Hi Fortigate Gurus ;)
I d'like to block some "bad" sources. For that, I've added some addresses and georegions to a group and created a policy and ordered as first from wan1 to lan.
For example I d'like to block China
name : bad2lan srcintf : "wan1" dstintf : "internal" srcaddr : "bads" dstaddr : "all" rtp-nat : disable learning-mode : disable action : deny status : enable schedule : always schedule-timeout : disable service : "ALL" logtraffic : all logtraffic-start : disable session-ttl : 0 vlan-cos-fwd : 255 vlan-cos-rev : 255 wccp : disable groups : users : devices : natip : 0.0.0.0 0.0.0.0 diffserv-forward : disable diffserv-reverse : disable tcp-mss-sender : 0 tcp-mss-receiver : 0 comments : block-notification : disable custom-log-fields : tags : replacemsg-override-group: srcaddr-negate : disable dstaddr-negate : disable service-negate : disable captive-portal-exempt: disable ssl-mirror : disable ssl-mirror-intf : scan-botnet-connections: disable dsri : disable delay-tcp-npu-sessoin: disable send-deny-packet : disable match-vip : disable edit "bads" set member "geo_china" "geo_vietnam" "geo_korea" "geo_jordan" "geo_russia" "geo_indonesia" set comment "denied_sources"
edit "geo_china" set type geography set country "CN"
In the log I can see failed connection attemps denied by pollicyid 0
Message meets Alert condition date=2017-02-13 time=06:28:43 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=222.186.58.35 srcport=43658 srcintf="wan1" dstip=xxx.xxx.xxx.xxx dstport=9200 dstintf="internal" poluuid=7ff66d8c-d7d4-51e6-9e08-69176710693d sessionid=37228 proto=6 action=deny policyid=0 policytype=policy dstcountry="Switzerland" srccountry="China" trandisp=dnat tranip=xxx.xxx.xxx.xxx tranport=9200 service="" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel=high
I'm wondering why my deny policy won't work.
Any toughts?
Best regards,
Markus
________________________________________________________
--- NSE 4 ---
________________________________________________________
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Do you have VIPs that it could be coming through on? You have match-vip disabled so the rule wouldn't catch those.
Hi,
Are you sure it´s not getting blocked ?
The message says "action=deny"
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
Hi, thank you
Yes, it's get blocked but at least from the implicit deny policy (id 0) not from my policy that I've created.
Best,
Markus
________________________________________________________
--- NSE 4 ---
________________________________________________________
Do you have VIPs that it could be coming through on? You have match-vip disabled so the rule wouldn't catch those.
Hi Tanr
Yes, have a VIP. Enabled match-vip does the trick. Thank you.
________________________________________________________
--- NSE 4 ---
________________________________________________________
Glad that was helpful. You're welcome.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1712 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.