Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
piaakit1210
New Contributor III

Firewall policy denying all traffic question

Dear All, 

 

             I have a to fulfil the security policy on the fortigate of the following, just wonder what firewall policy i need to create in order to meet below security concern ? any help would be appreicated 

 

Ensure firewall policy denying all traffic to/from Tor, maliciousserver, or scanner IP addresses using ISDB 

 

Rationale:
FortiGate includes Tor or malicious server related IP address using ISDB. The idea is to
filter out malicious traffic using firewall policies as first level filtering. This is done without
involving more resource intensive processes such as IPS inspection, hence optimizing
FortiGate's performance.
Audit:
Go to "Policy & Objects".
Validate that there is a firewall policy created to block inbound connections from
sources named "Tor-Exit.Node", "Tor-Relay.Node", "Censys-Scanner", "ShodanScanner", and "Malicious-Malicious.Server" on "All" services.
Validate that there is a firewall policy created to block outbound connections to
destination named "Tor-Relay.Node" and "Malicious-Malicious.Server".
Remediation:
Review firewall policies and ensure there are:
1. A firewall policy created to block inbound connections with these settings:
From: Any
To: Any
Source: "Tor-Exit.Node", "Tor-Relay.Node", "Censys-Scanner", "ShodanScanner", and "Malicious-Malicious.Server"
Destination: all
Schedule: Always
Services: All
Action: Deny
Log Violation Traffic: Enabled
Enable this policy: Enabled

 


2. A firewall policy created to block outbound connections with these settings:
Page 87
From: Any
To: Any
Source: All
Destination: "Tor-Relay.Node" and "Malicious-Malicious.Server"
Schedule: Always
Action: Deny
Log Violation Traffic: Enabled
Enable this policy: Enabled

 

Piaakit

1 Solution
maulishshah
Staff
Staff

@piaakit1210 ,

 

Based on the policy you posted, it seems like an attempt to block TOR and malicious traffic from entering the internal network. However, this policy might not have been effective because anyone attempting to access behind the firewall needs a configured VIP (Virtual IP) or a Virtual Server to reach the services behind the firewall. When someone tries to access the firewall, they only have the destination IP configured on the firewall, but the firewall doesn't know where to route the traffic, resulting in a match with the implicit deny policy.

 

Nevertheless, Policy 87 appears to be correctly configured to block inbound-to-outbound traffic.

 

Please update the thread if there is any confusion on my part in understanding the issue

Maulish Shah

View solution in original post

3 REPLIES 3
SAJUDIYA
Staff
Staff

@piaakit1210 Based on details and requirements , you can configured firewall policy as you mentioned,

From: Any
To: Any
Source: All
Destination: "Tor-Relay.Node" and "Malicious-Malicious.Server"
Schedule: Always
Action: Deny
Log Violation Traffic: Enabled
Enable this policy: Enabled

 

For policy configuration, you can simply follow below documents:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Creating-a-Deny-Policy-using-Internet-Serv...

TAC
maulishshah
Staff
Staff

@piaakit1210 ,

 

Based on the policy you posted, it seems like an attempt to block TOR and malicious traffic from entering the internal network. However, this policy might not have been effective because anyone attempting to access behind the firewall needs a configured VIP (Virtual IP) or a Virtual Server to reach the services behind the firewall. When someone tries to access the firewall, they only have the destination IP configured on the firewall, but the firewall doesn't know where to route the traffic, resulting in a match with the implicit deny policy.

 

Nevertheless, Policy 87 appears to be correctly configured to block inbound-to-outbound traffic.

 

Please update the thread if there is any confusion on my part in understanding the issue

Maulish Shah
sw2090
SuperUser
SuperUser

basically a FGT functions this way:

 

it per default blocks everything that is not explicitely allowed by policy.

This is done by default Policy #0 which will match everything that is not matched by annother policy before it.

So all you got to do is to allow the traffic you want to allow and everything else is blocked anyways.

Then probably apply some UTM profiles to even filter the allowed traffc.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors