What is/are your way(s) to block the target from accessing your servers?
Hello,
I am looking for "the best way" to block an IP address on the internet from accessing my servers.
One funny man just told me to:
1. create a loopback interface on Fortigate
2. create an object group, enable the "Static route configuration", and add those BlackList IP addresses to that object group
3. Add a static route, Dst set to the object group, Route interface: The loopback one
So, the "return traffic" is eliminated.
Well, I then found a KB from Fortinet and just used a firewall policy with "match-vip enable" to block the target.
Technical Tip: Firewall does not block incoming (W... - Fortinet Community
So, what is/are the difference(s) between both methods?
And are there even any benefits to using the funny guy's solution, like CPU load / memory load ... anything that is better than match-vip?
Labels: FortiGate
Hello Mr Potato.
The funny man is not wrong, this is a way to block the traffic, but you become vulnerable to a DoS situation, because the traffic routed to the loopback or blackhole would still appear in your session table until the TTL expires.
The best way is to create a blacklist policy with the "match-vip enable" parameter. This way traffic is actually blocked by the firewall policy. The match-vip is necessary in order for the top-down order of policy checking to be respected even when it comes to VIP objects.
The loopback/blackhole solution works, but can lead to a conserve mode/DoS situation due to the session table size. This is normally done on routers.
To elaborate a bit on tio3udes solution:
- create a policy with 'match-vip' enable (or clone your existing VIP policy)
- set the source to the IPs you want to block
- set action to deny
- put this policy above the regular VIP policy in the policy table
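As an added illustration (not part of this thread, and not Fortinet's own KB text), here is what the deny-policy steps listed above look like in FortiOS CLI, with the loopback/blackhole route from the original question shown underneath for comparison. The interface names (wan1, dmz), the existing VIP policy ID (5), the new policy ID (10) and the blocked addresses (RFC 5737 documentation ranges) are all constructed placeholders; substitute your own.

```fortios
# Added example: FortiOS CLI for the "deny policy with match-vip" approach.
# wan1/dmz, policy IDs 5 and 10, and the addresses below are constructed placeholders.

# 1. Address objects for the sources to block, kept in a group so the list can grow.
#    allow-routing is only needed for the blackhole-route variant in step 3
#    (it is the "Static route configuration" checkbox in the GUI).
config firewall address
    edit "blk-203.0.113.0_24"
        set type ipmask
        set subnet 203.0.113.0 255.255.255.0
        set allow-routing enable
    next
    edit "blk-198.51.100.7"
        set type ipmask
        set subnet 198.51.100.7 255.255.255.255
        set allow-routing enable
    next
end
config firewall addrgrp
    edit "grp-blacklist"
        set member "blk-203.0.113.0_24" "blk-198.51.100.7"
        set allow-routing enable
    next
end

# 2. Recommended: a deny policy with match-vip, placed above the VIP allow policy.
#    match-vip makes traffic destined to a VIP evaluate against this rule too,
#    so the normal top-down policy order is respected for VIP objects.
config firewall policy
    edit 10
        set name "deny-blacklist-to-vip"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "grp-blacklist"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set match-vip enable
        set logtraffic all
    next
    # Assumed existing allow rule is policy 5 (srcaddr all, dstaddr = the VIP).
    move 10 before 5
end

# 3. For comparison only: the "funny man" variant, a blackhole static route for the
#    same group. Packets are dropped at routing, but the FortiGate still creates
#    sessions for them, which is the session-table / conserve-mode concern raised above.
config router static
    edit 0
        set dstaddr "grp-blacklist"
        set blackhole enable
    next
end

# 4. Checks: with the deny policy a blocked source shows up as a denied traffic log
#    and no lingering session; with the blackhole route, sessions accumulate until
#    they time out. Watch memory as well if the blocked sources are noisy.
diagnose sys session filter src 198.51.100.7
diagnose sys session list
get system performance status
```

The `move 10 before 5` line is the CLI equivalent of dragging the deny rule above the VIP policy in the GUI; if the deny rule sits below the allow rule it never matches, because the allow rule is hit first.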
