Blocking incoming traffic from specified IP addresses issue
Hi folks,
I am trying to block unwanted incoming traffic from specified IP addresses, but it doesn't work.
Interface wan2 is connected to the internet and the internal interface to my internal network. FortiOS version is 7.2.5.
Regards.
Labels: FortiGate
Create a local-in policy: https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/363127/local-in-policy#:~:te....
Hello @qalam ,
Thank you for contacting the Fortinet Forum page.
As suggested by my colleague @spoojary, you can create a local-in policy, which would block the traffic before it is processed further by a firewall policy.
Local-in policy | FortiGate / FortiOS 7.2.5 | Fortinet Document Library
But in order to check why the firewall policy is not blocking the incoming traffic, I would recommend verifying the logs under Log & Report -> Forward logs.
- Also verify whether there is any virtual IP configured on the internal private address; if yes, configure match-vip enable under the firewall policy, which is available from the CLI.
Refer to the links below for guidance:
- Make sure to move the firewall policy all the way to the top.
Best regards,
Manasa.
If you feel the above steps helped to resolve the issue, mark the reply as solved so that other customers can find it easily while searching for similar scenarios.
@mpeddalla @spoojary Thank you, the best solution is to use a local-in policy because it's impossible to create a VIP in my case: the incoming traffic is targeting my WAN interface, and I am not publishing a service to the internet or forwarding certain traffic to my internal network.
Hello @qalam ,
Thank you for confirming. If you would like to create a local-in policy, use the link below:
https://docs.fortinet.com/document/fortigate/7.2.5/administration-guide/363127
Best regards,
Manasa.
Hi @qalam
If multiple unwanted IPs are hitting, you can create an address group, add all the unwanted IPs to the group, call it in the local-in policy as the destination with your WAN IP as the source, and set the action to deny.
Regards,
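The local-in policy approach suggested in the replies above, written out as an added FortiOS 7.2 CLI example (not configuration posted by anyone in this thread). It covers both the single-IP case from the original question and the address-group variant from the last reply, in one script. The interface name wan2 comes from the original post; the address object names, the group name, the policy ID and the RFC 5737 test addresses (203.0.113.10, 198.51.100.0/24) are placeholders and must be replaced with the real offending sources. Note the direction: a local-in policy matches traffic addressed to the FortiGate itself (the wan2 interface IP), so the unwanted internet hosts are the source and the FortiGate is the destination; traffic that is forwarded through a firewall policy or a VIP is not evaluated by local-in policies at all.

```fortios
# Added example, not from the original thread. Placeholder addresses from RFC 5737.
# 1. Address objects for the unwanted sources (one host, one network as illustration).
config firewall address
    edit "blocked-src-host"
        set subnet 203.0.113.10 255.255.255.255
        set comment "example placeholder, replace with real offending IP"
    next
    edit "blocked-src-net"
        set subnet 198.51.100.0 255.255.255.0
        set comment "example placeholder, replace with real offending range"
    next
end

# 2. Group them so the local-in policy references one object and
#    new offenders are added to the group, not to the policy.
config firewall addrgrp
    edit "blocked-sources"
        set member "blocked-src-host" "blocked-src-net"
    next
end

# 3. Local-in policy on wan2: deny anything from the group to the
#    FortiGate itself, for every service, permanently.
#    Local-in policies are evaluated before firewall policies for
#    traffic destined to the unit's own interface addresses.
config firewall local-in-policy
    edit 1
        set intf "wan2"
        set srcaddr "blocked-sources"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
        set status enable
        set comments "drop unwanted sources hitting wan2 directly"
    next
end

# 4. Denied local-in traffic is not logged by default. Enable it so the
#    drops appear under Log & Report -> Local Traffic and the block can
#    actually be verified instead of assumed.
config log setting
    set local-in-deny-unicast enable
    set local-in-deny-broadcast enable
end
```

To confirm the policy is matching, generate traffic from a blocked source (or watch the real offender) and check Log & Report -> Local Traffic for deny entries from the listed addresses; `diagnose sniffer packet wan2 'host 203.0.113.10' 4` shows whether the packets reach the interface at all. If the source IPs change frequently, extend the "blocked-sources" group rather than adding policies, and keep the policy ID order in mind since local-in policies are evaluated top to bottom like firewall policies.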
