Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
qalam
New Contributor

Created on ‎10-05-2023 12:59 PM

blocking incoming traffic from a specified ip addresses issue

Hi folks,

I am trying to block unwanted incoming traffic from a specified IP addresses but it doesn't work.

interface wan2  is connected to internet and  internal interface to my internal network. FortiOS version is 7.2.5.

Regards.

Screenshot 2023-10-05 at 19-00-08 FortiGate.png

Labels:
2812
0 Kudos
5 REPLIES 5
spoojary
Staff
Staff

Created on ‎10-05-2023 01:13 PM

Create a local in policy : https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/363127/local-in-policy#:~:te....

Siddhanth Poojary
2805
mpeddalla
Staff
Staff

Created on ‎10-05-2023 05:50 PM Edited on ‎10-05-2023 05:51 PM

Hello @qalam ,

 

Thank you for contacting the Fortinet Forum page.

 

As suggested by my colleague @spoojary  you can create a local in policy which would block before processing further to a firewall policy.

Local-in policy | FortiGate / FortiOS 7.2.5 | Fortinet Document Library

 

But in order to check why it is not blocking the incoming traffic based on firewall policy would recommend verifying logs under log& report -> forward logs.

-Also verify if there are any virtual IP configured on the internal private address, if yes configure match-vip enable under firewall policy which is available from cli 

refer to the below links for guidance :

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Firewall-does-not-block-incoming-WAN-to-LA...

-Make sure to move the firewall policy all the way to the top.

 

Best regards,

Manasa.

 

If you feel the above steps helped to resolve the issue mark the reply as solved so that other customers can get it easily while searching on similar scenarios.

 

 

Manasa
2777
qalam
New Contributor

Created on ‎10-05-2023 08:48 PM

@mpeddalla @spoojary Thank you, the best solution is to use local-in-policy because its impossible to create VIP in my case, the incoming traffic is targeting my wan interface and I am not publishing a service to internet or forwarding a certain traffic to my internal network.

2766
0 Kudos
mpeddalla
Staff
Staff
In response to qalam

Created on ‎10-07-2023 11:19 AM

Hello @qalam ,

 

Thank you for confirming if you would like to create local-in-policy use the below link:

https://docs.fortinet.com/document/fortigate/7.2.5/administration-guide/363127

 

Best regards,

Manasa.

Manasa
2737
0 Kudos
VinayHM
Staff
Staff

Created on ‎10-09-2023 10:20 PM

Hi @qalam 

 

If multiple unwanted IPs hitting means, you can create an address group and you can add all unwanted IPs in the group call in local in policy as destination and towards your wan IP as source, and set action as deny.

 

Regards,

Vinay HM
2584
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.