We currently use Geoblocking to block access to external web servers from "unfriendly countries." This works quite well. However, we still receive a lot of malicious attacks from IPs from "friendly countries." The majority of these IPs originate from private VPN providers. Is there a way to block access from these IPs? Thanks.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
If other legit accesses come from the same IPs, you obviously can't block it by "IPs" at L3 level.
Toshi
Thanks. I would like a "Private VPN" object that Fortinet provides, similar to the Geoblock Country object list, that Fortinet provides now. This would allow us to block all access from Private VPN IPs; the list would be updated as part of the regular security updates.
You can also setup threat feed
https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/9463/threat-feeds
I see "VPN-Anonymous.VPN" category in the internet service list when I seached with a keyword "VPN".
https://www.fortiguard.com/search?q=VPN&engine=1&type=isdb
It says "VPN - Servers providing Anonymizing VPN service, such as NordVPN". If this is what you're looking for you can use it in the policy as a source address to block them.
Toshi
I do not have the option to create a new address object based on "Anonymizing VPN Service."
Looks like Fortinet used to have this option: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-incoming-traffic-from-anonymi...
The "Anonymous Proxy" option is no longer there.
Are you saying you can't see this in a policy?
By the way, if you're using a VIP for webserver then put a deny policy in like this above the VIP policy, you need to enable "match-vip" as described in the KB:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-VIP-traffic-not-matching-the-firewal...
Toshi
We use a Netscaler to front the web servers now. So yes, we use "VIP," but on the Netscaler, not the Fortigate. The Netscalers are behind the Fortigate. If I try to add the way you illustrate in your screenshot, I receive a message "Source addresses/groups must have different IP versions than source Internet Services."
Of course my snippet was not "complete". I just showed how to add the "VPN" category. You have to finish all config to match your environment including the destination IP.
If still doesn't work, share us the screenshot.
Toshi
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.