How to block a certain port or IP address from being accessed by an internal IP (the correct way)?
Anyone,
I have blocked a certain IP and a certain port by using firewall policies, but it seems it doesn't work. Can anyone show me step by step how to configure this?
Fortigate 200 MR9
System Engineer cum Network Engineer
Fortigate-200 2.80,build456,050704
First make sure all 'deny' rules are at the top of the rulebase, with allows at the bottom. If you already have this, then:
You may be falling into the 'netmask' trap that a lot of people do.
The key to remember is that, by default, when adding a network object the mask is for an entire subnet (255.255.255.0). So if you create a HOST object with your local IP, ensure it has a HOST subnet mask, NOT the local LAN subnet mask.
For example, to block host IP 192.168.1.1 (called pc1) from HTTP'ing (port 80) outwards, you would do the following:
Create a new internal network address with the following settings;
NAME=pc1 IP=192.168.1.1 MASK=255.255.255.255
Then create a rule at the TOP of the INT -> EXT rulebase saying:
SOURCE=pc1 DESTINATION=External_All SERVICE=HTTP ACTION=DENY
This will effectively block all outbound traffic to port 80 when it comes from this ip address.
Hope this helps
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
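The two mistakes the reply describes (an address object left with the default /24 mask, and a deny rule placed below a broad allow) can both be demonstrated with a small first-match rulebase simulation. The following is an added example written for this thread, not FortiGate code and not the replier's configuration; the address names and the generic top-to-bottom, first-match, implicit-deny evaluation are assumptions chosen to mirror the pc1 example above.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AddressObject:
    """A firewall address object: a name plus an IPv4 network (/32 for one host)."""
    name: str
    network: ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    """One rulebase entry: source object, matched destination port (None = any), action."""
    source: AddressObject
    service_port: Optional[int]
    action: str  # "allow" or "deny"


def address(name: str, ip: str, mask: str) -> AddressObject:
    """Build an address object from dotted IP and dotted mask, as a firewall GUI would."""
    return AddressObject(name, ipaddress.IPv4Network(f"{ip}/{mask}", strict=False))


def evaluate(rules: List[Rule], src_ip: str, dst_port: int) -> str:
    """First-match evaluation: walk the rulebase top to bottom and return the
    action of the first rule whose source and service match; implicit deny at the end."""
    ip = ipaddress.IPv4Address(src_ip)
    for rule in rules:
        port_ok = rule.service_port is None or rule.service_port == dst_port
        if ip in rule.source.network and port_ok:
            return rule.action
    return "deny"


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never match because an earlier rule covers a
    superset of their source network and service (e.g. a deny below a broad allow)."""
    shadowed = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            covers_source = rule.source.network.subnet_of(earlier.source.network)
            covers_service = earlier.service_port in (None, rule.service_port)
            if covers_source and covers_service:
                shadowed.append(i)
                break
    return shadowed


# Constructed sample objects (assumed LAN 192.168.1.0/24, as in the thread's example).
INTERNAL_ALL = address("Internal_All", "192.168.1.0", "255.255.255.0")
PC1_HOST = address("pc1", "192.168.1.1", "255.255.255.255")   # correct HOST mask
PC1_TRAP = address("pc1", "192.168.1.1", "255.255.255.0")     # default mask left in place


def correct_rulebase() -> List[Rule]:
    """Deny for the single host at the top, general allow below it."""
    return [Rule(PC1_HOST, 80, "deny"), Rule(INTERNAL_ALL, None, "allow")]


def netmask_trap_rulebase() -> List[Rule]:
    """Same ordering, but the 'host' object still carries the /24 default mask."""
    return [Rule(PC1_TRAP, 80, "deny"), Rule(INTERNAL_ALL, None, "allow")]


def wrong_order_rulebase() -> List[Rule]:
    """Deny placed below the broad allow, so it is never reached."""
    return [Rule(INTERNAL_ALL, None, "allow"), Rule(PC1_HOST, 80, "deny")]


if __name__ == "__main__":
    for label, rb in [("correct", correct_rulebase()),
                      ("netmask trap", netmask_trap_rulebase()),
                      ("wrong order", wrong_order_rulebase())]:
        print(f"{label:13s} pc1:80={evaluate(rb, '192.168.1.1', 80):5s} "
              f"pc1:443={evaluate(rb, '192.168.1.1', 443):5s} "
              f"other:80={evaluate(rb, '192.168.1.50', 80):5s} "
              f"shadowed={shadowed_rules(rb)}")
```

Running the script shows the three outcomes side by side: the correct rulebase blocks only pc1 on port 80, the netmask-trap rulebase blocks port 80 for every host on the LAN (a far wider outage than intended), and the wrong-order rulebase never blocks anything because index 1 is reported as shadowed. The `shadowed_rules` check is a useful sanity test to run over any rulebase before deploying it.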
