Created on 01-02-2024 07:52 AM Edited on 02-26-2024 05:10 AM By Kate_M
Dear All,
I have to fulfil the following security policy on the FortiGate; just wondering what firewall policy I need to create in order to meet the security concern below? Any help would be appreciated.
Ensure firewall policy denying all traffic to/from Tor, maliciousserver, or scanner IP addresses using ISDB
Rationale:
FortiGate includes Tor or malicious server related IP address using ISDB. The idea is to
filter out malicious traffic using firewall policies as first level filtering. This is done without
involving more resource intensive processes such as IPS inspection, hence optimizing
FortiGate's performance.
Audit:
Go to "Policy & Objects".
Validate that there is a firewall policy created to block inbound connections from
sources named "Tor-Exit.Node", "Tor-Relay.Node", "Censys-Scanner", "ShodanScanner", and "Malicious-Malicious.Server" on "All" services.
Validate that there is a firewall policy created to block outbound connections to
destination named "Tor-Relay.Node" and "Malicious-Malicious.Server".
Remediation:
Review firewall policies and ensure there are:
1. A firewall policy created to block inbound connections with these settings:
From: Any
To: Any
Source: "Tor-Exit.Node", "Tor-Relay.Node", "Censys-Scanner", "ShodanScanner", and "Malicious-Malicious.Server"
Destination: all
Schedule: Always
Services: All
Action: Deny
Log Violation Traffic: Enabled
Enable this policy: Enabled
2. A firewall policy created to block outbound connections with these settings:
From: Any
To: Any
Source: All
Destination: "Tor-Relay.Node" and "Malicious-Malicious.Server"
Schedule: Always
Action: Deny
Log Violation Traffic: Enabled
Enable this policy: Enabled
Piaakit
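As an added worked example (not from the original post and not Fortinet's own documentation), here are the two benchmark policies expressed in FortiOS CLI; the policy names are assumed, and `Shodan-Scanner` is the ISDB entry name as listed on a FortiGate (the benchmark text above writes it without the hyphen).

```fortios
# Added example: ISDB-based deny policies matching the two benchmark items.
# ISDB names are case-sensitive; confirm each one exists under
# Policy & Objects > Internet Service Database before committing.
config firewall policy
    # 1. Block inbound connections from Tor / scanner / malicious sources.
    edit 0                       # 0 = assign the next free policy ID
        set name "Deny-ISDB-Inbound"     # assumed name
        set srcintf "any"
        set dstintf "any"
        set internet-service-src enable
        set internet-service-src-name "Tor-Exit.Node" "Tor-Relay.Node" "Censys-Scanner" "Shodan-Scanner" "Malicious-Malicious.Server"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set action deny
        set logtraffic all       # "Log Violation Traffic" for a deny policy
        set status enable
    next
    # 2. Block outbound connections to Tor relays and malicious servers.
    # With internet-service enabled the ISDB entry supplies the ports,
    # so no dstaddr/service lines are set on this policy.
    edit 0
        set name "Deny-ISDB-Outbound"    # assumed name
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set internet-service enable
        set internet-service-name "Tor-Relay.Node" "Malicious-Malicious.Server"
        set schedule "always"
        set action deny
        set logtraffic all
        set status enable
    next
end
```

Policies are evaluated top-down, so after creating them move both above the first allow policy (`config firewall policy` then `move <new-id> before <allow-id>`), otherwise an earlier accept rule will match the traffic first and the deny never fires.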
Based on the policy you posted, it seems like an attempt to block TOR and malicious traffic from entering the internal network. However, this policy might not have been effective because anyone attempting to access behind the firewall needs a configured VIP (Virtual IP) or a Virtual Server to reach the services behind the firewall. When someone tries to access the firewall, they only have the destination IP configured on the firewall, but the firewall doesn't know where to route the traffic, resulting in a match with the implicit deny policy.
Nevertheless, Policy 87 appears to be correctly configured to block inbound-to-outbound traffic.
Please update the thread if there is any confusion on my part in understanding the issue.
@piaakit1210 Based on the details and requirements, you can configure the firewall policy as you mentioned:
From: Any
To: Any
Source: All
Destination: "Tor-Relay.Node" and "Malicious-Malicious.Server"
Schedule: Always
Action: Deny
Log Violation Traffic: Enabled
Enable this policy: Enabled
For policy configuration, you can simply follow the documents below:
Basically a FGT functions this way:
It by default blocks everything that is not explicitly allowed by a policy.
This is done by the default Policy #0, which will match everything that is not matched by another policy before it.
So all you have to do is allow the traffic you want to allow, and everything else is blocked anyway.
Then probably apply some UTM profiles to filter even the allowed traffic.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams