FortiGate
mattchow_FTNT
Article Id 191338
Description
This article describes how to use an access control list (ACL) to stop the FortiGate from generating repeated VPN logs for IPsec connection attempts from IP addresses you have blocked.

Solution
The partial ingress packet flow is shown in the figure below:

[Figure: partial ingress packet flow (image not reproduced)]
The access control list drops the packet before it reaches the IPsec VPN decryption process, so no repeated VPN logs are generated for IP addresses blocked by the ACL.

Sample configuration:

To block IPsec VPN traffic from a particular IP address arriving on the WAN interface, from the CLI:

# config firewall acl
    edit 1
        set interface "WAN"
        set srcaddr "block_ip"
        set dstaddr "wan_interface_ip"
        set service "udp_500_4500"
    next
end

*block_ip              <----- IP addresses trying to establish the IPsec tunnel from outside.
*wan_interface_ip      <----- IPsec listening interface IP.
*udp_500_4500          <----- IPsec service ports UDP 500 and UDP 4500.
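The ACL above references three objects that must already exist. As an added example that is not part of the original article, the following CLI defines them before the ACL; the two IP addresses are constructed samples, and the lines beginning with "#" are explanatory comments to drop before pasting.

```text
# Address object for the remote peer whose IKE attempts should be silently dropped
config firewall address
    edit "block_ip"
        set subnet 203.0.113.45 255.255.255.255
    next
end
# Address object for the FortiGate's own WAN (IPsec listening) interface IP
config firewall address
    edit "wan_interface_ip"
        set subnet 198.51.100.10 255.255.255.255
    next
end
# Custom service covering IKE (UDP 500) and NAT-T (UDP 4500)
config firewall service custom
    edit "udp_500_4500"
        set udp-portrange 500 4500
    next
end
# The ACL from the article, now resolvable; it is evaluated on ingress of "WAN"
# before IPsec decryption, so no VPN log entries are produced for this peer
config firewall acl
    edit 1
        set interface "WAN"
        set srcaddr "block_ip"
        set dstaddr "wan_interface_ip"
        set service "udp_500_4500"
    next
end
```

Because the drop happens before the IPsec engine sees the packet, you lose the per-attempt VPN log for that peer; keep a separate record (for example, a note in the address object's comment field) of why the source was blocked so the silence is not mistaken for a healthy peer.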

Important Notice:

ACL is supported on the following FortiGate models:
- 100D, 100E, 100EF, 101E
- 140D, 140D-POE, 140E, 140E-POE
- 1200D, 1500D, 1500DT
- 3000D, 3100D, 3200D, 3700D, 3800D, 3810D, 3815D
- All 300E and larger E-series models
- All 100F and larger F-series models

References:

Access Control Lists (ACLs).
