Blocking network access based on endpoints
You can use endpoint IP filtering to block traffic from source IP addresses associated with endpoints. You can also configure FortiOS Carrier to record log messages whenever endpoint IP filtering blocks traffic. Endpoint IP filtering blocks traffic at the IP level, before the traffic is accepted by a security policy.
To configure endpoint IP filtering, go to Security Profiles > Carrier > IP Filter and add endpoints to the IP filter list. For each endpoint you can enable or disable both blocking traffic and logging blocked traffic.
 
You cannot add endpoint patterns to the endpoint IP filter list. You must enter complete and specific endpoints that are valid for your network.
 
The only action available is block. You cannot use endpoint IP filtering to exempt endpoints from IP filtering or to content archive or quarantine communication sessions.
FortiOS Carrier looks in the current user context list for the endpoints in the IP filter list and extracts the source IP addresses for these endpoints. Then any communication session with a source IP address that matches one of these IP addresses is blocked at the IP level, before the communication session is accepted by a security policy.
FortiOS Carrier dynamically updates the list of IP addresses to block as the user context list changes. Only these updated IP addresses are blocked by endpoint IP filtering.
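The following Python model is an added illustration of the lookup described above; it is not FortiOS Carrier code or configuration. The class names, the `refresh` and `check` methods, and the endpoint and address values are all assumptions made up for the example. It shows that the block follows the endpoint rather than a fixed address when the user context list changes.

```python
from dataclasses import dataclass, field

@dataclass
class FilterEntry:
    endpoint: str       # complete endpoint value; patterns are not accepted
    block: bool = True  # block traffic from this endpoint
    log: bool = True    # log traffic blocked for this endpoint

@dataclass
class EndpointIPFilter:
    entries: dict                                # endpoint -> FilterEntry
    blocked: dict = field(default_factory=dict)  # source IP -> FilterEntry
    log: list = field(default_factory=list)

    def refresh(self, user_context):
        """Rebuild the blocked-IP table from the current user context list."""
        self.blocked = {
            ip: self.entries[ep]
            for ep, ip in user_context.items()
            if ep in self.entries and self.entries[ep].block
        }

    def check(self, src_ip):
        """Runs before policy lookup: returns 'block' or 'to-policy'."""
        entry = self.blocked.get(src_ip)
        if entry is None:
            return "to-policy"
        if entry.log:
            self.log.append((entry.endpoint, src_ip))
        return "block"

def demo():
    # Constructed sample data: endpoint identifiers and addresses are made up.
    flt = EndpointIPFilter({"5551000001": FilterEntry("5551000001")})
    context = {"5551000001": "10.0.0.5", "5551000002": "10.0.0.6"}
    flt.refresh(context)
    before = [flt.check("10.0.0.5"), flt.check("10.0.0.6")]

    # The blocked endpoint reconnects on a new address; its old address
    # is handed to a different endpoint that is not on the filter list.
    context = {"5551000001": "10.0.0.9", "5551000003": "10.0.0.5"}
    flt.refresh(context)
    after = [flt.check("10.0.0.5"), flt.check("10.0.0.9")]
    return before, after, flt.log

if __name__ == "__main__":
    print(demo())
```

After the context list changes, the old address passes on to security policy evaluation and the new address is blocked, which is why stale address-based rules are not a substitute for this filter.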
For more information about carrier endpoints and the user context list, including how entries are added to and removed from this list, see the FortiOS Handbook User Authentication chapter.