Question on BANIP and possible workaround
I have a FG500E. In a very short time I see about 200,000 blocked (deny policy connections) and 30,000 failed connections.
I created Dos Policies and used the cli to add a 1 year ban to any IP attempting Anomaly attacks. This works great. Secondly too my protect_http_server I changed many signatures to Ban IP. This works great too. When I go Fortiview Sources I can only see a list of my own local IPs and I don't want to ban them. As a result I have no way to Ban blatant attackers.
I can easily see IPs checking every last IP on every port etc. but do not know how to put an end to them. My normal sessions can easily grow from 2500 to 8000 with these jokers. I see on the menu IP4 Access Control List . I just want to understand if I understand how it works. If I watch my Forticloud Logs and see IPs I want stopped - can I make an address Hackerx IP# Wan1 and then add all the Hackers to a group and then setup an IP access list select Wan1 , the source address to the hacker Group and then all all to destination and service - will this effectively ban ever IP in the hacker Group ?
This is a fair bit of effort but I would sooner ferret these guys out before they find some vulnerability. If I understand the access Control List incorrectly then is there any other method to lock out known blatant attackers? I do already use Countries in policies and this also helps a lot. I usually start wan1 to any interface with a policy deny all to China and Russia the two worst perpetrators. I tend to have to allow USA and Canada but the US also has a lot of hack attempts.