Black hole routing to the rescue - Fortigate OS 4 surprise

Many times there is more than one solution to the problem, and the most obvious is not the best one. I reminded myself this when came to my care Fortigate 60 unit that was periodically blocking traffic, you know this not-saying-much system alert "..has reached connection limit" and then no traffic goes from LAN to WAN. Clearly being a resource starvation issue by users you may never know for sure what causes this . The only way to pinpoint the misbehaving component is by elimination - disabling one by one until problem disappears. So for this particular Fortigate it was URL-filtering used to block access to Unfortunately once this disabled users in LAN would cause starvation of the bandwidth by accessing (or rather not leaving) this website. An internal fair use policy issue ? - yes of course, but the only way to implement the policy was by force in this case. So if not URL-filtering (being the obvious solution) then black-hole routing would be the better one I thought - but in this FG OS 3 i didnt find such option, and as upgrade to Fortios 4 wasnt an option I blackholed IP range (thanks to Facebook for the convenience of continuous IP range ) in the WAN facing Cisco router.
In the Fortigate FortiOS 4 and newer you can configure blackhole routing with no hassle:

FG100 # config router static
FG100 (static) # edit 5
FG100 (5) # set blackhole ?
disable    disable setting
enable     enable setting
FG100 (5) # set blackhole enable
FG100 (5) # set dst
FG100 (5) # end


FG100 # show router static  
config router static  
    edit 5
        set blackhole enable
        set dst

From station in LAN:
# ping

PING ( 56(84) bytes of data.  
From icmp_seq=1 Destination Net Unreachable  
From icmp_seq=2 Destination Net Unreachable  

Facebook IP range:

OrgName:    Facebook, Inc.
OrgID:      THEFA-3
Address:    156 University Ave, 3rd floor
City:       Palo Alto
StateProv:  CA
PostalCode: 94301
Country:    US
NetRange: -

Follow me on not to miss what I publish on Linkedin, Github, blog, and more.