IP blocking in FortiGate 1200D on a particular policy
Dear All,
Can anyone tell us how many IPs we can block on a particular policy? For instance:
Let's suppose we have created one policy on the FortiGate firewall and I want to block IPs one by one. How many IPs can we block, and is there any limitation on the firewall policy?
Actually, the thing is that we have to block around 10,000 IPs on the FortiGate firewall.
Regards,
Umesh Prajapati
Labels: FortiGate
Hello Umesh,
Blocking IPs in a policy one by one is probably not the best approach to... anything that has more than 20-30 IPs.
You can use DDoS, GeoIP to block by country, external resources to store these IPs as a file on an external server, or use trusted hosts for admin users managing the unit.
The public IPs that are showing attacks are too many to block like this, and change too often to be worth the effort of setting up such a policy, and also the effort to maintain it through the GUI.
However, there is no limit to the number of objects in the policy, but there is a limit on the total address objects in the FortiGate (version dependent):
https://docs.fortinet.com/max-value-table
(select your unit and firmware version, and search for firewall.address)
- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
Just keep in mind that if you want to block access to the FGT itself, like VPNs, HTTPS, SSH, etc., you need to use a local-in policy instead. Regular policies are for traffic passing through, from one interface to another interface.
Toshi
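As an added example (not configuration posted by either reply above), this is the CLI form of the "external resources" approach from the first reply combined with the local-in point from the second: a 10,000-entry block list is published as a plain text file with one IPv4/IPv6 address or CIDR per line on a web server the FortiGate can reach, pulled in as an IP address threat feed, and then referenced as the source address in both a regular deny policy and a local-in deny policy. The feed name "blocked-ips", the URL, and the interface names wan1/internal are assumptions; replace them with your own. The refresh-rate is in minutes, and the deny policy has to sit above any allow policy covering the same interface pair (use `move <id> before <id>` if it is created below one).

```text
# Assumed feed name and URL: the file behind the URL is one IP or CIDR per line.
config system external-resource
    edit "blocked-ips"
        set type address
        set resource "https://feeds.example.com/blocked-ips.txt"
        set refresh-rate 5
        set status enable
    next
end

# Through-traffic: drop anything arriving on wan1 from a listed address.
# Interface names are assumptions; 'edit 0' takes the next free policy ID.
config firewall policy
    edit 0
        set name "deny-blocked-ips"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "blocked-ips"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Traffic to the FortiGate itself (VPN, HTTPS/SSH admin): a regular policy
# does not see this, so the same feed is used in a local-in policy.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "blocked-ips"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
    next
end
```

Before relying on this, check on your firmware that a threat feed is accepted as srcaddr in local-in policies (support for that is newer than for regular policies) and that the feed's entry count stays under the external-resource limit in the max-value table linked above, the same table that gives the firewall.address limit. After the first refresh, `diagnose sys external-resource` (or the threat feed page in the GUI) shows whether the file was fetched and how many entries were loaded; a feed that fails to download blocks nothing, so that count is the thing to monitor.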
