There is often more than one solution to a problem, and the most obvious one is not always the best. I was reminded of this when a Fortigate 60 unit came under my care that was periodically blocking traffic: you get the not-very-informative system alert "..has reached connection limit" and then no traffic passes from LAN to WAN. Since this is clearly a resource starvation issue caused by users, you may never know for sure what triggers it. The only way to pinpoint the misbehaving component is by elimination: disabling features one by one until the problem disappears. For this particular Fortigate it turned out to be the URL filtering used to block access to Facebook.com. Unfortunately, once this was disabled, users in the LAN would starve the bandwidth by accessing (or rather never leaving) this website. An internal fair-use policy issue? Yes, of course, but in this case the only way to implement the policy was by force. So if not URL filtering (the obvious solution), then black-hole routing would be the better one, I thought. This unit ran FortiOS 3, where I did not find such an option, and as an upgrade to FortiOS 4 was not an option either, I blackholed the Facebook.com IP range (thanks to Facebook for the convenience of a contiguous IP range) on the WAN-facing Cisco router.
On FortiOS 4 and newer you can configure a blackhole route from the CLI with no hassle:

FG100 # config router static
FG100 (static) # edit 5
FG100 (5) # set blackhole ?
disable    disable setting
enable     enable setting
FG100 (5) # set blackhole enable
FG100 (5) # set dst 184.108.40.206/20
FG100 (5) # end

FG100 # show router static
config router static
    edit 5
        set blackhole enable
        set dst 220.127.116.11 255.255.240.0
    next
end
From a station in the LAN:

# ping 18.104.22.168
PING 22.214.171.124 (126.96.36.199) 56(84) bytes of data.
From 10.99.99.254 icmp_seq=1 Destination Net Unreachable
From 10.99.99.254 icmp_seq=2 Destination Net Unreachable
Facebook IP range (ARIN whois):

[Querying whois.arin.net]
[whois.arin.net]
OrgName:      Facebook, Inc.
OrgID:        THEFA-3
Address:      156 University Ave, 3rd floor
City:         Palo Alto
StateProv:    CA
PostalCode:   94301
Country:      US
NetRange:     188.8.131.52 - 184.108.40.206
CIDR:         220.127.116.11/20
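The manual steps above (read the CIDR off the whois record, turn it into a FortiOS blackhole route or a Null0 route on the Cisco, then check from the LAN that the range is dropped) are small enough to script. The following is an added example, not code from the original post: it parses the whois CIDR line(s), emits the FortiOS 4+ `config router static` block in the form the `show router static` output above uses, emits the equivalent IOS `ip route ... Null0` line (the post mentions blackholing on the Cisco router but does not show that config, so the IOS syntax is this example's assumption), and tells you whether a given address would hit the blackhole. It goes slightly beyond the post by handling whois records that list several comma-separated prefixes, since an allocation is not always one contiguous block. The whois text and addresses are constructed sample data (198.18.0.0/20, benchmark space), not the real Facebook range.

```python
import ipaddress
import re

# Constructed sample of ARIN whois output. The layout mirrors what the post
# shows; the addresses are illustrative (198.18.0.0/20, benchmark space),
# not a real Facebook range.
SAMPLE_WHOIS = """\
OrgName:        Facebook, Inc.
OrgID:          THEFA-3
NetRange:       198.18.0.0 - 198.18.15.255
CIDR:           198.18.0.0/20
"""

CIDR_LINE = re.compile(r"^CIDR:\s*(.+)$", re.MULTILINE)


def parse_whois_cidrs(text):
    """Return the networks listed on the whois 'CIDR:' line(s).

    ARIN prints several prefixes comma-separated on one line when an
    allocation is not a single block, so every entry is parsed. strict=True
    makes ipaddress reject a prefix whose host bits are set (e.g. a typo
    like 198.18.1.0/20), which would otherwise blackhole the wrong block.
    """
    nets = []
    for m in CIDR_LINE.finditer(text):
        for token in m.group(1).split(","):
            token = token.strip()
            if token:
                nets.append(ipaddress.ip_network(token, strict=True))
    return nets


def fortios_blackhole_config(nets, first_seq=5):
    """FortiOS 4+ CLI: one blackhole static route per prefix, written in the
    'config router static' form that 'show router static' prints."""
    lines = ["config router static"]
    for seq, net in enumerate(nets, start=first_seq):
        lines += [
            f"    edit {seq}",
            "        set blackhole enable",
            f"        set dst {net.network_address} {net.netmask}",
            "    next",
        ]
    lines.append("end")
    return lines


def cisco_null0_routes(nets):
    """IOS static routes to Null0, the usual blackhole on a Cisco router.
    Assumed syntax: the post does not show its router configuration."""
    return [f"ip route {net.network_address} {net.netmask} Null0" for net in nets]


def is_blackholed(address, nets):
    """True if a LAN host's packet to `address` would match one of the
    blackhole prefixes (what the 'Destination Net Unreachable' ping shows)."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in nets)


if __name__ == "__main__":
    nets = parse_whois_cidrs(SAMPLE_WHOIS)
    print("\n".join(fortios_blackhole_config(nets)))
    print("\n".join(cisco_null0_routes(nets)))
    for probe in ("198.18.7.33", "198.18.16.1"):
        print(probe, "blackholed" if is_blackholed(probe, nets) else "reachable")
```

A blackhole route drops everything in the prefix, not just the one website, and the allocation behind a whois record can change; re-run the lookup from time to time and diff the generated routes against what is on the box before trusting the block. The membership check is also handy the other way round: when a user reports something unrelated as unreachable, test the address against the blackholed prefixes first.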
Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.