I recently added a cellular internet backup service to our Fortigate. For the last 2 or 3 weeks I have received over 1000 "Login Denied" email alerts. I would like to block all public IP addresses but I have not found a good step-by-step guide using the web interface (I don't use CLI). Can someone point me in the right direction?
I have a Fortigate FG60F with version 7.0.16 build0667. I currently have the backup internet unplugged.
Hi @RonBrow ,
To block all public IP addresses, you may just disable Allowaccess services on the web interface.
Meanwhile, you may create a Local-in policy with the web interface, with all public IP addresses as the source and a Deny action.
https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/363127/local-in-policy
What you can do:
1) Create one local-in policy, create private subnets as firewall address objects and apply in this local-in policy with Allow action if you need to allow private subnets to access this interface, otherwise, skip this step;
2) Create a second local-in policy below the first one, use "all" for source/destination addresses and Deny action.
This will block/deny all public IP addresses from accessing this web interface only.
By the way, 1000 failed attempts for 2 weeks means 71.4/day. That's actually not bad. I think I got many more SSL VPN failed attempts at my home FGT until I blocked almost all except a few known source IPs with a set of local-in-policy entries.
In 7.4 and before, local-in-policy can be configured only in the CLI. It might be a good opportunity to learn CLI.
Toshi
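The two-policy approach from the accepted answer, written out for the CLI that the last reply refers to. This is an added example, not part of the original posts. The interface name `wan2` and the address object names are assumptions; substitute the port the cellular backup is connected to.

```fortios
# Step 1 (optional): address objects for the private ranges that may
# still reach the FortiGate itself on this interface.
config firewall address
    edit "RFC1918-10"
        set subnet 10.0.0.0 255.0.0.0
    next
    edit "RFC1918-172"
        set subnet 172.16.0.0 255.240.0.0
    next
    edit "RFC1918-192"
        set subnet 192.168.0.0 255.255.0.0
    next
end
config firewall addrgrp
    edit "RFC1918-all"
        set member "RFC1918-10" "RFC1918-172" "RFC1918-192"
    next
end

# Step 2: local-in policies are matched top-down, so the allow entry
# must come before the deny entry.
config firewall local-in-policy
    edit 1
        # "wan2" is an assumed interface name
        set intf "wan2"
        set srcaddr "RFC1918-all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action deny
    next
end
```

Local-in policies only cover traffic addressed to the FortiGate itself, so with service "ALL" the deny entry also drops VPN and ping to that interface; apply it from a session that does not come in through the same interface.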