Support Forum
qalam
New Contributor

Blocking incoming traffic from specified IP addresses issue

Hi folks,

I am trying to block unwanted incoming traffic from specified IP addresses, but it doesn't work.

Interface wan2 is connected to the internet and the internal interface to my internal network. FortiOS version is 7.2.5.

Regards.

(Screenshot attached: FortiGate.png, 2023-10-05)

spoojary
Staff

mpeddalla
Staff

Hello @qalam ,

 

Thank you for contacting the Fortinet Forum page.

 

As suggested by my colleague @spoojary, you can create a local-in policy, which would block the traffic before it is processed further by a firewall policy.

Local-in policy | FortiGate / FortiOS 7.2.5 | Fortinet Document Library

 

But in order to check why it is not blocking the incoming traffic based on the firewall policy, I would recommend verifying the logs under Log & Report -> Forward logs.

- Also verify whether there are any virtual IPs configured on the internal private address; if yes, configure match-vip enable under the firewall policy, which is available from the CLI.

Refer to the below links for guidance:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Firewall-does-not-block-incoming-WAN-to-LA...

- Make sure to move the firewall policy all the way to the top.

 

Best regards,

Manasa.

 

If you feel the above steps helped to resolve the issue, mark the reply as solved so that other customers can find it easily while searching for similar scenarios.
qalam
New Contributor

@mpeddalla @spoojary Thank you, the best solution is to use a local-in policy because it's impossible to create a VIP in my case: the incoming traffic is targeting my WAN interface, and I am not publishing a service to the internet or forwarding certain traffic to my internal network.

mpeddalla

Hello @qalam ,

 

Thank you for confirming. If you would like to create a local-in policy, use the below link:

https://docs.fortinet.com/document/fortigate/7.2.5/administration-guide/363127

 

Best regards,

Manasa.

VinayHM
Staff

Hi @qalam 

 

If multiple unwanted IPs are hitting, you can create an address group, add all the unwanted IPs to the group, call it in the local-in policy as the destination with your WAN IP as the source, and set the action to deny.

 

Regards,

Vinay HM
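The local-in policy and address-group approach suggested in the replies above, written out as an added FortiOS CLI example (this is not configuration posted by anyone in the thread). It assumes the WAN interface is "wan2" as stated in the original post; the addresses 203.0.113.10 and 198.51.100.0/24 are constructed documentation-range examples, and the object names are arbitrary. Because the original poster is blocking traffic aimed at the FortiGate's own WAN address, the unwanted hosts go in srcaddr and the unit's address (dstaddr "all") is the destination. The lines beginning with "#" are explanatory comments and should be removed before pasting into the CLI.

```text
# Added example: deny traffic from specific Internet hosts to the
# FortiGate's own wan2 address using a local-in policy (FortiOS 7.2).
# Blocked addresses below are constructed, documentation-range values.

# 1. Address objects for the unwanted sources
config firewall address
    edit "blk-203.0.113.10"
        set subnet 203.0.113.10 255.255.255.255
    next
    edit "blk-198.51.100.0-24"
        set subnet 198.51.100.0 255.255.255.0
    next
end

# 2. Group them so the policy references one object and new IPs are
#    added to the group, not to the policy
config firewall addrgrp
    edit "blocked-wan-sources"
        set member "blk-203.0.113.10" "blk-198.51.100.0-24"
    next
end

# 3. Local-in policy. Local-in policies are evaluated before firewall
#    policies and apply to traffic destined to the unit itself, so no
#    VIP or match-vip is involved. Unwanted hosts = source; the
#    FortiGate's wan2 address = destination.
config firewall local-in-policy
    edit 1
        set intf "wan2"
        set srcaddr "blocked-wan-sources"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
        set status enable
    next
end

# 4. Denied local-in unicast traffic is not logged by default; enable it
#    so the drops appear under Log & Report > Local Traffic.
config log setting
    set local-in-deny-unicast enable
end

# 5. Verify from the CLI: sniff 10 packets from a blocked host on wan2
#    (requests should arrive with no reply), then trace the flow.
diagnose sniffer packet wan2 'host 203.0.113.10' 4 10
diagnose debug flow filter saddr 203.0.113.10
diagnose debug flow trace start 10
diagnose debug enable
```

Keep the deny local-in policy above any permissive local-in entries (for example ones allowing VPN or admin access from specific peers), since local-in policies are matched top-down like firewall policies. The debug flow output should show the packet being dropped by local-in policy 1 rather than reaching a forward policy.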