Greetings,
I've just moved over to an MX250 as our core firewall. I'm looking to see if there is a better way to block incoming IP addresses aside from individual L7 rules denying IP/32? I get a lot of attempts against our Exchange Server, as it is public facing. I'd like to take the daily list of IPs and enter them all together, versus separate line items. With my SonicWALL, I simply created a group called Risk Address and added IPs to it. Since incoming from Risk Address was blocked, any added to that group was automatically blocked. Within Threat Protection, I do have Intrusion Detection at Detection and Balanced, as I wanted to get a feel for how it was working. I did see one topic in the community, but it appeared that the answer actually was blocking outgoing to the IPs, not incoming.
Any assistance would be greatly appreciated.
Thank you,
Jeremy
You can actually specify a list of IP addresses and ranges in the remote IPs field of port forwarding and 1-to-1 NAT.
More info here:
Apart from that I think the L7 and L3 firewall are for outgoing connections, but I read conflicting info so I'd have to test to be sure. Perhaps someone will comment on that point.
I tend to use Content Filtering for doing the automated blocking. You could use categories like:
Bot Nets
Malware Sites
Confirmed SPAM Sources
These are dynamically updating lists.
Better yet .... move to Office 365 and get rid of the problem altogether. 🙂
@PhilipDAth wrote:
I tend to use Content Filtering for doing the automated blocking. You could use categories like:
Bot Nets
Malware Sites
Confirmed SPAM Sources
These are dynamically updating lists.
Better yet .... move to Office 365 and get rid of the problem altogether. 🙂
@PhilipDAth does that apply to incoming connections over port forwarding/1-to-1 NAT too? I was wondering about that.
Now that you say that - I'm not 100% sure.
I have a customer that only has servers behind an MX in a DC. The servers seldom make outbound connections. I am mostly using 1:1 NAT.
Their security centre shows a heap of activity.
Specifically, these are mostly web servers. They just listen for inbound http/https connections.
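The original question asks how to enter a day's offending IPs together rather than as one /32 per line. As an added example (not from any poster in this thread and not Meraki tooling), this Python function pulls IPv4 addresses out of log text, refuses anything overlapping ranges you must never block, and merges adjacent addresses into the fewest CIDR blocks. The log lines, the comma-separated output format, and the names `build_block_entry` and `never_block` are assumptions.

```python
import ipaddress
import re

# Loose IPv4 candidate matcher; ipaddress does the strict validation afterwards.
_CANDIDATE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?\b")

# Assumed default: internal and loopback ranges that must never land in a block list.
DEFAULT_NEVER_BLOCK = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")

# Constructed sample input (documentation address ranges, not real attackers).
SAMPLE_LOG = """\
Failed SMTP auth from 203.0.113.4
Failed SMTP auth from 203.0.113.5
Failed SMTP auth from 203.0.113.6
Failed SMTP auth from 203.0.113.7
Failed SMTP auth from 203.0.113.5
OWA probe from 198.51.100.23
Relay test from 192.168.1.10
Malformed source 300.1.1.1
"""


def build_block_entry(raw_text, never_block=DEFAULT_NEVER_BLOCK):
    """Return (entry, skipped): one comma-separated CIDR string and the rejected tokens."""
    protected = [ipaddress.ip_network(n) for n in never_block]
    nets, skipped = [], []
    for token in _CANDIDATE.findall(raw_text):
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            skipped.append(token)  # not a valid address or prefix length
            continue
        if any(net.overlaps(p) for p in protected):
            skipped.append(token)  # would block a protected range
            continue
        nets.append(net)
    # collapse_addresses removes duplicates and merges adjacent networks.
    merged = ipaddress.collapse_addresses(nets)
    return ",".join(str(n) for n in merged), skipped


if __name__ == "__main__":
    entry, skipped = build_block_entry(SAMPLE_LOG)
    print("paste as one entry:", entry)
    print("skipped, review by hand:", skipped)
```

Add your own public and management addresses to `never_block` before using the output, and confirm what list format the target rule field accepts.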