Hello,
Is it possible to restrict the origin of Remote Access VPN connections by country?
I have tried to "restrict" connections so that only 1 country can connect to my VPN.
I tried this from the firewall rule, using an "UPDATABLE OBJECT", but when I then try to work with other rules that I have, which are also RA VPN, I start to have errors in the installation of policies.
The rule 90 that I have, which is the one that causes me conflict, goes something like this:
Source: GRP_VPN@Any
Peru
Destination: Red_00
Community: RemoteAccess
Action: Accept
Services: Any
I am working with local users.
When I "delete" the "Update Object", I can install the policies without problems, but what I am trying to do is to make the access to my VPN connection more "restrictive".
Thank you for your attention.
No bro, not possible. I even had a case opened with TAC, went to escalation, they confirmed the same. Kind of sucks, because with Fortinet, it's literally 4 clicks to get this done.
Andy
Did you get to share any SK?
Or were they just "cold" and said "No way, bye bye"?
hahaha 😞
LOL @Matlu ...no bro, there is no sk lol
Anyway, they just said in the case it's not possible. Customer very disappointed, to say the least, but if it can't be done, it can't be done. Maybe in R82, I don't know...
Andy
You seem to have been "misunderstood".
LOL. It happens ... 🤣
HAHAHAHAHA...it wont be first or last time bro 🤣🤣🤣🤣🤣
You could try the following approach:
https://community.checkpoint.com/t5/Security-Gateways/Block-VPN-Traffic-by-Country/td-p/172695
Okay, I will give that option to the customer, something to consider. Not as easy as setting it up on Fortigate gui, but at least it may work.
Thanks Chris,
Andy
Treating traffic as if it were "DoS", can it negatively impact the GW?
Can it cause CPU and Memory saturation of GWs?
That's exactly the thought I have as well...I really wish there was a way to block this in the rule using updatable country object. I sure hope it becomes available in next release. We actually have more and more CP clients asking about it.
Andy
To maximize performance, the DoS/Rate Limiting policy is enforced as early as possible in the packet flow. For most features this means it is enforced in SecureXL.
Here is an important question, for me, at least...does that method from the link you gave ONLY block vpn access or any traffic?
Andy
The syntax is an example, you can see the "service" parameter.
I know you will test it in your lab anyway as you should before trying it in the real world. 🙂
I think I sort of understand the syntax better now...as long as destination is external gateway IP, and source cc is actual country code, that's what matters. Not sure if cc syntax can be used multiple times in same command, but will try tomorrow in the lab...what I mean is say source cc:CN cc:EE ...multiple country codes like that.
Andy
Please share with us the results of your tests, my friend. 🙌
And if you are successful, well, it could be nice to know what your procedure was. 🤙
See, the problem is, I don't have real external IP configured in my lab, so best I can do in the meantime is run the command and see if it takes it and let you know.
Andy
Okay, commands do work, which is awesome, BUT, only way to know 100% if it's successful is to try it on real production fw with valid external IP address. By the way, multiple cc options don't work, see below. You simply use 2 letter country codes as per below link and what @PhoneBoy gave in his post.
Andy
Country Codes, Phone Codes, Dialing Codes, Telephone Codes, ISO Country Codes
[Expert@CP-TEST-FW:0]# fwaccel dos rate add -a b source cc:CA
uid="<65731a1c,00000000,e90a10ac,0000026b>"
[Expert@CP-TEST-FW:0]# fwaccel dos rate add -a d -l a service any source cc:CN cc:EE destination cidr:172.16.10.213/32 pkt-rate 0
ERROR: add quota: unknown key name 'cc:EE'
[Expert@CP-TEST-FW:0]# fwaccel dos rate add -a d -l a service any source cc:CN cc:FI destination cidr:172.16.10.213/32 pkt-rate 0
ERROR: add quota: unknown key name 'cc:FI'
[Expert@CP-TEST-FW:0]# fwaccel dos rate add -a d -l a service any source cc:CN destination cidr:172.16.10.213/32 pkt-rate 0
uid="<65731a7c,00000000,e90a10ac,00000414>"
[Expert@CP-TEST-FW:0]# fwaccel dos rate add -a d -l a service any source cc:FI destination cidr:172.16.10.213/32 pkt-rate 0
uid="<65731a84,00000000,e90a10ac,000004e5>"
[Expert@CP-TEST-FW:0]# fwaccel dos rate add -a d -l a service any source cc:EE destination cidr:172.16.10.213/32 pkt-rate 0
uid="<65731a8a,00000000,e90a10ac,00000504>"
[Expert@CP-TEST-FW:0]# ^C
[Expert@CP-TEST-FW:0]#
******************************************
[Expert@CP-TEST-FW:0]# fwaccel dos rate get
fwaccel dos rate add -i "<65731a1c,00000000,e90a10ac,0000026b>" -action bypass source cc:CA service any
fwaccel dos rate add -i "<65731a8a,00000000,e90a10ac,00000504>" -action drop -log alert service any source cc:EE destination cidr:172.16.10.213/32 pkt-rate 0
fwaccel dos rate add -i "<65731a7c,00000000,e90a10ac,00000414>" -action drop -log alert service any source cc:CN destination cidr:172.16.10.213/32 pkt-rate 0
fwaccel dos rate add -i "<65731a84,00000000,e90a10ac,000004e5>" -action drop -log alert service any source cc:FI destination cidr:172.16.10.213/32 pkt-rate 0
(4 rules found)
[Expert@CP-TEST-FW:0]#
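Added example, not code from any poster in this thread and not Check Point's own tooling: an expert-mode shell script that turns the lab finding above (a single command accepts only one "source cc:XX" key) into one drop rule per country. It validates each country code and the gateway address before anything reaches fwaccel, so a malformed entry such as "cc:EE" is reported and skipped instead of producing "unknown key name", and by default it only prints the commands. Everything configurable is a placeholder: 192.0.2.10 is a documentation address standing in for the gateway's real external IP, the country list is constructed, and SERVICE stays at "any" because that is the only service form the thread shows; check the fwaccel dos documentation before narrowing it to the VPN ports.

```shell
#!/bin/sh
# Added example: one "fwaccel dos rate add" command per country code.
# Not code from this thread or from Check Point; the command form is the one
# confirmed in the lab output above (one command takes only one "source cc:XX").
# Placeholders you must set for your own gateway:
#   GW_EXTERNAL_IP  real external IP of the gateway (192.0.2.10 is a documentation address)
#   BLOCKED_CC      space-separated ISO 3166-1 alpha-2 codes to drop (constructed sample list)
#   SERVICE         "any" as in the thread; consult the fwaccel dos documentation before narrowing it
#   DRY_RUN         1 = print commands only (default); 0 = execute in expert mode on the gateway
GW_EXTERNAL_IP="${GW_EXTERNAL_IP:-192.0.2.10}"
BLOCKED_CC="${BLOCKED_CC:-CN EE FI}"
SERVICE="${SERVICE:-any}"
DRY_RUN="${DRY_RUN:-1}"

# Exactly two upper-case ASCII letters; anything else (e.g. "cc:EE") is rejected
# here instead of failing inside fwaccel with "unknown key name".
valid_cc() {
    [ "${#1}" -eq 2 ] && [ -z "$(printf '%s' "$1" | tr -d 'A-Z')" ]
}

# Dotted-quad IPv4 with every octet in 0-255 (no prefix length: the script adds /32 itself).
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Build the drop rule for one country: -a d (drop), -l a (log alert), pkt-rate 0 = nothing
# from that country is allowed to reach the gateway's external address on SERVICE.
build_drop_rule() {
    cc="$1"; ip="$2"; svc="$3"
    valid_cc "$cc" || return 1
    valid_ipv4 "$ip" || return 1
    printf 'fwaccel dos rate add -a d -l a service %s source cc:%s destination cidr:%s/32 pkt-rate 0\n' \
        "$svc" "$cc" "$ip"
}

# Print (dry run) or execute one rule. Unquoted $1 is intentional: every token was validated.
run_rule() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$1"
    else
        $1
    fi
}

# One rule per country; invalid entries go to stderr and are skipped, the rest proceed.
generate_rules() {
    for cc in $BLOCKED_CC; do
        if rule=$(build_drop_rule "$cc" "$GW_EXTERNAL_IP" "$SERVICE"); then
            run_rule "$rule"
        else
            printf 'skipping invalid entry: cc=%s ip=%s\n' "$cc" "$GW_EXTERNAL_IP" >&2
        fi
    done
    # Afterwards show what the gateway actually holds, as the thread does with "fwaccel dos rate get".
    [ "$DRY_RUN" = "1" ] || fwaccel dos rate get
}

generate_rules
```

Run it once with the default DRY_RUN=1 to review the generated commands, then with DRY_RUN=0 on the gateway. The per-country loop exists only because of the lab result above; if a later release accepts several cc keys in one command, the loop body is the single place to change.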
Does your lab have a real external IP?
Does Mobile Access or IPsec VPN work in your LAB for remote connections?
If not, I can try, from my location, to reach your LAB, to see if it works, HAHA. 😅
Ok, I'll write this in Spanish hahaha. As I already said twice, no, I don't have an external IP in my lab, so the only way to confirm it is to do it on a device that does have one. The commands work
We will have to 'sacrifice' a customer, and give it a try.
Let him be our 'trojan horse'. 🤣🫣
lol...or guinea pig as they say
Andy
I will see later if I can do some natting on our lab Fortigate firewall to get real external IP working, so this can be tested properly.
Andy