Support Forum
New Contributor

What is/are your way(s) to block the target from accessing your servers?



I am looking for "the best way" to block an IP address on the internet from accessing my servers.

One funny man just told me to:

1. create a loopback interface on the FortiGate

2. create an object group, enable the "Static route configuration", and add those BlackList IP addresses to that object group

3. add a static route, with Destination set to the object group and the interface set to the loopback one

So, the "return traffic" is eliminated.

Well, I then found a KB from Fortinet and just used a firewall policy with "match-vip enable" to block the target.

Technical Tip: Firewall does not block incoming (W... - Fortinet Community

So, what is/are the difference(s) between both methods?

And are there any benefits to using the funny guy's solution? Like CPU load / memory load ... anything that is better than match-vip.

New Contributor III

Hello Mr Potato.


The funny man is not wrong; this is a way to block the traffic, but you become vulnerable to a DoS situation, because the traffic routed to the loopback or blackhole would still appear in your session table until the TTL expires.

The best way is to create a blacklist policy with the "match-vip enable" parameter. This way traffic is actually blocked by the firewall policy. The match-vip is necessary in order for the top-down order of policy checking to be respected even when it comes to VIP objects.

The loopback/blackhole solution works, but can lead to a conserve mode/DoS situation due to the session table size. This is normally done on routers.


To elaborate a bit on tio3udes' solution:
- create a policy with 'match-vip' enabled (or clone your existing VIP policy)
- set the source to the IPs you want to block
- set action to deny
- put this policy above the regular VIP policy in the policy table

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
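Both methods discussed in this thread, written out as FortiOS CLI. This is an added example, not code from either poster, from the Fortinet KB linked above, or from Fortinet documentation. The interface names wan1, port2 and lo_blackhole, the loopback address 10.255.255.1, the sample blocked host 203.0.113.10 (a documentation-range address), the object names and the policy IDs 5 (existing VIP allow policy) and 10 (new deny policy) are all assumptions for illustration; substitute your own.

```text
# --- Method 1: route the blacklisted source into a loopback (the "funny man" approach) ---
# Assumed names: loopback "lo_blackhole", blocked host 203.0.113.10, group "BlackList".
config system interface
    edit "lo_blackhole"
        set vdom "root"
        set type loopback
        set ip 10.255.255.1 255.255.255.255
    next
end
config firewall address
    edit "BL-203.0.113.10"
        set subnet 203.0.113.10 255.255.255.255
        # "allow-routing" is the CLI name of the GUI toggle "Static route configuration"
        set allow-routing enable
    next
end
config firewall addrgrp
    edit "BlackList"
        set member "BL-203.0.113.10"
        set allow-routing enable
    next
end
config router static
    edit 0
        set dstaddr "BlackList"
        set device "lo_blackhole"
        set comment "Return traffic to blacklisted sources goes to the loopback"
    next
end
# (A plain blackhole route, "set blackhole enable" instead of "set device", does the same
#  job without a loopback interface; the session-table behaviour is identical.)

# --- Method 2: deny policy with match-vip (the KB approach) ---
# Assumed: VIP traffic enters on wan1 toward port2; existing VIP allow policy is ID 5.
config firewall policy
    edit 10
        set name "Deny-BlackList-to-VIP"
        set srcintf "wan1"
        set dstintf "port2"
        set srcaddr "BlackList"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        # without match-vip, DNAT'd (VIP) traffic would skip this deny policy
        set match-vip enable
        set logtraffic all
    next
    # the deny policy must sit above the VIP allow policy (top-down evaluation)
    move 10 before 5
end

# --- Checks: does the blacklisted source still get sessions on the box? ---
diagnose sys session filter clear
diagnose sys session filter src 203.0.113.10
diagnose sys session list
get router info routing-table static
```

The session listing at the end is how the two methods differ on a live unit. With the route-based block, a SYN from 203.0.113.10 still passes policy lookup and installs a session whose reply is routed into the loopback, so entries for that source linger until they time out; enough of them is the conserve-mode/DoS concern raised above. With the match-vip deny policy the packet is dropped at policy lookup, the drop appears in the forward traffic log against policy ID 10, and with default settings no session is installed, so the filter should list nothing. The `move` line matters: if policy 10 sits below the VIP allow policy it never gets evaluated for that traffic.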
