Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Scott_Cuff
New Contributor

Question on BANIP and possible workaround

Hi:

I have a FG500E. In a very short time I see about 200,000 blocked connections (deny policy) and 30,000 failed connections.

I created DoS policies and used the CLI to add a 1-year ban to any IP attempting anomaly attacks. This works great. Secondly, in my protect_http_server profile I changed many signatures to Ban IP. This works great too. When I go to FortiView Sources I can only see a list of my own local IPs, and I don't want to ban them. As a result I have no way to ban blatant attackers.

I can easily see IPs checking every last IP on every port, etc., but do not know how to put an end to them. My normal sessions can easily grow from 2500 to 8000 with these jokers. I see on the menu IPv4 Access Control List. I just want to check that I understand how it works. If I watch my FortiCloud logs and see IPs I want stopped, can I make an address Hackerx (IP#, Wan1), add all the hackers to a group, and then set up an IP access list selecting Wan1, the source address set to the hacker group, and destination and service set to all? Will this effectively ban every IP in the hacker group?

This is a fair bit of effort, but I would sooner ferret these guys out before they find some vulnerability. If I understand the Access Control List incorrectly, then is there any other method to lock out known blatant attackers? I do already use countries in policies and this also helps a lot. I usually start with a wan1-to-any-interface policy that denies all traffic from China and Russia, the two worst perpetrators. I tend to have to allow the USA and Canada, but the US also has a lot of hack attempts.

Thanks,

Scott

Scott_Cuff
New Contributor

Thought I would answer this myself. I went ahead and studied my FortiCloud logs; the main threat is from blocked connection attempts (160,000 logged in 1 hour).

To block with an IPv4 Access Control List:

I made 32 addresses from the top culprits. Each address is Wan1 and the IP (I use the entire class C, x.x.x.0/24). I added all of these to a group. I made an IPv4 Access Control List, selected Wan1, my group of 32 hackers as the source, and then all/all with deny. After a couple of days I have 11,000,000 packets dropped. My sessions are way down as well. This was a bit of effort. Even though I had to go to the CLI, I have made any anomaly breached become an automatic 1-year ban, and for any IPS attacks I see, I go in, add that attack signature to my profile and change it from Block to Quarantine. I have blocked and quarantined 75 DoS attacks and 600 IPS breached signature attacks in a few days.

I still do not understand why Fortinet does not make a simple interface to Ban any IP I want?
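The procedure described in the question and in the reply above (address objects bound to wan1, an address group, an IPv4 Access Control List that denies the group, plus the DoS-policy and IPS quarantine set from the CLI), written out as FortiOS CLI. This is an added example, not the poster's configuration or Fortinet documentation: the object names, the two source ranges (203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation addresses standing in for real attackers), the anomaly threshold and the 364d23h59m quarantine expiry are assumptions, and the `#` lines are annotations to strip before pasting. The quarantine-expiry format is ###d##h##m; the ceiling differs by firmware, so confirm the maximum your build accepts in its CLI reference before relying on a "1-year" ban.

```fortios
# 1. One address object per attacking /24, bound to wan1 so it can only
#    be used where that traffic arrives (assumed names and ranges).
config firewall address
    edit "Hacker1"
        set subnet 203.0.113.0 255.255.255.0
        set associated-interface "wan1"
    next
    edit "Hacker2"
        set subnet 198.51.100.0 255.255.255.0
        set associated-interface "wan1"
    next
end

# 2. Group the addresses so the ACL references a single object; new
#    attackers are added here, not to the ACL.
config firewall addrgrp
    edit "Hacker-Group"
        set member "Hacker1" "Hacker2"
    next
end

# 3. IPv4 Access Control List: drop everything from the group that
#    arrives on wan1. Matching packets are dropped before a session is
#    created, which is why the session count falls; each entry keeps a
#    drop counter you can read back from the ACL page.
config firewall acl
    edit 1
        set status enable
        set interface "wan1"
        set srcaddr "Hacker-Group"
        set dstaddr "all"
        set service "ALL"
    next
end

# 4. DoS policy on wan1: block the anomaly and quarantine the attacker.
#    "attacker" quarantines the source IP; the expiry value is an
#    assumption, check the maximum your firmware accepts.
config firewall DoS-policy
    edit 1
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            edit "tcp_port_scan"
                set status enable
                set log enable
                set action block
                set quarantine attacker
                set quarantine-expiry 364d23h59m
                set quarantine-log enable
                set threshold 1000
            next
        end
    next
end

# 5. IPS sensor: quarantine the source on high/critical signature hits
#    instead of only blocking the single connection. The sensor name
#    matches the profile the post mentions; the severity filter is an
#    assumption in place of the individual signature IDs the poster chose.
config ips sensor
    edit "protect_http_server"
        config entries
            edit 1
                set severity high critical
                set status enable
                set log enable
                set action block
                set quarantine attacker
                set quarantine-expiry 364d23h59m
                set quarantine-log enable
            next
        end
    next
end
```

The ACL and the quarantine lists are separate mechanisms: the ACL is a static deny you maintain by hand through the address group, while DoS and IPS quarantine entries are created automatically and expire on their own. To confirm that the automatic bans are actually being applied, list the current quarantine table with `diagnose user quarantine list` and check that the sources you saw in the FortiCloud logs appear there with the expected expiry.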
