Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
spathak
Staff
Staff

Created on ‎10-16-2019 06:59 AM Edited on ‎04-23-2025 09:30 PM By Community Manager

Article Id 195128

Technical Tip: How to block specific external (public) IP address via IPv4 policy

Description


This article explains how to block some of the specific public IP addresses to enter the internal network of the FortiGate to protect the internal network. This is specific to configurations that already have inbound firewall policies allowing traffic internally to specific subnets that can be routable externally or that have a VIP as a destination. By default, traffic from external is not allowed internally without a firewall policy configured to allow externally initiated sessions.

 

Scope

 

FortiGate.

Solution


Step1: Create an address object

Go to Policy & Objects -> Addresses
Click on 'create new' and 'Address'

 
Category: Address
Name: Provide any name
Type: Subnet
Subnet / IP Range :   x.x.x.x/32   where x.x.x.x is the  specific public IP it is required to block
                                  x.x.x.x/24   where x.x.x.x is the subnet it is required to block and /24 is the subnet
 
 
Interface: Any
Click on 'OK' to apply the changes
 
Step2: Create IPv4 Policy

Go to Policy & Objects -> IPv4 policy
Click on 'create new '
Name: Provide any name
Incoming interface: WAN interface
Outgoing interface: LAN interface
Source: Select the address object, created above.
Destination: set it to "all"
Schedule: Always
Services: All
Action: Deny
NAT: Enable
Security Profiles:
Enable IPS
 
Click on 'OK' and place this policy to the top of the IPv4 policy list (by drag and drop) from the ID column.
 
 
 
 
Note:
In the latest firmware versions (above 7.0) the option for IPv4 policy is replaced with Firewall policy under Policy & Objects.
 

test.PNG

 

 

Note:

If a group of addresses requires to be blocked, select Addresses -> Address Group and select 'Create New'. 

 

Related article:

Troubleshooting Tip: VIP traffic not matching the firewall policy with an 'all' destination

 

Note:

V5.0 up to v6.4 are out of engineering support. These GUI sections might be different in higher versions.

Consider upgrading the firmware level on the device to a supported version (v7.0 up to v7.6). Check the firmware path and compatibility depending on the hardware.

116211
Suggest New Article
Article Feedback
Comments
jperezgonzalez
Staff
Staff
‎04-02-2025 09:40 AM

Note: In case a group of addresses require to be blocked, click on addresses select address group and click on create new: 

 

 
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.