IP ban
The FortiGate IP ban feature is a powerful tool for network security. It allows the system to block traffic originating from specific IP addresses that are deemed potentially harmful by the system administrator.
When an IP address is banned, any active connections originating from the banned IP address are immediately terminated. Any subsequent connection attempts are rejected by the Kernel’s packet filter, further fortifying the network’s security.
Checks for IP bans are carried out only if there is a corresponding firewall policy with an ACCEPT action. If a match is found, the action is then altered to DENY. In scenarios where there is no matching policy, the connection is refused due to the implicit deny rule that is in effect. |
Several methods can be used to ban IP addresses:
-
FortiView Source: This method allows you to ban an IP address directly from the FortiView Sources monitor. See To ban an IP address for more information.
-
IP ban: Administrators can configure an automation stitch with the IP Ban action, using a trigger such as a Compromised Host or an Incoming Webhook. When the automation is triggered, the client PC is quarantined. See Actions and Incoming Webhook Quarantine stitch for more information. The Automation Stitch feature can also be used to configure IP bans from other fabric devices.
-
Command line interface (CLI): For those who prefer using command line, IP ban can be added with the CLI. See IP ban using the CLI for more information.
-
Security profiles: Most security profiles include a mechanism to ban a source IP address. See IP ban using security profiles for more information.
-
DoS policy: A Denial of Service (DoS) policy can be used to block any further traffic from a source IP address that is considered a malicious actor. See DoS policy for more information.
Additionally, administrators can control whether the banned IP list remains intact through a power cycle. See Configuring the persistency for a banned IP list for more information.