Block traffic from IPs on a blacklist (not only spam)
I have FortiGate 200F.
I detect various disturbing connections from different addresses. At the moment I manually add the intense ones to the blocked list. Unfortunately, this is not effective and very time-consuming.
These addresses are usually on some blacklists, such as zen.spamhaus.org. I am sure that a device of this class can automate the blocking of traffic coming from addresses on blacklists, but I don't know how to set it up. Any advice?
Security Profiles > DNS Filter > profile > External IP Block Lists options.
Is this the right direction?
Do you have any addresses attached to them that you can share?
Hi, DNS Filter is for LAN/internal users potentially browsing to malicious sites on the Internet. As I understand it, you observe incoming potentially bad IPs from the Internet; for this you'd rather use an External Fabric Connector to have the FortiGate dynamically download 3rd-party threat feeds and then use them in WAN -> LAN rules with action Block.
Excellent response from Yurisk already. I just want to add that you can also set up IPS filters (if you have that feature via a FortiGuard subscription) to automatically detect and block attacks and optionally quarantine the attacking IP addresses.
Thank you all for the tips. The easiest for me was from @dairu. I added a few lists, but, for example, I was not able to add http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-2.uceprotect.net.gz (bad format). I also created my own file where I manually add addresses, but it doesn't make sense: what I block in a moment, the "enemy" tries from a different address anyway. The never-ending story.
@gfleming - I set a high-security IPS profile for the policy but I don't see any effect; still huge traffic on port 53.
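The "bad format" rejection above is usually just that the feed is not the plain one-entry-per-line text that an IP address threat feed expects. Here is an added example (my code, not part of this thread and not Fortinet's) that normalizes a blocklist dump into that form. It assumes an rbldnsd ip4set-style input (`$` directives, `#` comments, `!` exclusions, an optional `:value` suffix, and the 1-to-3-octet prefix shorthand); the sample input is constructed, and the output format assumed is one IPv4/IPv6 address or CIDR per line.

```python
import ipaddress
import re

# Constructed sample in the style of an rbldnsd ip4set dump (not a real feed).
# Directives start with '$', comments with '#', exclusions with '!', and a
# ':value' suffix may follow an entry. The 3-octet line is the rbldnsd
# shorthand for a whole /24. These are format assumptions, not Fortinet docs.
SAMPLE_RBLDNSD = """\
$DATASET ip4set example-dnsbl.invalid
# listed networks and hosts
198.51.100.0/24  :127.0.0.2:listed
198.51.100.7:127.0.0.2:listed
203.0.113        :127.0.0.2:shorthand for 203.0.113.0/24
203.0.113.9
!203.0.113.200
2001:db8::/32
bogus-entry
"""

SHORT_V4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){0,2}")  # 1 to 3 octets, no mask


def parse_entry(line):
    """Return an ip_network for one feed line, or None if the line is skipped."""
    line = line.strip()
    if not line or line[0] in "#$;!":
        return None                      # comment, directive or exclusion
    token = line.split()[0]              # drop anything after whitespace
    if "." in token and ":" in token:    # IPv4 with an rbldnsd ':value' suffix
        token = token.split(":", 1)[0]
    if SHORT_V4.fullmatch(token):        # expand '203.0.113' -> 203.0.113.0/24
        octets = token.split(".")
        token = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
    try:
        return ipaddress.ip_network(token, strict=False)
    except ValueError:
        return None                      # e.g. 'bogus-entry'


def to_fortigate_feed(text):
    """Produce one address or CIDR per line, deduplicated and collapsed."""
    nets = [n for n in map(parse_entry, text.splitlines()) if n is not None]
    ordered = []
    for version in (4, 6):               # collapse_addresses needs one family at a time
        ordered.extend(ipaddress.collapse_addresses(n for n in nets if n.version == version))
    lines = [str(n.network_address) if n.prefixlen == n.max_prefixlen else n.with_prefixlen
             for n in ordered]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Publish the output on a web server the FortiGate can reach and point
    # an IP Address threat feed connector at that URL.
    print(to_fortigate_feed(SAMPLE_RBLDNSD), end="")
```

Collapsing hosts into the networks that already contain them keeps the entry count down, which matters when a feed runs into the connector's size limits; hosts that are not covered by a listed network are kept as bare addresses.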
OK, let's explore a bit more the exact nature of the traffic you are seeing. Lots of traffic on port 53 could be evidence of a DDoS attack. Can you share what the traffic looks like? Is it many different sources hitting your IP on port 53?
Do you have port 53 open and exposed on the internet? If so, you might want to reconsider, as most people do not need it. If not, then check the DoS policy:
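The question above (many different sources, or a few sources hammering) is what decides whether a per-IP blocklist or a DoS policy is the right tool. As an added example (my own code, not from this thread or Fortinet), here is a small triage script run over constructed FortiGate-style key=value traffic log lines; the "distributed" vs "concentrated" thresholds are my own assumptions for illustration.

```python
import re
from collections import Counter

# Constructed FortiGate-style traffic log lines (key=value); not from the thread.
SAMPLE_LOGS = """\
date=2024-01-01 time=10:00:01 srcip=198.51.100.10 dstip=203.0.113.5 dstport=53 proto=17 action=deny
date=2024-01-01 time=10:00:01 srcip=198.51.100.11 dstip=203.0.113.5 dstport=53 proto=17 action=deny
date=2024-01-01 time=10:00:02 srcip=198.51.100.12 dstip=203.0.113.5 dstport=53 proto=17 action=deny
date=2024-01-01 time=10:00:02 srcip=198.51.100.10 dstip=203.0.113.5 dstport=443 proto=6 action=accept
date=2024-01-01 time=10:00:03 srcip=192.0.2.7 dstip=203.0.113.5 dstport=53 proto=17 action=deny msg="port unreachable"
date=2024-01-01 time=10:00:03 srcip=192.0.2.7 dstip=203.0.113.5 dstport=53 proto=17 action=deny
"""

# key=value pairs; values may be double-quoted and contain spaces
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log(line):
    """Turn one key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def port_profile(lines, port="53", min_sources=3):
    """Count distinct sources hitting `port` and label the pattern (heuristic)."""
    hits = Counter()
    for rec in map(parse_log, lines):
        if rec.get("dstport") == port and "srcip" in rec:
            hits[rec["srcip"]] += 1
    events = sum(hits.values())
    distinct = len(hits)
    if events == 0:
        pattern = "none"
    elif distinct >= min_sources and distinct / events > 0.5:
        pattern = "distributed"   # many sources, few hits each: DoS policy territory
    else:
        pattern = "concentrated"  # few sources repeating: blocklist or quarantine
    return {
        "events": events,
        "distinct_sources": distinct,
        "top": hits.most_common(3),
        "pattern": pattern,
    }


if __name__ == "__main__":
    print(port_profile(SAMPLE_LOGS.splitlines()))
```

On real data, feed it the traffic log lines for the WAN interface; a "distributed" result with hundreds of one-hit sources is exactly the case where adding each address to a list is a losing game, and the answer is a DoS policy (or not exposing port 53 at all).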
OK, I'll try what you advise. You mentioned IPS rules. I set up WAN-to-DMZ traffic with the IPS "high security" profile, which means "Blocks all Critical/High/Medium and some Low severity vulnerabilities". But that doesn't work in this case (do you personally have WAN-to-DMZ traffic set to this profile? I mean, is this the recommended setting, or rather just for extreme situations, and is it better to work with the default profile?).
So now I know that I should supplement it with a DoS policy. At the moment I have one: from WAN to all, with action monitor. And that's my problem with attacks.
Would it be possible to show a screenshot of what this section looks like for you?
Can you explain further why you need DNS open to the internet? There's likely a better way to do what you are doing.
Either way, you also need to understand that by default some IPS signatures are enabled in IPS high security but are not set to block by default, such as DNS.Pointer.Loop. Please review your signatures and ensure they are acting as you need.