peter-supply
New Contributor

Blocking Private VPN IPs

We currently use Geoblocking to block access to external web servers from "unfriendly countries." This works quite well. However, we still receive a lot of malicious attacks from IPs from "friendly countries." The majority of these IPs originate from private VPN providers. Is there a way to block access from these IPs? Thanks.

Toshi_Esumi
SuperUser

If other legit accesses come from the same IPs, you obviously can't block it by "IPs" at L3 level.


Toshi

peter-supply
New Contributor

Thanks. I would like a "Private VPN" object that Fortinet provides, similar to the Geoblock Country object list that Fortinet provides now. This would allow us to block all access from Private VPN IPs; the list would be updated as part of the regular security updates.

sjoshi

You can also set up a threat feed:

https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/9463/threat-feeds

Let us know if this helps.
Salon Raj Joshi
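As an added illustration of the threat-feed suggestion (this is not from the reply above or from Fortinet's documentation), the following FortiOS CLI fragment defines an external IP address feed and uses it as the source of a deny policy. The feed name, the URL, the interface names and the destination address object are all assumed placeholders; the feed file itself is a plain-text list with one IP or subnet per line.

```fortios
# Added example: external IP threat feed used as a policy source.
# All names, URLs and interfaces below are placeholders, not values from the thread.
config system external-resource
    edit "Blocklist-Anonymous-VPN"
        set type address
        # Assumed URL; the file holds one IPv4 address or CIDR per line,
        # lines starting with '#' are ignored by FortiOS.
        set resource "https://feeds.example.invalid/vpn-exit-ips.txt"
        # Re-download interval in minutes
        set refresh-rate 5
    next
end

config firewall policy
    edit 0
        set name "Deny-Threat-Feed-VPN"
        set srcintf "wan1"
        set dstintf "dmz"
        # The external-resource name is usable directly as an address object
        set srcaddr "Blocklist-Anonymous-VPN"
        set dstaddr "Webserver-Frontend"
        set action deny
        set schedule "always"
        set service "HTTP" "HTTPS"
        # Log denied hits so the feed's effectiveness can be reviewed
        set logtraffic all
    next
end
```

Because the feed is refreshed from the URL on a schedule, keeping the list current becomes the feed provider's job rather than a manual edit on the firewall, which is the closest built-in equivalent to the "updated with security updates" object the original poster asked for.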
Toshi_Esumi
SuperUser

I see "VPN-Anonymous.VPN" category in the internet service list when I searched with a keyword "VPN".
https://www.fortiguard.com/search?q=VPN&engine=1&type=isdb
It says "VPN - Servers providing Anonymizing VPN service, such as NordVPN". If this is what you're looking for you can use it in the policy as a source address to block them.

Toshi

peter-supply

I do not have the option to create a new address object based on "Anonymizing VPN Service."

peter-supply

Looks like Fortinet used to have this option: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-incoming-traffic-from-anonymi...


The "Anonymous Proxy" option is no longer there.

Toshi_Esumi

Are you saying you can't see this in a policy?
[screenshot: AnonyVPN.png]


By the way, if you're using a VIP for the web server and put a deny policy like this above the VIP policy, you need to enable "match-vip" as described in the KB:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-VIP-traffic-not-matching-the-firewal...


Toshi
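As an added example, not taken from the screenshot or from Fortinet's documentation, here is the CLI form of the deny policy described above: the "VPN-Anonymous.VPN" Internet Service entry named earlier in the thread as the source, `match-vip` enabled so the policy also catches traffic destined for a VIP, and the policy moved above the existing allow rule. The interface names, the destination address object and the policy ID 5 of the existing VIP/allow policy are assumptions.

```fortios
# Added example: deny policy sourced from an ISDB category, placed above the VIP policy.
# Interfaces, destination object and the existing policy ID (5) are assumed placeholders.
config firewall policy
    edit 0
        set name "Deny-Anonymous-VPN"
        set srcintf "wan1"
        set dstintf "dmz"
        # ISDB entry as the only IPv4 source; no srcaddr is set on this policy
        set internet-service-src enable
        set internet-service-src-name "VPN-Anonymous.VPN"
        set dstaddr "Netscaler-Frontend"
        set action deny
        set schedule "always"
        set service "HTTP" "HTTPS"
        # Needed for a deny policy to match traffic that would otherwise hit a VIP
        set match-vip enable
        set logtraffic all
    next
    # Policy ID 0 above is replaced by the next free ID on creation; after noting it,
    # move the new policy ahead of the existing allow policy (assumed ID 5).
    # move <new-id> before 5
end
```

On the ordering: FortiGate evaluates policies top to bottom, so the deny rule is only effective when it sits above the policy that permits the web traffic. A `move <id> before <id>` inside `config firewall policy` does that from the CLI. The policy deliberately carries no `srcaddr` alongside the Internet Service source; my reading of the GUI message quoted later in the thread is that it rejects mixing address objects and Internet Service entries of the same IP version in one source field.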

peter-supply
New Contributor

We use a Netscaler to front the web servers now. So yes, we use "VIP," but on the Netscaler, not the FortiGate. The Netscalers are behind the FortiGate. If I try to add the way you illustrate in your screenshot, I receive a message "Source addresses/groups must have different IP versions than source Internet Services."

Toshi_Esumi

Of course my snippet was not "complete". I just showed how to add the "VPN" category. You have to finish all the config to match your environment, including the destination IP.
If it still doesn't work, share a screenshot with us.

Toshi
