Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor II

Blocking by region and stopping attempted logins

I have many corporate Fortinet firewalls in play, but finally just went and bought one for myself (a 60e, great for home internet and labs) so am posting with my personal acct - and am seeing the following weird issue.  


I have created an address group blocking a number of countries (Russia and China primarily, seeing attempted connectoin attempts from various IP's).


While I do 'allow' SSH on wan1, the administrator super_admin and my acct profile_admin are only allowed from certain IP ranges (my inside subnets and the VPN DHCP range I hand out when I connect to my own network from outside) so that's already fairly locked down.

I am seeing logs denying 'admin' by blocked IP because it falls outside trustedhosts range, but if the bots try any other account (that does NOT exist on the Fortinet) it allows the connection to try passwords and then of course fails because there's no such account. 


I have created a deny policy referencing the regions and put wan1/wan1 as the from/to because this isn't hitting a VIP, it's just SSH attempts to wan1. 

Screenshot from 2024-03-12 17-19-34.png

Screenshot from 2024-03-12 17-07-11.png
yes, despite being policy #7, it's ordered to the top of the list so it's the first policy processed when traffic hits wan1

Screenshot from 2024-03-12 17-18-45.png

What I was hoping would happen here is that the policy would deny even the attempted connection from source IP's that match the regions and my address group BEFORE allowing the SSH connection and attempting authentication.  I have tested this from another static IP that I added to the group and the hitcount does not increase (show matching logs shows nothing hitting the policy at all)

What's happening here where a bad acct can attempt to log in from a region blocked IP but a known acct filters based on the trustedhosts?


These are slow attempts, maybe a few to up to a dozen a day, so definitely not killing my bandwidth, stressing the firewall, or causing any disruptions, but I would still want to deny ANY connections from those regions.


Looking for advice and guidance here. 



1 Solution

Hi @FractalSphere,


Do you have trusted hosts configured for all admin accounts? You can use local-in-policy to block incoming connections to the FortiGate. Please refer to



View solution in original post

New Contributor

While you've restricted SSH access to certain IP ranges for specific accounts, you're still seeing login attempts for non-existent accounts from blocked IPs of Wwe 2k14. You might want to consider implementing additional security measures like rate limiting or intrusion detection to further protect your network.


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors