Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Not applicable

how to block External IP

I am new to useing this fortinet60 and I would like to know how to Block an range of external IP' s , such as 11.11.11.01 - 11.11.11.255 I bet its easy to do but I must be mising something. Thanx in advance for any help
13 REPLIES 13
Not applicable

Quite simple, If you want to deny a couple of IP' s from internal to external define address-range or group like 11.11.11.0/24 and in the policy set internal (block_range) to external (all) deny. Make it the first rule in the policy set. that' s it. Cheers, Eric
Not applicable

I' m looking to block External->Internal IP' s. I want to block certain External IP address' s from getting to the Internal side, which includes all ports for the specific External IP' s only. Thanx for the reply ! !
abelio
Valued Contributor

ORIGINAL: OlderMan I' m looking to block External->Internal IP' s. I want to block certain External IP address' s from getting to the Internal side, which includes all ports for the specific External IP' s only.
Is the default behaviour IF you don' t have policies external->internal for your specific block. IF don' t and IF you have explicit policies extrnal->internal involving this specific block, follow Servit advice. regards,

regards




/ Abel

regards / Abel
Not applicable

Not sure I fully understand. If it is possible to block External IP from getting Internal can you give a simple step-by-step example please ? I am rather new to configing this unit, before this I used the lame Linksys units.. Lol
abelio
Valued Contributor

man, 1) you don' t need anything to block external IP to gain access to internal lan because that' s is default behaviour: " Deny all Ext->Int -unless you need permit something-" 2) if you' ve permitted certain external or wan access to any inetrnal host or all internal network, and you need block some Ip-range, follow Servit' s above post advice. Before permit anything or connect your FGT box to te Internet, I suggest read docs and examples widely available for example: http://kc.forticare.com/default.asp?id=425&Lang=1&SID= is a good starting point.

regards




/ Abel

regards / Abel
Not applicable

servit' s advice was to block Internal to External. I want to reverse that. block External from getting to the Internal. I want to block only certain IP' s or small range of IP' s. This might be getting slightly off topice but can I force the unit to get a new IP ? With Linksys I could change the unit' s MAC & my Provider would give it a new IP, I have tried both rebooting this unit along with the cable-modem box and bringing down the wan1 interface along with power cycling the modem box, neither gave me a new IP. I do not have a static IP but have sometimes kept the same IP for months at a time.
Not applicable

It goes about the same way. Define the address range or if the IP' s are non continous. Like 193.14.15.20, 95.4.22.4 & 222.22.33.44 Then define the single ip' s as block-1 : 193.14.15.20, block-2 : 95.4.22.4 and block-3 : 222.22.33.44. Then define block-IPs as a group containing block-1, block-2 and block-3. Finally define policy external(block-IPs) to internal (internal-segment or all) DENY. Make it the first in the policy list. Cheers, Eric
Not applicable

Furthermore I would strongly advise to upgrade the firmware to MR11. ie build 489. Best regards, Eric
20twenty
New Contributor

We have had cause to try and do this today but can' t get it working either..... We have many policies that allow external all to the virtual ip' s for our websites in the dmz. We need to block one IP from accessing any of our sites. I created an address alias for the nuisance IP and then a policy at the top of external>dmz with this as the source, destination all, and service any. The IP is not blocked. If i change the destination to a specific virtual IP, the traffic is blocked. I have tried various destinations for this policy....all, an address alias with the our dmz subnet as the address, 0.0.0.0 and nothing works. Anybody any ideas?
Labels
Top Kudoed Authors