UTM 9 Block specific IP

Question

Here's the situation first. I get emails about all port scan notifications and intrusion alerts from our UTM. For the past 24 hours, this one IP address is port scanning us like crazy and then going on "likely SQL injections." So I thought, OK, I'll create a DNAT blackhole rule. 
 Basically the rule is this: any traffic from malicious IP address going to our server (internal IP) gets remapped to a non-existing internal IP. 
 Then I put that rule prior to the NAT rules for that server. 
 Still I'm getting the email notifications. Maybe the reason is because the Intrusion Protection Service is going to catch these attacks/probes regardless? 
 Thanks for any feedback.

apijnappels · Answer

A DNAT rule doesn't go to the internal address of your server, but to the external (address) of your WAN connection. 
 Then the destination should be a blackhole.

sachingurung · Answer

Hi, 
 So does that mean, you do not want the email notifications that frequent? If that's your requirement then check the limit notification option found in management> notification > global tab. 
 Thanks

apijnappels · Answer

I use a blackhole DNAT like this: 
 
 Where "Block IPs" is a group in which I put all IP's I want to completely discard all traffic from and destination "Blackhole2" is a host with IP4 address of 240.0.0.0 and IP6 address of 0100:: 
 240.0.0.0 falls in 240.0.0.0/4 (reserved for future use) 0100:: falls in 0100::/64 (is RFC6666 discard prefix voor ipv6) 
 You may also need to create a firewall rule: 
 
 That way there should be no logging from blocked traffic.