Support Forum
Not applicable

how to block External IP

I am new to using this fortinet60 and I would like to know how to block a range of external IPs, such as 11.11.11.01 - 11.11.11.255. I bet it's easy to do but I must be missing something. Thanks in advance for any help.
13 REPLIES
Not applicable

Make sure the rule is ON TOP of the rule list. Rules are evaluated in order!
20twenty
New Contributor

Yes, it's the 1st policy at the top of the list.
Not applicable

What is the spec of your deny rule?
Not applicable

I do not know what your actual configuration is like, but I will give you an example. Note: This stupid forum keeps messing up my nice lay-out, so you have to look a little closely at the examples.

VIP

I do not know if it's a static VIP or a Port Forwarding, so I'll give you both. A Port Forward:
 NAME       EXT_INT/EXT_IP     EXT_PORT  INT_IP       INT_PORT
 PF_HTTP    wan1/EXTERNAL_IP   tcp/80    INTERNAL_IP  tcp/80
 
or in case of static VIP:
 NAME     EXT_INT/EXT_IP    EXT_INT
 ST_SRV   wan1/EXTERNAL_IP  INTERNAL_IP 
 
Policy

Well, next comes the policy part. You will need two policies: a deny first for the addresses that are giving you problems and an accept for all the rest. You will need to make an object for all the addresses and put them into a group. I will call this group GRP_AC_DENY for this example. I am also going to use PF_HTTP as the destination. So if you have a static VIP, use the other VIP, ST_SRV.
 WAN1 -> Internal 
 SRC             DST       Schedule    Service    Action
 GRP_AC_DENY     PF_HTTP   always        HTTP     DENY
 all             PF_HTTP   always        HTTP     ACCEPT
 
That should do the trick. This will deny all access from the group and give access to all others. Hope it helps. Regards, Adrian
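
An added example, not part of any reply in this thread: a small Python model of the top-to-bottom, first-match policy evaluation the replies describe, using the WAN1 -> Internal table from the post above. The VIP address 203.0.113.10 and the test source addresses are constructed placeholders, and the range start is written 11.11.11.1 for the question's 11.11.11.01.

```python
import ipaddress

# Constructed sample values: the range is the one from the question; the VIP
# address 203.0.113.10 is a documentation placeholder, not from the thread.
DENY_RANGE = ("11.11.11.1", "11.11.11.255")
VIP_PF_HTTP = ("203.0.113.10", 80)


def range_to_networks(start, end):
    """Collapse an inclusive IPv4 range into the fewest CIDR blocks."""
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    return list(ipaddress.summarize_address_range(first, last))


GROUPS = {
    "GRP_AC_DENY": range_to_networks(*DENY_RANGE),
    "all": [ipaddress.ip_network("0.0.0.0/0")],
}

# Same rows as the WAN1 -> Internal table in the post, top to bottom.
POLICIES = [
    {"src": "GRP_AC_DENY", "dst": VIP_PF_HTTP, "action": "DENY"},
    {"src": "all", "dst": VIP_PF_HTTP, "action": "ACCEPT"},
]


def evaluate(policies, src_ip, dst_ip, dst_port):
    """Return the action of the first policy that matches, top to bottom."""
    src = ipaddress.ip_address(src_ip)
    for rule in policies:
        in_group = any(src in net for net in GROUPS[rule["src"]])
        if in_group and rule["dst"] == (dst_ip, dst_port):
            return rule["action"]
    return "DENY"  # no policy matched: implicit deny at the end of the list


if __name__ == "__main__":
    for ip in ("11.11.11.77", "11.11.11.0", "198.51.100.5"):
        print(ip, evaluate(POLICIES, ip, *VIP_PF_HTTP))
    # Reversed order: the catch-all ACCEPT shadows the DENY rule.
    print(evaluate(list(reversed(POLICIES)), "11.11.11.77", *VIP_PF_HTTP))
```

Note that 11.11.11.0 is accepted: the range as written in the question starts at .1, so it is not the same set as 11.11.11.0/24.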