Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jenslovesfortigate
New Contributor

How to block traffic based on hostname or FQDN of bad bots on Fortigate 60D

Hey, I hope someone can help me. I use a Fortigate 60D as my external firewall. I have a Windows 2019 web server running a website on IIS. I am getting lots of robots on my website. I have already blocked other countries by adding a country block. It works perfectly. But now I am dealing with bad bots based in the United States visiting my website. This is an example of a visitor I would like to block:

 

ISP: The Shadow Server Foundation
Usage type: Data Center/Web Hosting/Transit
Hotname: scan-40l.shadowserver.org
Domain: shadowserver.org
 

Country: United States

 

City: Pleasanton, California

 

I believe the way to block this is by

1) Creating an FQDN entry under Policy & Objects > Addresses with shadowserver.org or *.shadowserver.org (wildcard) - or do I need to do both?

2) Then creating an IPv4 Policy to "Deny" incoming traffic to the FQDN address I created.

 

Is that correct? Am I missing something?

 

Also, in some cases the hostname and domain name of some of the bad bots are different. Which of the two do I select as the FQDN. I want to make sure I don't accidentally block good traffic.

 

If anyone could clear things up for me, that would be helpful. I am new to Firewalling but so far I love Fortigate. Seems like the community is pretty robust and willing to help.

 

PS: I have seen videos that teaches how to block common bots and bad actors with threat feeds but I think I need to subscribe to Fortiguard but I am not subscribed to it.

1 REPLY 1
ac1
Contributor

You can definitely use the wildcard as an object, in the * .shadowserver.org format.

If you block the botnet you must enable IPS on your policy with the VIP:

botnet-c-c-ip-blocking 

 

I suggest to you to pay and enable FortiGuard services.