Description
This article describes how to block a specific host permanently after attack traffic is detected by the DDoS protection policy.
Scope
FortiGate.
Solution |
In this scenario, FortiGate has a DDoS policy configured to block DoS attack traffic above a specific threshold, and it is necessary to block the IP address identified as the attack source.
Example:
1) Check the IP address of the host that triggered the anomaly.
# diag ips anomaly list
list nids meter:
id=tcp_port_scan ip=10.129.2.76 dos_id=1 exp=2793 pps=13 freq=337
id=udp_scan ip=10.129.2.76 dos_id=1 exp=2570 pps=0 freq=10
2) Configure the persistence option so that banned IPs are kept across a reboot or power cycle.
# config firewall global
    set banned-ip-persistency permanent-only
end
3) Add the host IP to the permanent banned-IP list (a timeout of 0 makes the ban indefinite, as shown in the 'expires' column) and verify the entry.
# diagnose user banned-ip add src4 10.129.2.76 0 ips
# diagnose user banned-ip list
src-ip-addr    created                      expires     cause
10.129.2.76    Mon Apr 17 07:42:45 2023     indefinite  IPS
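Steps 1 and 3 above are often repeated when several meters fire at once. The following Python script is an added example (not part of the Fortinet article and not a Fortinet tool): it parses the `diag ips anomaly list` output, groups the anomaly IDs by source address, and emits one `diagnose user banned-ip add src4 <ip> 0 ips` command per distinct source so the operator can review the list before pasting it into the CLI. The meter line format is assumed to match the two lines shown in the article; the sample output embedded below is constructed from them.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the 'diag ips anomaly list' output in the
# article above; it is not captured from a live device.
SAMPLE_ANOMALY_OUTPUT = """list nids meter:
id=tcp_port_scan ip=10.129.2.76 dos_id=1 exp=2793 pps=13 freq=337
id=udp_scan ip=10.129.2.76 dos_id=1 exp=2570 pps=0 freq=10
"""

# One meter line: anomaly id, IPv4 source, DoS policy id, expiry, packet rate, frequency.
# Assumption: every field appears in this order, as in the article's sample.
METER_RE = re.compile(
    r"id=(?P<id>\S+)\s+ip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dos_id=(?P<dos_id>\d+)"
    r"\s+exp=(?P<exp>\d+)\s+pps=(?P<pps>\d+)\s+freq=(?P<freq>\d+)"
)


def parse_anomaly_list(text: str) -> List[dict]:
    """Return one dict per meter line; header lines and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = METER_RE.search(line)
        if not m:
            continue
        entry = m.groupdict()
        for key in ("dos_id", "exp", "pps", "freq"):
            entry[key] = int(entry[key])
        entries.append(entry)
    return entries


def sources_by_ip(entries: List[dict]) -> Dict[str, List[str]]:
    """Map each source IP to the sorted list of anomaly ids it triggered."""
    grouped: Dict[str, List[str]] = {}
    for e in entries:
        grouped.setdefault(e["ip"], []).append(e["id"])
    return {ip: sorted(ids) for ip, ids in grouped.items()}


def ban_commands(entries: List[dict], min_freq: int = 0) -> List[str]:
    """Emit one permanent ban command per distinct source.

    A source qualifies if any of its meters reached at least min_freq hits,
    so a single low-frequency meter can be excluded from the review list.
    Timeout 0 produces an 'indefinite' ban, matching the article's output.
    """
    qualifying = sorted({e["ip"] for e in entries if e["freq"] >= min_freq})
    return [f"diagnose user banned-ip add src4 {ip} 0 ips" for ip in qualifying]


if __name__ == "__main__":
    parsed = parse_anomaly_list(SAMPLE_ANOMALY_OUTPUT)
    for ip, ids in sources_by_ip(parsed).items():
        print(f"{ip}: {', '.join(ids)}")
    print("\n".join(ban_commands(parsed)))
```

The generated commands are printed rather than executed so that the operator confirms each source is genuinely hostile (and not, for example, a vulnerability scanner the organisation runs itself) before adding it to the permanent list; with `banned-ip-persistency permanent-only` set, a mistaken ban survives reboots and must be removed by hand.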