Re: Question about deny policies and sessions
Hi, and welcome to the forums.
As long as you don't have VIPs or WAN-LAN policies, it makes no sense to create a WAN-LAN block policy.
If you want to protect the access FROM these IPs to the FortiGate itself, you have to deal with local-in policies.
If you want to protect your clients and deny access to these IPs, you create a deny policy at the top of LAN to WAN. Source is any (or your client subnet) and destination is your IP block list, as you guessed correctly.
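
The two cases from the reply above as FortiOS CLI configuration. This is an added example, not part of the original post. The interface names (`wan1`, `lan`), object names, policy IDs and the documentation-range subnet are assumptions to be replaced with your own values.

```fortios
# Constructed example: every name, ID and subnet below is a placeholder.
config firewall address
    edit "blocklist-net-1"
        set subnet 203.0.113.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "ip-blocklist"
        set member "blocklist-net-1"
    next
end

# Case 1: traffic FROM the listed IPs destined TO the FortiGate itself.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "ip-blocklist"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action deny
    next
end

# Case 2: clients trying to reach the listed IPs (lan -> wan deny rule).
config firewall policy
    edit 100
        set name "deny-to-blocklist"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "ip-blocklist"
        set schedule "always"
        set service "ALL"
        set action deny
        set logtraffic all
    next
    # Assumes policy ID 1 is currently the first lan -> wan rule;
    # the deny rule must sit above any allow rule to take effect.
    move 100 before 1
end
```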