Support Forum
Potato168
New Contributor

What is/are your way(s) to block the target from accessing your servers?

Hello,

I am looking for "the best way" to block an IP address on the internet from accessing my servers.

One funny man just tells me to

1. create a loopback interface on the FortiGate
2. create an object group, enable the "Static route configuration", and add those blacklist IP addresses to that object group
3. add a static route, Dst set to the object group, Route interface: the loopback one

So, the "return traffic" is eliminated.

Well, I then found a KB from Fortinet and just have a firewall policy with "match-vip enable" to block the target.

Technical Tip: Firewall does not block incoming (W... - Fortinet Community

So, what is/are the difference(s) between both methods?

And are there even benefits if we are using the funny guy's solution? Like CPU loading / memory loading ... anything that is better than match-vip.

tio3udes
New Contributor III

Hello Mr Potato.

The funny man is not wrong, this is a way to block the traffic, but you become vulnerable to a DoS situation, because the traffic routed to the loopback or blackhole would still appear in your session table until the TTL expires.

The best way is to create a blacklist policy with the "match-vip enable" parameter. This way traffic is actually blocked by the firewall policy. match-vip is necessary for the top-down order of policy checking to be respected even when it comes to VIP objects.

The loopback/blackhole solution works, but can lead to a conserve mode/DoS situation due to the session table size. This is normally done on routers.

ti03udes
Debbie_FTNT

To elaborate a bit on tio3udes' solution:
- create a policy with 'match-vip' enabled (or clone your existing VIP policy)
- set the source to the IPs you want to block
- set action to deny
- put this policy above the regular VIP policy in the policy table

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
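As an added example (not from the thread, the linked KB, or Fortinet's documentation), here is what the two approaches discussed above look like in FortiOS CLI syntax: the deny policy with match-vip that the replies recommend, and the blackhole-route variant the original post describes. The interface name "wan1", the VIP policy ID 5, the new policy ID 10, the address 203.0.113.10, and the object names are all assumptions for illustration. The route variant uses "set blackhole enable" as the null route rather than a loopback interface, which is the usual CLI form of what the OP was told to do; "set allow-routing enable" is the CLI name of the GUI's "Static route configuration" toggle.

```text
# Added example (not from the thread). Assumptions: WAN interface "wan1",
# existing VIP policy id 5, new deny policy id 10, blocked host 203.0.113.10.

# Address object and group for the blocked host. allow-routing ("Static route
# configuration" in the GUI) is only needed for the route variant below.
config firewall address
    edit "BLACKLIST_203.0.113.10"
        set subnet 203.0.113.10 255.255.255.255
        set allow-routing enable
    next
end

config firewall addrgrp
    edit "BLACKLIST"
        set member "BLACKLIST_203.0.113.10"
        set allow-routing enable
    next
end

# Approach 1 (recommended in the replies): deny policy with match-vip.
# Without match-vip, a deny policy with dstaddr "all" does not match traffic
# destined to a VIP, so the VIP policy further down would still allow it.
config firewall policy
    edit 10
        set name "Deny-blacklist-to-VIP"
        set srcintf "wan1"
        set dstintf "any"
        set srcaddr "BLACKLIST"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set match-vip enable
        set logtraffic all
    next
end

# Policy order matters: the deny must sit above the VIP policy (id 5 assumed).
config firewall policy
    move 10 before 5
end

# Approach 2 (the "funny man's" method): null-route the return path.
# The OP used a loopback interface as the route device; "set blackhole enable"
# is the equivalent null route. The session is still created before the reply
# is discarded, which is the session-table concern raised in the replies.
config router static
    edit 0
        set dstaddr "BLACKLIST"
        set blackhole enable
    next
end
```

To compare the two behaviours on a lab box, generate connections from the blocked address and watch the session table with `diagnose sys session filter src 203.0.113.10` followed by `diagnose sys session list`: with the deny policy in place the traffic is dropped at policy lookup and logged under the deny policy, whereas with only the blackhole route the inbound SYN still matches the VIP policy and creates a session entry that lingers until it times out.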