Technical Tip: How to block specific external (public) IP address via IPv4 policy

Description

This article explains how to block some of the specific public IP address to enter the internal network of the FortiGate to protect the internal network.

Solution

Step1: Create an address object

Go to Policy & Objects -> Addresses
Click on ‘create new’ and ‘Address’

Category: Address
Name: Provide any name
Type: Subnet
Subnet / IP Range :   x.x.x.x/32   where x.x.x.x is the  specific public IP it is required to block
                                  x.x.x.x/24   where x.x.x.x is the subnet it is required to block and /24 is the subnet

Interface: Any
Click on ‘OK’ to apply the changes Step2: Create IPv4 Policy

Go to Policy & Objects -> IPv4 policy
Click on ‘create new ‘
Name: Provide any name
Incoming interface: WAN interface
Outgoing interface: LAN interface
Source: Select the address object, created above.
Destination: set it to “all”
Schedule: Always
Services: All
Action: Deny
NAT: Enable
Security Profiles:
Enable IPS
 Click on ‘OK’ and place this policy to the top of the IPv4 policy list (by drag and drop) from the ID column.