
Author
philv
2019/04/11 13:22:47 (permalink)

Block external IP addresses

Dear Techies,
I'm new to Fortigate and new to the forum. Anyway, I have a problem configuring policies for blocking unwanted access from some external/malicious IP addresses.
Here's what I did.
==
GBSP-FW1 # sh firewall policy 103
config firewall policy
    edit 103
        set name "WAN to LAN"
        set uuid 76f191b8-5c56-51e9-9c22-4672edcc21a6
        set srcintf "wan1_outside-interface" "wan2_outside-interface"
        set dstintf "port1_inside-interface"
        set srcaddr "GROUP-Block-Countries"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set fsso disable
    next
end
Action is set to "DENY" (through the GUI)
Log Violation Traffic - enabled
Enable this policy - enabled
==
Within the "GROUP-Block-Countries" group:
config firewall address
    edit "BC - China"
        set uuid cd09f5ba-5c54-51e9-a7ac-48d279294f0c
        set type geography
        set color 25
        set country "CN"
    next
    edit "BC - Russia"
        set uuid f5fb6106-5c55-51e9-2946-f2aba7123c50
        set type geography
        set color 25
        set country "RU"
    next
    edit "BC - South Korea"
        set uuid 6a6eb5b4-5c57-51e9-3125-870fd87fe86a
        set type geography
        set color 25
        set country "KR"
    next
    edit "BC - Ecuador"
        set uuid 9d6540b4-5c61-51e9-0b4a-1148a4f24cdb
        set type geography
        set color 25
        set country "EC"
    next
    edit "BC - United Kingdom - 81.94.192.0/20"
        set uuid 366a8746-5c63-51e9-72f7-2d7cee735d2f
        set color 25
        set subnet 81.94.192.0 255.255.240.0
    next
    edit "BC - United States - 70.224.0.0/17"
        set uuid f47650fc-5c64-51e9-5bec-3ce96a95b35c
        set color 25
        set subnet 70.224.0.0 255.255.128.0
    next
    edit "BC - United States - 137.139.0.0/16"
        set uuid b4eb494e-5c67-51e9-42ac-36d9851b84e2
        set color 25
        set subnet 137.139.0.0 255.255.0.0
    next
    edit "BC - United States - 21.0.0.0/8"
        set uuid b4f7fd92-5c67-51e9-94eb-798bb2186b0d
        set color 25
        set subnet 21.0.0.0 255.0.0.0
    next
end
==
 
I have put the policy at the very top of the list. However, when I try accessing FortiGate from a blocked IP address (from home), I can still ping and get through, and no traffic was recorded to the policy log.
Am I missing any steps or is there any other way? 
Any help would be appreciated.
Thank you guys.
 
Fortigate 100E
v6.0.3 build0200 (GA)
 
#1

12 Replies

    andre.amaro
    Re: Block external IP addresses 2019/04/11 13:41:11 (permalink)
    Hello philv,
     
    I do not understand exactly what you want to do. Do you want to block a specific IP that accesses your environment or prevent access to firewall management over the internet?
    #2
    philv
    Re: Block external IP addresses 2019/04/11 13:50:50 (permalink)
    I'm simply trying to block China, Russia, external IPs, etc. from pinging, accessing our website, accessing any ports, or getting through our firewall.
     
    Thanks for the quick reply...
    #3
    seadave
    Re: Block external IP addresses 2019/04/11 19:57:19 (permalink)
    We create an Address Group called Block_Countries_In (we also have one for outbound).
    We add GEO Addresses to that Group.  It is always good to keep your groups of the same type.  Don't mix FQDNs, GEOs, etc.  I think that might be your issue.  Create two unique groups, maybe even two policies.  One for GEO and one for Subnets.  Make them your first policies or near the top of your rule set.
    Here is our show full policy (we are on 6.0.3) for our GEO block rule:
     
     
    config firewall policy
        edit 27
            set name "In WAN1 - Deny GEO"
            set uuid d0b57172-a271-51e4-867d-3eaf7fdb3219
            set srcintf "port9" <----- This is WAN
            set dstintf "port1"  <------This is LAN
            set srcaddr "Block_Countries_In"
            set dstaddr "all"
            set internet-service disable
            set rtp-nat disable
            set learning-mode disable
            set action deny
            set status enable
            set schedule "always"
            set schedule-timeout disable
            set service "ALL"
            set dscp-match disable
            set logtraffic all
            set logtraffic-start disable
            set np-acceleration enable
            set session-ttl 0
            set vlan-cos-fwd 255
            set vlan-cos-rev 255
            set wccp disable
            set natip 0.0.0.0 0.0.0.0
            set diffserv-forward disable
            set diffserv-reverse disable
            set tcp-mss-sender 0
            set tcp-mss-receiver 0
            set comments ''
            set block-notification disable
            set replacemsg-override-group ''
            set srcaddr-negate disable
            set dstaddr-negate disable
            set service-negate disable
            set captive-portal-exempt disable
            set ssl-mirror disable
            set scan-botnet-connections disable
            set dsri disable
            set radius-mac-auth-bypass disable
            set delay-tcp-npu-session disable
            set send-deny-packet disable
            set match-vip enable
        next
    end
     
    We do the opposite for traffic outbound to hostile nations.  You need both to be secure.  Of course IPs can be spoofed, but like you said, this cuts out a lot of the chaff and scan bots that are always knocking.
    #4
    TecnetRuss
    Re: Block external IP addresses 2019/04/11 21:17:51 (permalink)
    The reason it isn't working, and this is not intuitive, is that for NAT WAN to LAN policies the destination has to be a VIP even for Deny rules (destination = any won't work) unless you use the "set match-vip enable" setting as shown in SeaDave's config.
     
    So, you can either change your Destination from "any" to the VIPs you want to block from receiving this traffic, or you can add "set match-vip enable" to your policy.
     
    Russ
    #5
    sw2090
    Re: Block external IP addresses 2019/04/12 01:47:05 (permalink)
    In addition to Russ:
     
    Also keep an eye on the order of your WAN to LAN policies, because policies are checked in this order and the first one that matches the packet wins, meaning any policy coming behind that policy will not be hit!
    #6
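    Putting Russ's and sw2090's points together, here is what philv's policy 103 looks like with the deny action and match-vip made explicit, logging kept on, and the policy moved to the top of the table. This is an added example, not configuration posted by anyone in this thread: the interface and address names are the ones from the first post, and the "1" in the move command is an assumption standing in for whichever policy ID currently sits first in your own rule set.

    ```fortios
    config firewall policy
        edit 103
            set name "WAN to LAN"
            set srcintf "wan1_outside-interface" "wan2_outside-interface"
            set dstintf "port1_inside-interface"
            set srcaddr "GROUP-Block-Countries"
            set dstaddr "all"
            set action deny
            set status enable
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set match-vip enable
            set comments "Deny inbound from blocked sources; match-vip so traffic destined to VIPs is denied as well"
        next
        move 103 before 1
    end
    ```

    Without "set match-vip enable", a deny policy whose destination is "all" never sees inbound connections that resolve to a VIP, which is why nothing showed up in the policy log; Russ's other option is to list the VIP objects themselves as the destination instead of "all". Keep seadave's advice in mind as well: use one group per address type (geography, subnet, IP range) and one policy per group, all placed ahead of any accept policy, because the first match wins.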
    ede_pfau
    Re: Block external IP addresses 2019/04/12 04:30:09 (permalink)
    and lastly:
    to protect the FGT itself, create Local-In policies with these address groups. Will control access to all open service ports like HTTPS, SSH, SSLVPN, IPsec.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #7
    philv
    Re: Block external IP addresses 2019/04/12 05:29:18 (permalink)
    Thanks, I'll try this... I'll let you know how it goes.
    #8
    philv
    Re: Block external IP addresses 2019/04/12 08:24:06 (permalink)
    YESSSS! IT WORKED!!!
     
    I didn't want chosen countries accessing my network... And your solution worked, thanks seadave.
    This was what I was looking for.
     
    I created separate unique address groups as you mentioned.
    Block_Countries_In
    Block_IPRange_In
    Block_Subnets_In
    ==
    And created separate unique firewall policies, and moved to the top, top of my rule set....
    "In WAN1 - Deny GEO"
    "In WAN1 - Deny SUBNETS"
    "In WAN1 - Deny IPRange"
     
    I'm beginning to see traffic being recorded to the policy log. See attachment...
     
    It already blocked the following:
    77.40.38.239 (Russia) attempting to use application SMTP
    118.40.248.5 (South Korea) using application RDP
    163.172.89.23 (France) using application HTTP, HTTPS
    60.191.38.77 (China) attempting to use application HTTP, HTTPS
     
    It also worked for "In WAN1 - Deny IPRange". I tried my home IP, and it worked. However, I'm still able to ping the firewall from home. Is there a way to block pinging from specified countries and IPs?
     
    And lastly, ede_pfau mentioned the following:
    "to protect the FGT itself, create Local-In policies with these address groups. Will control access to all open service ports like HTTPS, SSH, SSLVPN, IPsec."
     
    How do I do this? What are the CLI commands?
     
    Thanks
    ==
     

    Attached Image(s)

    #9
    ede_pfau
    Re: Block external IP addresses 2019/04/12 09:26:35 (permalink)
    That is available in the GUI as well, if you make it visible:
    System > Feature Vis. > (right column) Local In policies
     
    Ping to the FGT belongs to the services a FGT offers, so you can block it via Local In policy. As well as IPsec, SSLVPN, CAPWAP, telnet, ssh, HTTPS...

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #10
    philv
    Re: Block external IP addresses 2019/04/12 12:25:32 (permalink)
    I finally see Local In Policy
    I see the following:
    Administrative access
    Authentication
    and more...
     
    However, I don't see where I can edit the local-in policy, as you mentioned.
    Remember, I'm new to Fortinet firewalls. What is the next step? Do I use CLI commands? And if so, can someone display how to use Local In policy to block external IP address using Block_Countries_In address group?
     
    Thanks
    #11
    ede_pfau
    Re: Block external IP addresses 2019/04/14 04:33:28 (permalink)
    config firewall local-in-policy
        edit 3
            set intf "wan1"
            set srcaddr "Kabelnetz"
            set dstaddr "all"
            set service "ALL"
            set schedule "always"
        next
        edit 1
            set intf "wan1"
            set srcaddr "VPN_origin_countries"
            set dstaddr "all"
            set action accept
            set service "IKE"
            set schedule "always"
        next
        edit 2
            set intf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set service "IKE"
            set schedule "always"
        next
    end

    Here is an example of local-in DENY policies.
    1) I deny all connections from "Kabelnetz" which is 37.0.0.0/8.
    2) I allow IPsec traffic from _some_ countries, and
    3) block it from all other countries.
     
    Whitelisting was easier in my case.
    Contrary to regular policies, you cannot negate addresses in local-in policies.
    Use "set comment" to your liking.
     
    You will have to use CLI to define your own local-in policies, and they don't show up in the GUI. (Another feature request...)

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #12
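    Following Ede's reply, here is a local-in policy set built around the address groups philv created in #9, answering the "how do I block ping from these countries and IPs" question. This is an added example, not Ede's or philv's configuration: the first entry drops every service the FortiGate itself answers on wan1 (ping, HTTPS, SSH, IKE and so on) from the geography group, and the second drops only ping from the IP-range group. "PING" is assumed to be the built-in service object of that name; local-in policies are evaluated first-match like regular policies, so the deny entries are numbered ahead of any accept entry such as Ede's IKE whitelist.

    ```fortios
    config firewall local-in-policy
        edit 1
            set intf "wan1"
            set srcaddr "Block_Countries_In"
            set dstaddr "all"
            set action deny
            set service "ALL"
            set schedule "always"
        next
        edit 2
            set intf "wan1"
            set srcaddr "Block_IPRange_In"
            set dstaddr "all"
            set action deny
            set service "PING"
            set schedule "always"
        next
    end
    ```

    Deny is the default action for a local-in entry, so "sh firewall local-in-policy" prints these entries without the action line, exactly as in Ede's output. Local-in policies only govern traffic addressed to the FortiGate's own interfaces; traffic passing through to hosts behind it is still decided by the regular WAN-to-LAN policies, so both sets are needed.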
    philv
    Re: Block external IP addresses 2019/04/15 06:31:14 (permalink)
    I've entered the following:
    FORTINET1 # sh firewall local-in-policy    
    config firewall local-in-policy
        edit 1
            set intf "wan1"
            set srcaddr "VPN_Allow_Countries"
            set dstaddr "all"
            set action accept
            set service "IKE"
            set schedule "always"
        next
        edit 2
            set intf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set service "IKE"
            set schedule "always"
        next
        edit 3
            set intf "wan1"
            set srcaddr "Block_Countries_In"
            set dstaddr "all"
            set service "ALL"
            set schedule "always"
        next
    end

    FORTINET1 #
    FORTINET1 #
    It seems to be working so far.
     
    Is there a way to view this in the "Log & Reports"?
     
    Thanks
     
     
     
    #13