Blocking external IP addresses

Author
Okabe
2016/02/22 21:48:47 (permalink)

Blocking external IP addresses

Dear All,
 
I'm new to FortiGate and new to the forum. Anyway, I have a problem configuring policies to block unwanted access from some external/malicious IP addresses.
Here's what I did.
 
config firewall policy
    edit 4
        set uuid 10be693f-5610-45a9-bebc-c27bd394177f
        set srcintf "any"
        set dstintf "any"
        set srcaddr "group-blacklist"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

I have put the policy at the top of the list. However, when I tried accessing my FW from a blocked IP address, it could still get through and no traffic was recorded in the policy log. Am I missing any steps, or is there any other way? Thank you guys.
 
Fortigate 60D
v5.2.6,build711 (GA)
post edited by Okabe - 2016/02/23 01:56:23
#1
Nils
Re: Blocking external IP addresses 2016/02/23 06:59:16 (permalink)
You need to do the "set action deny".
And try to specify the source and destination interface; that's best practice.
#2
Okabe
Re: Blocking external IP addresses 2016/02/23 18:32:52 (permalink)
I did set the action to deny. In my case, I want to block external IP addresses from accessing my WAN interface. How do I set the source interface and destination interface? Is there an access control list to do that or am I missing anything? Thanks.
#3
Ian Harrison
Re: Blocking external IP addresses 2016/03/01 03:54:20 (permalink)
Hi
I had the same problem on v5.2.6; in the end the fix was not to set the dstaddr to all but to specify each of the VIPs. Once I did that, the external IP address was blocked and I could see the entries in the log.

Hope that helps

Ian
#4
ede_pfau
Re: Blocking external IP addresses 2016/03/01 04:19:56 (permalink)
This is not about VIPs but administrative access to the FGT, right?
You can do 2 different things:
1- only allow certain public IPs to access the FGT (whitelisting) - go to System > Admin > myadmin > Trusted Hosts
2- create a local-in policy which uses a predefined custom address group as the source address(es). Local-in policies are only managed in the CLI.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
#5
CodeTron
Re: Blocking external IP addresses 2017/04/22 02:15:10 (permalink)
What is the best way to block an external IP trying to connect to services like IKE?
I tried to create the following policy with no luck!:
Incoming interface: WAN1
Outgoing interface? (IPSEC_VPN or Internal, or ...?) tried both
Source IP address: set to match the range of IPs that I want to block
Destination address: set to all
Service: all
Schedule: always
Action: Deny
The policy is placed at the very top
 
Also I tried to configure the Local-In policy as follows:

edit 1
    set intf WAN1
    set srcaddr <Group_of_blocked_addresses>
    set dstaddr <All>
    set service <IKE>
    set schedule <Always>

I tried to set the action to deny but it won't accept it!

Any ideas how this is accomplished!! I came from Juniper and denying external IPs was not a project!

Forgot to mention that I limited access to the device by setting the trusted sources to my internal IPs in the admin section to enhance the device security.
 
Thank you
 
post edited by SamH - 2017/04/22 02:18:42
#6
CodeTron
Re: Blocking external IP addresses 2017/05/02 03:00:03 (permalink)
I did try the Local-in policy but it did not allow me to set the action to deny!!!
Any thoughts?
 
Thank you
#7
Sunil Panchal_NSE4
Re: Blocking external IP addresses 2017/05/02 03:31:25 (permalink)
Dear friend,

There is a simple solution to block IPs from accessing the WAN from outside: just go to Policy & Objects and create an address containing your geographical address,
and put it as the source of the policy which accesses your WAN from outside.
It will block the whole world except your region, and if you know the exact public IP address of your device that should access the system, do the same procedure and put it in the source of the WAN policy; only that public IP will be able to access the device.
 
thank you 
with regards
#8
alexis_l
Re: Blocking external IP addresses 2017/05/18 11:29:47 (permalink)
Hi,

Did you find a solution to this problem? I have the same issue; I can't understand what the reason is.
 
Thank you
#9
tanr
Re: Blocking external IP addresses 2017/05/19 13:31:24 (permalink)
@SamH, a local-in policy is the way to go for blocking access to the FGT itself from specific IPs. Are you sure the FGT didn't allow you to set action to deny? Did it give you an error? Remember that the local-in policy action is "deny" by default, so since running a show command won't display any default values, it wouldn't show up. What does "show full" give you for the local-in policy?
 
Also, assuming the issue is these specific IPs trying to access the FGT's WAN ports, do you need to have admin access on the WAN ports? Unless you really need it, your WAN interfaces should have all administrative access turned off. And if you do need it, as ede_pfau suggested, it's best to only allow specific trusted hosts.
#10
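As an added illustration, not code from the thread or from Fortinet: a small Python linter for FortiOS "show" output that encodes the points raised above (use the local-in table for traffic to the FGT itself, deny is the local-in default that "show" does not print, name the interface, and use the blacklist group as source). The sample configs are constructed; the interface name wan1 and the group name group-blacklist follow the thread.

```python
import re

# Constructed sample: the firewall policy from post #1 as 'show' prints it (uuid/log lines trimmed).
POSTED_FIREWALL_POLICY = """
config firewall policy
    edit 4
        set srcintf "any"
        set srcaddr "group-blacklist"
        set dstaddr "all"
    next
end
"""
# Constructed sample of the local-in policy the thread recommends, as 'show' prints it: no
# 'set action' line, since deny is the local-in default and 'show' omits default values.
LOCAL_IN_POLICY = """
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "group-blacklist"
        set dstaddr "all"
    next
end
"""

def parse_fortios(text):
    """Parse FortiOS 'show' output into {table name: {entry id: {key: [values]}}}."""
    tables, table, entry = {}, None, None
    for line in text.splitlines():
        if m := re.match(r"\s*config\s+(.+?)\s*$", line):
            table, entry = tables.setdefault(m.group(1), {}), None
        elif (m := re.match(r"\s*edit\s+(\S+)", line)) and table is not None:
            entry = table.setdefault(m.group(1), {})
        elif (m := re.match(r"\s*set\s+(\S+)\s+(.+)", line)) and entry is not None:
            entry[m.group(1)] = [v.strip('"') for v in m.group(2).split()]
    return tables

def lint_blacklist_config(text):
    """Findings for a config meant to keep a blacklist away from the FortiGate itself."""
    findings = []
    for name, entries in parse_fortios(text).items():
        if name != "firewall local-in-policy":
            findings.append(f"{name}: does not filter traffic to the FortiGate itself; use local-in-policy")
            continue
        for eid, e in entries.items():
            if e.get("action", ["deny"])[0] != "deny":  # no action line means the default, deny
                findings.append(f"local-in {eid}: action is {e['action'][0]}, set action deny")
            if "any" in e.get("intf", ["any"]):  # a missing intf line is treated like 'any'
                findings.append(f"local-in {eid}: name the interface the traffic arrives on, e.g. wan1")
            if "all" in e.get("srcaddr", ["all"]):
                findings.append(f"local-in {eid}: srcaddr is all; use the blacklist address group")
    return findings
```

Running it on the two samples reproduces the thread's conclusion: the posted firewall policy gets one finding (wrong table), the local-in policy gets none even though "show" never printed its deny action.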
alexis_l
Re: Blocking external IP addresses 2017/05/19 23:32:44 (permalink)
Since yesterday, when I applied the local-in policy as suggested, it has worked, and for me at least the device allowed me to set the action to deny without any problems.
 
Thank you
#11
RichSharp
Re: Blocking external IP addresses 2019/04/24 14:04:48 (permalink)
I have the same issue. Can anyone out there help??
#12