match-vip" as described in the KB:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-VIP-traffic-not-matching-the-firewal...
Toshi
We use a Netscaler to front the web servers now. So yes, we use "VIP," but on the Netscaler, not the Fortigate. The Netscalers are behind the Fortigate. If I try to add the way you illustrate in your screenshot, I receive a message "Source addresses/groups must have different IP versions than source Internet Services."
Of course my snippet was not "complete". I just showed how to add the "VPN" category. You have to finish all the config to match your environment, including the destination IP.
If it still doesn't work, share the screenshot with us.
Toshi
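A CLI version of what the thread describes, added here as an illustration and not taken from the thread or from Fortinet's documentation: a deny policy with the "VPN-Anonymous.VPN" internet service as its source, moved above the VIP/allow policy with match-vip enabled, plus an external threat feed used as a source address in a second deny policy. Interface names, the "webservers" address object, the feed URL and the policy IDs are placeholder assumptions.

```text
# Deny policy using the ISDB category as the source. Leave srcaddr unset:
# combining srcaddr with internet-service-src is what produces the
# "Source addresses/groups must have different IP versions" error.
config firewall policy
    edit 0
        set name "deny-anonymizing-vpn-inbound"
        set srcintf "wan1"
        set dstintf "dmz"
        set action deny
        set internet-service-src enable
        set internet-service-src-name "VPN-Anonymous.VPN"
        set dstaddr "webservers"
        set schedule "always"
        set service "ALL"
        set match-vip enable
        set logtraffic all
    next
end

# Placeholder feed of anonymizing VPN ranges (plain text, one IP/CIDR per line),
# re-fetched every 5 minutes. The feed name becomes a usable address object.
config system external-resource
    edit "anon-vpn-feed"
        set type address
        set resource "https://feeds.example.invalid/anon-vpn.txt"
        set refresh-rate 5
    next
end

config firewall policy
    edit 0
        set name "deny-anon-vpn-feed-inbound"
        set srcintf "wan1"
        set dstintf "dmz"
        set action deny
        set srcaddr "anon-vpn-feed"
        set dstaddr "webservers"
        set schedule "always"
        set service "ALL"
        set match-vip enable
        set logtraffic all
    next
    # Placeholder IDs: both deny policies must sit above the VIP allow policy.
    move 21 before 10
    move 22 before 10
end
```

Check the result with "show firewall policy" and confirm the deny entries appear before the VIP policy, since ordering, not the deny action itself, is what makes match-vip matter.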