FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
KC_Hing
Staff
Article Id 252839
Description

This article describes how to block a specific host permanently after an attack traffic is detected by the DDoS protection policy.

Scope

FortiGate.
Solution

In this scenario, FortiGate has a DDoS policy configured to block DoS attack traffic above a specific threshold, and it is necessary to block the IP address that is identified as the attack source.

 

Example:

1) Check the IP address of the host that triggered the anomaly.

 

# diag ips anomaly list

list nids meter:

id=tcp_port_scan      ip=10.129.2.76 dos_id=1 exp=2793 pps=13 freq=337

id=udp_scan           ip=10.129.2.76 dos_id=1 exp=2570 pps=0 freq=10

 

2) Configure the persistence option so that the banned IP is kept across a reboot or power cycle.

 

# config firewall global

    set banned-ip-persistency permanent-only   

end

 

3) Add the host IP to the permanent banned-IP list (an expiry of 0 makes the entry indefinite, as the list output below shows).

 

# diagnose user banned-ip add src4 10.129.2.76 0 ips

# diagnose user banned-ip list

src-ip-addr         created                              expires                  cause           

10.129.2.76       Mon Apr 17 07:42:45 2023  indefinite               IPS         
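As an added example that is not part of the original article, the script below automates steps 1 and 3: it parses the output of `diag ips anomaly list`, collects the unique source IPs (optionally only those whose anomaly frequency exceeds a threshold), and emits the matching `diagnose user banned-ip add src4 <ip> 0 ips` commands; it then parses `diagnose user banned-ip list` output to confirm that an entry shows `indefinite` expiry. The sample outputs are constructed to match the format shown on this page, the extra `icmp_flood` line and the `min_freq` threshold are assumptions for illustration, and the script only generates commands; it does not connect to a FortiGate.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample output in the shape of "diag ips anomaly list" (the
# icmp_flood line is added for illustration; the first two lines match the page).
ANOMALY_LIST = """list nids meter:
id=tcp_port_scan      ip=10.129.2.76 dos_id=1 exp=2793 pps=13 freq=337
id=udp_scan           ip=10.129.2.76 dos_id=1 exp=2570 pps=0 freq=10
id=icmp_flood         ip=10.129.2.99 dos_id=2 exp=100 pps=40 freq=5
"""

# Constructed sample output in the shape of "diagnose user banned-ip list".
BANNED_LIST = """src-ip-addr         created                              expires                  cause
10.129.2.76       Mon Apr 17 07:42:45 2023  indefinite               IPS
"""

ANOMALY_RE = re.compile(
    r"id=(?P<id>\S+)\s+ip=(?P<ip>\S+)\s+dos_id=(?P<dos_id>\d+)"
    r"\s+exp=(?P<exp>\d+)\s+pps=(?P<pps>\d+)\s+freq=(?P<freq>\d+)"
)
# created contains single spaces; two or more spaces separate it from expires.
BANNED_RE = re.compile(
    r"^(?P<ip>\S+)\s+(?P<created>.+?)\s{2,}(?P<expires>\S+)\s+(?P<cause>\S+)\s*$"
)


@dataclass(frozen=True)
class Anomaly:
    anomaly_id: str
    ip: str
    dos_id: int
    exp: int
    pps: int
    freq: int


def parse_anomaly_list(text):
    """Return one Anomaly per 'id=... ip=...' line; other lines are ignored."""
    result = []
    for line in text.splitlines():
        m = ANOMALY_RE.search(line)
        if m:
            result.append(Anomaly(m["id"], m["ip"], int(m["dos_id"]),
                                  int(m["exp"]), int(m["pps"]), int(m["freq"])))
    return result


def ban_commands(anomalies, min_freq=0):
    """Build a permanent-ban command (expiry 0, cause ips) per unique source IP.

    min_freq (an assumed threshold) drops sources whose every anomaly entry
    fired fewer than that many times, so noisy low-frequency hits are reviewed
    rather than banned automatically.
    """
    ips = {a.ip for a in anomalies if a.freq >= min_freq}
    return [f"diagnose user banned-ip add src4 {ip} 0 ips"
            for ip in sorted(ips, key=ipaddress.ip_address)]


def parse_banned_list(text):
    """Map src-ip-addr -> (expires, cause) from banned-ip list output."""
    banned = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("src-ip-addr"):
            continue  # skip the header row and blank lines
        m = BANNED_RE.match(line)
        if m:
            banned[m["ip"]] = (m["expires"], m["cause"])
    return banned


def is_permanently_banned(ip, banned):
    """True only if the IP is listed with an 'indefinite' expiry."""
    entry = banned.get(ip)
    return entry is not None and entry[0] == "indefinite"


if __name__ == "__main__":
    anomalies = parse_anomaly_list(ANOMALY_LIST)
    for cmd in ban_commands(anomalies, min_freq=100):
        print(cmd)
    status = parse_banned_list(BANNED_LIST)
    for ip in sorted({a.ip for a in anomalies}, key=ipaddress.ip_address):
        print(ip, "permanent" if is_permanently_banned(ip, status) else "not permanent")
```

Run it as-is to see the generated commands and the verification result for the two sample sources; the commands are meant to be reviewed and then pasted into the FortiGate CLI after step 2 has been applied, since without the persistence setting the entries would not survive a reboot.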
