Block external IPs from reaching VPN ports

Author
jlax
New Member
  • Total Posts : 3
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/12/19 02:21:31
  • Status: offline
2018/12/19 02:40:29 (permalink)
0

Block external IPs from reaching VPN ports

Hi!
Fortigate 60D with 5.6.7
 
I have had some malicious attempts to connect to VPN/IPsec, and I would like these IP addresses blocked before they reach ports 500 and 4500.
How can I block/deny certain IP addresses? I have tried a Local-In policy, but it does not seem to have an effect when I try myself from an external host. Is the Local-In policy able to block like I want, and is the config correct (see attached photo)?
 
Thanks!
 
Regards
Jlax


#1
ede_pfau
Expert Member
  • Total Posts : 6028
  • Scores: 480
  • Reward points: 0
  • Joined: 2004/03/09 01:20:18
  • Location: Heidelberg, Germany
  • Status: offline
Re: Block external IPs from reaching VPN ports 2018/12/19 04:31:08 (permalink)
0
That's what I do, and it does have an effect:
config firewall local-in-policy
    # policy 1: accept IKE (UDP 500/4500) only from the whitelisted sources
    edit 1
        set intf "wan1"
        set srcaddr "VPN_origin_countries"
        set dstaddr "all"
        set action accept
        set service "IKE"
        set schedule "always"
    next
    # policy 2: deny IKE from everyone else; no "set action" is shown because
    # deny is the default action of a local-in policy
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "IKE"
        set schedule "always"
    next
end
It uses whitelisting, which is easier for me as I don't have to collect bad addresses in the first place. Be sure the deny-all (policy 2) covers one specific service only, or you will lose remote access etc.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
#2
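The following is an added example, not config posted by anyone in this thread: it completes the whitelist above with the address objects it references, and adds the blacklist variant that the original question asks for (a few bad source addresses denied, everyone else left alone, which also suits FortiClient dial-up users whose addresses are not known in advance). The predefined service "IKE" (UDP 500 and 4500) and the group name "VPN_origin_countries" come from the thread; the object names "geo-DE", "vpn-abuser-203.0.113.0_24" and "VPN_blocked_sources", the country code and the 203.0.113.0/24 address (RFC 5737 documentation range) are constructed placeholders.

```fortios
# Added example, not from the thread. Object names other than
# "VPN_origin_countries" and the predefined service "IKE" are assumptions.

# --- Option A: whitelist (the approach above), with the group it references.
config firewall address
    edit "geo-DE"
        set type geography
        set country "DE"
    next
end
config firewall addrgrp
    edit "VPN_origin_countries"
        set member "geo-DE"
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "VPN_origin_countries"
        set dstaddr "all"
        set action accept
        set service "IKE"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "IKE"
        set schedule "always"
    next
end

# --- Option B: blacklist, the form the original question asks for.
# Traffic that matches no local-in policy is accepted, so one deny policy
# for the bad sources is enough; no catch-all policy is needed.
config firewall address
    edit "vpn-abuser-203.0.113.0_24"
        set subnet 203.0.113.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "VPN_blocked_sources"
        set member "vpn-abuser-203.0.113.0_24"
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "VPN_blocked_sources"
        set dstaddr "all"
        set action deny
        set service "IKE"
        set schedule "always"
    next
end
```

Use one option or the other, not both, since each numbers its policies from 1. In either case the policy is restricted to the IKE service only, so management access and other services on wan1 are unaffected. To see the denied attempts in the traffic log rather than just the IKE debug, enable local-in deny logging (config log setting, set local-in-deny-unicast enable); to confirm that the attempts actually reach the interface, diagnose sniffer packet wan1 'udp port 500 or udp port 4500' shows them arriving regardless of what the local-in policy does with them.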
jlax
New Member
  • Total Posts : 3
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/12/19 02:21:31
  • Status: offline
Re: Block external IPs from reaching VPN ports 2018/12/19 05:03:32 (permalink)
0
If I do a whitelist instead, then I have to populate the IPs of all FortiClient users?
Thanks again!
#3
jlax
New Member
  • Total Posts : 3
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/12/19 02:21:31
  • Status: offline
Re: Block external IPs from reaching VPN ports 2018/12/19 06:00:11 (permalink)
0
I have tried your whitelist and it sure works. I might use that :)
 
Thanks!
#4
© 2019 APG vNext Commercial Version 5.5