Possible to block VPN provider IPs?

Thanks. What would be the src and dst interface for the firewall policy?
I am using a VLAN interface for my public IP.

If you’re looking to just block, both rules’ interfaces would be set to any/any and set to deny. But you could have, like, inside and outside if you only have a couple of zones. There are some ISDB entries that can only be src or dst, though. So you have one deny policy where the ISDB entries are src, and another where they are the dst. Here is an ISDB example using Netflix, blocking outbound.

I already have inside to outside ISDB rule set to deny to all the bad sites etc. I already have ISDB set to deny from outside to DMZ.
The only ambiguity is the right rule for SSL VPN.
If it's like this:
Src= Any Dst=WAN interface and ISDB deny.

Yeah, looks like that is not possible. We should get people to do a feature request for that, as it would increase SSL VPN security.

I found this about using a VIP with a loopback which will work, however there will be a drastic performance hit as loopback doesn’t support some of the hardware offload capabilities. HTH clarify

https://www.reddit.com/r/fortinet/comments/10g4akb/block_sslvpn_access_using_isdb_as_source_in_vpn/

For your DMZ rule, make sure you have match VIP checked in the rule, otherwise it won’t protect your DMZ virtual IPs.

Yes, that was my point as well. Also, they only allow blocking one IP under the SSL settings, which is bad. At least they should have allowed a group object so that we can block more than one IP.
Yes, having this feature will help a lot, especially when outside threats are increasing.

That’s why I mentioned using geo IP. Even if it’s 20 countries, you can just allow those and leave out the countries that originate a lot of spam, if possible. It will help cut down the noise, especially if you only have your home country allowed.

Agreed, but I can see abusive IPs from US locations as well, and from some European countries too, so geo-blocking the US and European countries will block access for legitimate users as well.

Yeah, but there’s a lot of noise you can filter out if you only allow the EU and US, for example. Good luck.