Question about deny policies and sessions

Author: Frogginbullfish
2020/09/24 00:17:25

Hi, I am working with a bunch of FortiGates that only have outgoing policies from LAN to WAN. I was thinking about using IP list threat feeds for an extra layer of security. I thought I would insert a policy at the top, but would I put the IP block list as src IP or dest IP? Is there a point in creating a src block policy from the internet when there are no policies that accept traffic from the internet (i.e. I have no servers/VIPs)? For example, if a user created a session with a malicious IP, that wouldn't be checked by any WAN->LAN policies on the way back, right? Thus I would need to create policies with the IP block lists as dest?

This might be a dumb question, but I just want to be sure :) 

3 Replies

    Markus
    Re: Question about deny policies and sessions 2020/09/24 02:37:45
    Hi, and welcome to the forums.
    As long as you don't have VIPs or WAN-LAN policies, it makes no sense to create a WAN-LAN block policy.
    If you want to protect access FROM these IPs to the FortiGate itself, you have to deal with local-in policies.
    If you want to protect your clients and deny access to these IPs, you create a deny policy at the top of LAN to WAN. Source is any (or your client subnet) and destination is your IP block list, as you guessed.
    Frogginbullfish
    Re: Question about deny policies and sessions 2020/09/25 00:01:00
    Thanks very much for confirming - I just had to be sure. I am still fairly new to this game as you might have guessed! I didn't know about the local-in policies either, so thanks for mentioning those. The more you know.
    Markus
    Re: Question about deny policies and sessions 2020/09/25 01:38:36
    No prob, glad to help. For local-in you have to enable the feature in System -> Feature Visibility to see it in the GUI.
    But creating and managing local-in policies is only possible in the CLI.
    Another thing: if your blocking policy doesn't work, you may have to enable "set match-vip enable" in the CLI.
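As an added example (not from the original posts and not Fortinet's own documentation), this is what the setup Markus describes looks like in the FortiOS CLI: the IP block list pulled in as an address threat feed, a deny policy inserted at the top of the LAN-to-WAN rule base with the feed as destination (so outbound sessions to listed IPs are dropped before any allow rule, and the reply traffic never exists), and a local-in policy denying the same addresses access to the FortiGate itself. The interface names (internal, wan1), the feed URL, the object names, the policy IDs, the "move before 1" target and the sample subnet are all assumptions; the exact options available vary by FortiOS version, so check the syntax against your firmware before pasting.

```fortios
# Added example, not from the original thread. Interface names, feed URL,
# object names, policy IDs and the sample subnet are assumptions.

# 0. CLI equivalent of System -> Feature Visibility -> Local In Policy,
#    so local-in policies become visible in the GUI (management stays CLI).
config system settings
    set gui-local-in-policy enable
end

# 1. Pull the IP block list as an address threat feed: one IPv4 address or
#    CIDR per line at the assumed URL, refreshed every 5 minutes.
config system external-resource
    edit "blocklist-ips"
        set type address
        set resource "https://threatfeed.example.com/blocklist.txt"
        set refresh-rate 5
    next
end

# 2. Deny policy from LAN to WAN with the feed as DESTINATION (the direction
#    the thread settles on). Policies are evaluated top-down by position, not
#    by ID, so the new entry is moved above the existing first policy, which
#    is assumed here to have ID 1. Logging is enabled so hits are visible.
config firewall policy
    edit 100
        set name "deny-threatfeed-out"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "blocklist-ips"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    move 100 before 1
end

# 3. Protect the FortiGate itself (management, VPN, etc.) on the WAN side with
#    a local-in policy. Whether an external-resource feed can be referenced
#    directly here depends on the FortiOS version, so a static address object
#    with a constructed TEST-NET-3 range is used as the safe fallback.
config firewall address
    edit "blocklist-static"
        set type ipmask
        set subnet 203.0.113.0 255.255.255.0
    next
end

config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "blocklist-static"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
    next
end
```

After applying it, confirm the position with "show firewall policy" (the deny entry must be listed before any accept rule) and that the feed actually loaded, since an address feed that fails to download resolves to an empty set and the deny policy then matches nothing.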