Support Forum
kkeane
New Contributor

Blocking a list of IP addresses?

FortiOS 5.2.2 on an FWF40


I'm looking for a way to block a fairly large, and dynamic, list of IP addresses, managed from the CLI. There will probably be 1000 or more individual IP addresses, in various places all over the Internet. The use case is that I want to use the denyhosts script on my Linux servers to detect brute-force attempts, and block the IP addresses it collects not just within the server, but at the FortiGate level.


With a small and static list of IP addresses, this is of course fairly straightforward:

- config firewall address for each of the addresses

- config firewall addrgroup and add each of the addresses to the group

- config firewall policy to deny all traffic from that group.


I don't think this approach scales well to a large list of IP addresses, nor does it lend itself to frequent updates.

Is there a better way I could accomplish the same thing?


1 Solution
Dave_Hall
Honored Contributor

Use the search feature at the top of this page -- you should be able to find some posts involving scripting a solution to what you are requesting.   Keep in mind that there is a hard-coded limit to the number of firewall addresses/address groups that you can create. 


Considering you are using an FWF40, you may run into performance issues -- you may want to look into other means to block unwanted IP addresses, including setting up trusthost admin access, allowaccess on the interface, blocking IP by country region (geography), and local-in-policy.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
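The address-object, address-group and deny-policy procedure from the question, together with the local-in-policy alternative Dave_Hall mentions, scripted end to end as an added example. This is not code from either poster or from Fortinet; it is one way to generate a FortiOS 5.2 CLI script from the hosts.deny file that denyhosts maintains. Note the CLI table is `config firewall addrgrp`, not `addrgroup`. The interface names `wan1`/`internal`, the `dh_` object prefix, the group name, the fixed policy IDs and the 500-object cap are all assumptions for illustration; the real object limit is model-specific, so check it for the FWF40 before settling on a cap.

```python
"""Turn a denyhosts hosts.deny file into a FortiOS 5.2 CLI script.

Added example, not from the forum thread. denyhosts writes lines such as
"sshd: 198.51.100.23" to /etc/hosts.deny. This parses them, drops ranges that
must never be blocked at the edge, and renders one address object per IP, one
address group, a local-in policy (traffic to the FortiGate itself) and a forward
policy (traffic through it). Names, IDs and the cap are assumptions.
"""
import ipaddress
import re

# Constructed sample in denyhosts' hosts.deny format (documentation addresses, not real data).
SAMPLE_HOSTS_DENY = """\
# DenyHosts: Mon Jan  5 10:00:00 2015 | sshd: 198.51.100.23
sshd: 198.51.100.23
# DenyHosts: Mon Jan  5 10:05:00 2015 | sshd: 203.0.113.9
sshd: 203.0.113.9
ALL: 203.0.113.9
sshd: 10.0.0.5
sshd: not-an-ip
sshd: 2001:db8::1
"""

_LINE_RE = re.compile(r"^\s*\w+\s*:\s*([0-9A-Fa-f:.]+)\s*$")

# Blocking LAN, loopback, link-local or multicast space because of a bad
# hosts.deny entry is a self-inflicted outage, so these are always skipped.
_NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def parse_hosts_deny(text):
    """Return deduplicated public IPv4 addresses (as strings) in first-seen order."""
    found = []
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.split("#", 1)[0])
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        if ip.version != 4 or any(ip in net for net in _NEVER_BLOCK):
            continue  # IPv6 would need its own objects; unroutable/LAN space is skipped
        if str(ip) not in found:
            found.append(str(ip))
    return found


def fortios_block_script(ips, group="denyhosts_blocklist", wan="wan1",
                         lan="internal", local_in_id=1, policy_id=99, max_objects=500):
    """Render the CLI script. Returns (script, skipped): addresses beyond
    max_objects are left out so a runaway list cannot exhaust the object table."""
    ips = list(ips)
    kept, skipped = ips[:max_objects], ips[max_objects:]
    if not kept:
        raise ValueError("FortiOS rejects an address group with no members")
    names = ['"dh_%s"' % ip for ip in kept]
    lines = ["config firewall address"]
    for ip, name in zip(kept, names):
        lines += ["    edit %s" % name,
                  "        set type ipmask",
                  "        set subnet %s 255.255.255.255" % ip,
                  "    next"]
    lines.append("end")
    # 'set member' replaces the whole list, so re-running with a fresh
    # hosts.deny re-synchronises the group in one step.
    lines += ["config firewall addrgrp",
              '    edit "%s"' % group,
              "        set member " + " ".join(names),
              "    next",
              "end"]
    # Fixed IDs (assumed unused) so re-runs update the same entries in place.
    lines += ["config firewall local-in-policy",
              "    edit %d" % local_in_id,
              '        set intf "%s"' % wan,
              '        set srcaddr "%s"' % group,
              '        set dstaddr "all"',
              "        set action deny",
              '        set service "ALL"',
              '        set schedule "always"',
              "    next",
              "end"]
    lines += ["config firewall policy",
              "    edit %d" % policy_id,
              '        set srcintf "%s"' % wan,
              '        set dstintf "%s"' % lan,
              '        set srcaddr "%s"' % group,
              '        set dstaddr "all"',
              "        set action deny",
              '        set schedule "always"',
              '        set service "ALL"',
              "        set logtraffic all",
              "    next",
              "end"]
    return "\n".join(lines) + "\n", skipped


if __name__ == "__main__":
    script, skipped = fortios_block_script(parse_hosts_deny(SAMPLE_HOSTS_DENY))
    print(script)
    if skipped:
        print("# %d addresses not included (object cap reached)" % len(skipped))
```

Feed the output to the unit over SSH (for example `ssh admin@<fortigate> < blocklist.txt`) from a cron job that runs after denyhosts updates hosts.deny. Two caveats follow from how the CLI works: a deny policy only helps if it sits above the allow rules for the same interface pair, so move it once with `move <id> before <id>`; and `set member` drops addresses from the group but does not delete the now-unreferenced address objects, so a separate cleanup pass is needed or the object count grows until the hard-coded limit is hit. For the management plane itself, trusthost on the admin accounts and a tight allowaccess list on the WAN interface remain the cheaper first step, since they need no per-attacker objects at all.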

kkeane
New Contributor

I tried the search first, of course, but didn't find anything to answer my question.

Agreed re. there being a performance penalty (and also the probability that there is a limit on the number of objects FortiOS can handle). That's what I had in mind when I was concerned about scalability. I was hoping for something like Linux's ipset, which was created specifically to address those issues within iptables.


In any case, thank you for your reply!
