FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
gakshay
Staff
Article Id 192101

Description

This article describes the procedure for blocking suspicious application traffic destined for an internal web server.

 

Scope

FortiGate.

Solution

This applies when a VIP has been created for accessing the internal server.

To block Proxy, third-party VPN application, Phishing and Malicious traffic from reaching the firewall, map the corresponding ISDB (Internet Service Database) entries as the source of the IPv4 policy so that traffic matching these categories is denied.

Refer to the policy configuration below:

From CLI:


config firewall policy
    edit 1
        set status enable
        set name "in-bound_malicious"
        set uuid 98f63964-a135-51eb-9181-811ac88df443
        set srcintf "virtual-wan-link"      <----- WAN/SD-WAN interface.
        set dstintf "port2"      <----- LAN interface.
        set dstaddr "botnet"     <----- VIP object configured for the internal server.
        set internet-service disable
        set internet-service-src enable
        set internet-service-src-name "Botnet-C&C.Server" "Phishing-Phishing.Server" "Proxy-Proxy.Server" "Spam-Spamming.Server" "Tor-Relay.Node" "Tor-Exit.Node" "Malicious-Malicious.Server"
        unset reputation-minimum
        set rtp-nat disable
        set action deny
        set schedule "always"
        set schedule-timeout disable
        set service "HTTP" "HTTPS"
        set tos-mask 0x00
        set anti-replay enable
        set logtraffic disable
        set logtraffic-start disable
        set session-ttl 0
        set vlan-cos-fwd 255
        set vlan-cos-rev 255
        set wccp disable
        set natip 0.0.0.0 0.0.0.0
        set tcp-mss-sender 0
        set tcp-mss-receiver 0
        set comments ''
        set block-notification disable
        set replacemsg-override-group ''
        set dstaddr-negate disable
        set service-negate disable
        set internet-service-src-negate disable
        set captive-portal-exempt disable
        set dsri disable
        set radius-mac-auth-bypass disable
        set delay-tcp-npu-session disable
        unset vlan-filter
        set send-deny-packet disable
        set match-vip disable
    next
end

From GUI:

Path: Policy & Objects -> Firewall Policy, select 'Create New' and configure the same policy as above.

Note:
If the suspicious IP address is part of the ISDB, it can be blocked with this policy.
Check whether it is by executing:

diag internet-service match root <ip address> <subnet mask>
config firewall internet-service <internet service id>
get

For example:
The suspicious IP 103.28.121.58 is part of the ISDB, so it would be blocked by the policy above:

diag internet-service match root 103.28.121.58 255.255.255.255

Internet Service: 3014850 (Proxy-Proxy.Server), matched in: 2

# config firewall internet-service 3014850
# get

id : 3014850
name : Proxy-Proxy.Server
reputation : 2
icon-id : 594
sld-id : 1
direction : both
database : irdb
ip-range-number : 20622
extra-ip-range-number: 0
ip-number : 22289
singularity : 85
obsolete : 0
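As an added example (not part of the original article or any Fortinet tool), the following Python parses the output of `diag internet-service match` shown above and checks whether the matched ISDB entry is one of the entries the deny policy lists under `internet-service-src-name`. The `policy_verdict` helper, the second and third sample outputs, and the assumption that an output with no match line means the IP is not in the ISDB are all constructed for this illustration.

```python
import re
from typing import Dict, List

# ISDB entries that the article's deny policy "in-bound_malicious" lists
# under internet-service-src-name (copied from the CLI config above).
BLOCKED_ISDB_SERVICES = {
    "Botnet-C&C.Server", "Phishing-Phishing.Server", "Proxy-Proxy.Server",
    "Spam-Spamming.Server", "Tor-Relay.Node", "Tor-Exit.Node",
    "Malicious-Malicious.Server",
}

# One match line of 'diag internet-service match root <ip> <mask>' output, e.g.
#   Internet Service: 3014850 (Proxy-Proxy.Server), matched in: 2
MATCH_LINE = re.compile(
    r"Internet Service:\s*(?P<id>\d+)\s*\((?P<name>[^)]+)\),\s*matched in:\s*(?P<n>\d+)"
)


def parse_isdb_matches(output: str) -> List[Dict[str, object]]:
    """Return every ISDB entry the diagnose output reports for the queried IP."""
    matches = []
    for line in output.splitlines():
        m = MATCH_LINE.search(line)
        if m:
            matches.append({"id": int(m.group("id")), "name": m.group("name"),
                            "matched_in": int(m.group("n"))})
    return matches


def policy_verdict(output: str, blocked=BLOCKED_ISDB_SERVICES) -> Dict[str, object]:
    """Would the deny policy match this source IP? Only if one of its ISDB
    entries is in the policy's internet-service-src-name list. Assumption:
    no match line at all means the IP is not in the ISDB."""
    matches = parse_isdb_matches(output)
    hits = [m["name"] for m in matches if m["name"] in blocked]
    return {
        "in_isdb": bool(matches),
        "denied": bool(hits),
        "matched_services": [m["name"] for m in matches],
        "deny_reason": hits,
    }


# Sample outputs: the first is the article's own example for 103.28.121.58;
# the other two are constructed for this illustration.
PROXY_OUTPUT = "Internet Service: 3014850 (Proxy-Proxy.Server), matched in: 2\n"
OTHER_OUTPUT = "Internet Service: 9999999 (Example-Unrelated.Service), matched in: 1\n"
NO_MATCH_OUTPUT = ""

if __name__ == "__main__":
    for out in (PROXY_OUTPUT, OTHER_OUTPUT, NO_MATCH_OUTPUT):
        print(policy_verdict(out))
```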