Fortinet black logo

Administration Guide

Blocking client devices with poor reputation

Blocking client devices with poor reputation

While using IP-based access controls (blacklisting) to block network traffic from malicious client devices is core to a WAF solution, issues with using only IP-based access controls remain. Because IP-based access controls rely on identifying attackers by comparing their IP addresses with blacklist databases, network security concerns and vulnerabilities remain when attackers can:

  • Change their IP address by using anonymous proxies
  • Hide behind shared public IP addresses through NAT, DHCP or PPPoE technologies

Compared to changing IP address or hiding behind shared IP addresses, it is difficult and impractical to change the computer attackers use to probe defenses and launch attacks. Rather than relying only on IP-based access controls, FortiWeb's device tracking feature identifies suspected attackers based on the computers they are using. To identify a visiting device, FortiWeb generates a unique device ID according to a set of its characteristics, including the time zone, source IP, operating system, browser, language, CPU, color depth, and screen size.

When device tracking is enabled and a device reputation security policy is selected, FortiWeb evaluates the reputation of client devices that trigger security violations. If a device triggers a security violation in a device reputation security policy, it will acquire a lower device reputation. Access to networks and servers can be managed according to a device's reputation.

See also

How device reputation works

The device reputation mechanism takes into account the following factors:

Threat weight of security violations

Each protection feature involved in the device reputation mechanism must be scored with a threat weight to indicate how serious a security violation is; this generally depends on the security concerns according to how networks and servers will be used. For example, SQL injection might be a higher risk security violation if database applications are provided on servers, though it may be a lower risk event if no database applications are provided. When a security violation is detected, the threat weight of the security violation is used to calculate the reputation of the device that launched the event.

Reputation of a device

FortiWeb reacts to security violations launched by a device according to reputation of the device. A device initially joins the network with a good reputation. A good reputation indicates a low-risk device; a bad reputation indicates a high-risk device. In a device profile, the historical threat weight field is the sum of the threat weights of all the security violations launched by the device. As a device triggers security violations, the device reputation is negatively affected; each time a device violates a device reputation security policy, a corresponding threat weight is added to the total value in the device profile. The higher the accumulated threat weight of the device, the poorer reputation of the device.

Risk level of a device

A device can be classified as low-risk, medium-risk, and high-risk according to its device reputation. To identify the risk level of a device, the scale of the risk levels must be defined. For example, devices that have a historical threat weight between 0-100 may be considered low-risk, between 101-500 medium-risk, and between 501-1000 high-risk.

Violation action based on risk level

When device tracking is enabled and a device reputation security policy is selected, FortiWeb can react to a security violation according to a device's reputation rather than just the individual security policy. Once the scale of device risk levels is determined, a violation action of each risk level may be defined so that FortiWeb can properly react to the risk level of a device when it detects a security violation launched from the device.

When device tracking is enabled and a device reputation security policy is selected, FortiWeb behaves as follows:

  1. Identify the device through the fingerprint technique and check whether a profile of the device already exists when a security violation launched by a visiting device is detected. If a device profile does not already exist, a profile of the device with a unique device ID is created.
  2. Add the threat weight of the security violation launched by this device to the historical threat weight in the device's profile.
  3. Evaluate the reputation of the device (risk level of the device) by comparing the historical threat weight of the device with the predefined device risk level.
  4. Trigger the violation action corresponding with the risk level.

Configuring device tracking & device reputation security policies

Five major steps are required to configure device tracking device reputation security policies:

You can also modify device tracking settings globally. For details, see To modify device tracking settings.

To enable device tracking feature visibility
tooltip icon

By default, device tracking feature visibility is enabled.

  1. Go to System > Config > Feature Visibility.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see Permissions.
  2. Enable Device Tracking.
  3. Click Apply.
To define the threat weight of each security violation
  1. Go to Policy > Threat Weight.
  2. Configure Risk Level Values.
    There are four different risk levels used to indicate how serious a security violation is: Low, Medium, High, and Critical. The specified values of the risk levels are the weights used to calculate the reputation of a device when it violates the security policy.
  3. Assign a threat weight of 1-100 to the risk levels. It is possible to initially use the default values and later adjust them according to specific security concerns.

  4. Define risk level of security violations.
  5. Here are the security violations that FortiWeb can detect:

Adjust the slider bar to assign a risk level to each security violation.

For Signatures and HTTP Protocol Constraints, first enable them here and go to Web Protection > Known Attacks > Signatures and Web Protection > Protocol > HTTP Protocol Constraints to set the risk level of individual signatures and HTTP protocol constraints. For details, see Blocking known attacks & data leaks and HTTP/HTTPS protocol constraints.

Moving the cursor of a slider bar to the leftmost side sets the threat weight of a security violation to OFF, meaning that a threat weight will not be calculated for the security violation in the device reputation security policy. Once a security violation without a defined threat weight is detected, FortiWeb will not react to the security violation according to the device reputation security policy, and instead the violation action specified in the local security policy will be triggered.

  • Click Apply to save the configuration.
  • To define device risk levels and corresponding violation actions
    tooltip icon

    If Device Tracking isn't enabled in Feature Visibility, you must enable it before you can create a device reputation security policy. To enable Device Tracking, go to System > Config > Feature Visibility and enable Device Tracking.

    1. Go to Tracking > Device Reputation and select the Device Reputation Security Policy tab.
    2. Click Create New.
    3. Configure these settings:
    4. Name

      Policy name

      Weight Range for Low/Medium/High Risk Level

      Risk levels are used to evaluate how dangerous a device is. Each time a device violates a device reputation security policy, the historical threat weight of the device increases according to the threat weight of the security violation. FortiWeb compares the historical threat weight of the device with the weight range specified here to identify the risk level of the device so that FortiWeb can trigger a corresponding violation action.

      Adjust the slider bar to specify weight ranges between 0-1000 for the risk levels.

      Action for High/Medium/Low/Unidentified Risk Level Device

      Specify the violation action FortiWeb carries out in response to security violations launched by a high/medium/low/unidentified risk device.

      The options are:

      • Alert—Accept the request and generate an alert email and/or log message.

      • Alert & Deny—Block the request (or reset the connection) and generate an alert email and/or log message.

      You can customize the web page that returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).

      • Deny (no log)—Block the request (or reset the connection).

      • Period Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.

      You can customize the web page that returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).

      • Using Local Action—Takes the local action specified in a protection profile.

      Device Reputation Exceptions Select an exceptions policy. For details, see To create device reputation exceptions.
    5. Click OK to save the configuration.
    To enable device tracking and select a device reputation security policy in a protection profile
    1. Go to Policy > Web Protection Profile, select the Inline Protection Profile tab, and select an existing profile or create a new one.
    2. Enable Device Tracking and select a policy in Device Reputation Security Policy. For details, see Device Tracking.

    When Device Tracking is enabled, FortiWeb responds to the detected security violations according to actions defined in the selected device reputation security policy rather than the individual security policy and rule in the protection profile. Even so, the security policies are still necessary in a protection profile to identify security violations.

    FortiWeb bypasses a device reputation security policy and reacts to security violations according to individual policies and rules when:

    • Device Tracking is disabled
    • The threat weight of security violations is disabled (set to OFF)
    • Device reputation exceptions have been selected
    To create device reputation exceptions
    tooltip icon

    If Device Tracking isn't enabled in Feature Visibility, you must enable it before you can create device reputation exceptions. To enable Device Tracking, go to System > Config > Feature Visibility and enable Device Tracking.

    1. Go to Tracking > Device Reputation, select the Device Reputation Exceptions tab, and select an existing policy or create a new one.
    2. Security features placed in Selected Security Feature Name will bypass device reputation security policies. From Security Feature Name, select the security feature and click the right arrow button to move it to Selected Security Feature Name.
      To cancel the exception to a security feature, select the feature in Selected Security Feature Name and click the left arrow to remove it back to Security Feature Name.
    3. Click OK to save the configuration.
    To modify device tracking settings
    tooltip icon

    If Device Tracking isn't enabled in Feature Visibility, you must enable it before you can modify device tracking settings. To enable Device Tracking, go to System > Config > Feature Visibility and enable Device Tracking.

    Once you enable device tracking, you can modify its settings according to your environment's needs, including:

    • How long a device's reputation is tracked
    • How long FortiWeb keeps device reputation data
    • How long a device will be blocked
    • How often a device fingerprint is updated
    1. Go to System > Config > Device Tracking.
    2. Configure these settings:
    3. Historical Threat Weight Cleanup Period

      Select the amount of time that FortiWeb will store threat weight information for a device. Once threat weight information has been stored for longer than the selected amount of time, FortiWeb will remove that information.

      Delete Inactive Records After

      Enter the amount of time (in days) that FortiWeb will store data for an inactive device before FortiWeb removes data for that device. The default value is 0. The valid range is 0–30.

      Block Duration

      Enter the amount of time (in hours) that FortiWeb will block a device within a single Historical Threat Weight Cleanup Period.

      Update Device Fingerprint After

      Enter the interval (in minutes) in which FortiWeb will update the device fingerprint of a currently tracked device. The default value is 60. The valid range is 60–1440.

      Database Query Timeout

      Enter the maximum amount of time (in seconds) that FortiWeb will wait for a response when it queries the database for threat weight information for a device. The default value is 3. The valid range is 1–30.

    4. Click Apply.

    Example configuration and resulting behavior of a device reputation security policy

    In Threat Weight, these settings are configured:

    Risk Level Value
    Low 5
    Medium 10
    High 30
    Critical 100
    Threat weights of security violations
    Signatures Disabled
    DoS Protection OFF
    Brute Force Login Critical (100)

    In the device reputation security policy, these settings are configured:

    Weight Range of Device Risk Levels
    Low 0-30
    Medium 31-100
    High 101-1000
    Action for Device Risk Levels
    Low Alert
    Medium Period Block
    High Alert & Deny

    FortiWeb takes the following actions after identifying these security violations from a device:

    Security Violations Behaviors Device Threat Weight Device Risk Violation Action
    Brute Force Login Add the threat weight of Brute Force Login (100) to the device. 140 High Alert & Deny
    DoS Protection Threat weight of DoS Protection is off in Device Reputation, FortiWeb reacts to the violation according to the DoS protection policy specified in the protection profile. 150 High According to the DoS protection policy
    Signatures Signatures feature is disabled in Device Reputation, FortiWeb reacts to the violation according to the signatures policy specified in the protection profile. 155 High According to the signatures policy

    Blocking client devices with poor reputation

    While using IP-based access controls (blacklisting) to block network traffic from malicious client devices is core to a WAF solution, issues with using only IP-based access controls remain. Because IP-based access controls rely on identifying attackers by comparing their IP addresses with blacklist databases, network security concerns and vulnerabilities remain when attackers can:

    • Change their IP address by using anonymous proxies
    • Hide behind shared public IP addresses through NAT, DHCP or PPPoE technologies

    Compared to changing IP address or hiding behind shared IP addresses, it is difficult and impractical to change the computer attackers use to probe defenses and launch attacks. Rather than relying only on IP-based access controls, FortiWeb's device tracking feature identifies suspected attackers based on the computers they are using. To identify a visiting device, FortiWeb generates a unique device ID according to a set of its characteristics, including the time zone, source IP, operating system, browser, language, CPU, color depth, and screen size.

    When device tracking is enabled and a device reputation security policy is selected, FortiWeb evaluates the reputation of client devices that trigger security violations. If a device triggers a security violation in a device reputation security policy, it will acquire a lower device reputation. Access to networks and servers can be managed according to a device's reputation.

    See also

    How device reputation works

    The device reputation mechanism takes into account the following factors:

    Threat weight of security violations

    Each protection feature involved in the device reputation mechanism must be scored with a threat weight to indicate how serious a security violation is; this generally depends on the security concerns according to how networks and servers will be used. For example, SQL injection might be a higher risk security violation if database applications are provided on servers, though it may be a lower risk event if no database applications are provided. When a security violation is detected, the threat weight of the security violation is used to calculate the reputation of the device that launched the event.

    Reputation of a device

    FortiWeb reacts to security violations launched by a device according to reputation of the device. A device initially joins the network with a good reputation. A good reputation indicates a low-risk device; a bad reputation indicates a high-risk device. In a device profile, the historical threat weight field is the sum of the threat weights of all the security violations launched by the device. As a device triggers security violations, the device reputation is negatively affected; each time a device violates a device reputation security policy, a corresponding threat weight is added to the total value in the device profile. The higher the accumulated threat weight of the device, the poorer reputation of the device.

    Risk level of a device

    A device can be classified as low-risk, medium-risk, and high-risk according to its device reputation. To identify the risk level of a device, the scale of the risk levels must be defined. For example, devices that have a historical threat weight between 0-100 may be considered low-risk, between 101-500 medium-risk, and between 501-1000 high-risk.

    Violation action based on risk level

    When device tracking is enabled and a device reputation security policy is selected, FortiWeb can react to a security violation according to a device's reputation rather than just the individual security policy. Once the scale of device risk levels is determined, a violation action of each risk level may be defined so that FortiWeb can properly react to the risk level of a device when it detects a security violation launched from the device.

    When device tracking is enabled and a device reputation security policy is selected, FortiWeb behaves as follows:

    1. Identify the device through the fingerprint technique and check whether a profile of the device already exists when a security violation launched by a visiting device is detected. If a device profile does not already exist, a profile of the device with a unique device ID is created.
    2. Add the threat weight of the security violation launched by this device to the historical threat weight in the device's profile.
    3. Evaluate the reputation of the device (risk level of the device) by comparing the historical threat weight of the device with the predefined device risk level.
    4. Trigger the violation action corresponding with the risk level.

    Configuring device tracking & device reputation security policies

    Five major steps are required to configure device tracking device reputation security policies:

    You can also modify device tracking settings globally. For details, see To modify device tracking settings.

    To enable device tracking feature visibility
    tooltip icon

    By default, device tracking feature visibility is enabled.

    1. Go to System > Config > Feature Visibility.
      To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see Permissions.
    2. Enable Device Tracking.
    3. Click Apply.
    To define the threat weight of each security violation
    1. Go to Policy > Threat Weight.
    2. Configure Risk Level Values.
      There are four different risk levels used to indicate how serious a security violation is: Low, Medium, High, and Critical. The specified values of the risk levels are the weights used to calculate the reputation of a device when it violates the security policy.
    3. Assign a threat weight of 1-100 to the risk levels. It is possible to initially use the default values and later adjust them according to specific security concerns.

    4. Define risk level of security violations.
    5. Here are the security violations that FortiWeb can detect:

    Adjust the slider bar to assign a risk level to each security violation.

    For Signatures and HTTP Protocol Constraints, first enable them here and go to Web Protection > Known Attacks > Signatures and Web Protection > Protocol > HTTP Protocol Constraints to set the risk level of individual signatures and HTTP protocol constraints. For details, see Blocking known attacks & data leaks and HTTP/HTTPS protocol constraints.

    Moving the cursor of a slider bar to the leftmost side sets the threat weight of a security violation to OFF, meaning that a threat weight will not be calculated for the security violation in the device reputation security policy. Once a security violation without a defined threat weight is detected, FortiWeb will not react to the security violation according to the device reputation security policy, and instead the violation action specified in the local security policy will be triggered.

  • Click Apply to save the configuration.
  • To define device risk levels and corresponding violation actions
    tooltip icon

    If Device Tracking isn't enabled in Feature Visibility, you must enable it before you can create a device reputation security policy. To enable Device Tracking, go to System > Config > Feature Visibility and enable Device Tracking.

    1. Go to Tracking > Device Reputation and select the Device Reputation Security Policy tab.
    2. Click Create New.
    3. Configure these settings:
    4. Name

      Policy name

      Weight Range for Low/Medium/High Risk Level

      Risk levels are used to evaluate how dangerous a device is. Each time a device violates a device reputation security policy, the historical threat weight of the device increases according to the threat weight of the security violation. FortiWeb compares the historical threat weight of the device with the weight range specified here to identify the risk level of the device so that FortiWeb can trigger a corresponding violation action.

      Adjust the slider bar to specify weight ranges between 0-1000 for the risk levels.

      Action for High/Medium/Low/Unidentified Risk Level Device

      Specify the violation action FortiWeb carries out in response to security violations launched by a high/medium/low/unidentified risk device.

      The options are:

      • Alert—Accept the request and generate an alert email and/or log message.

      • Alert & Deny—Block the request (or reset the connection) and generate an alert email and/or log message.

      You can customize the web page that returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).

      • Deny (no log)—Block the request (or reset the connection).

      • Period Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.

      You can customize the web page that returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).

      • Using Local Action—Takes the local action specified in a protection profile.

      Device Reputation Exceptions Select an exceptions policy. For details, see To create device reputation exceptions.
    5. Click OK to save the configuration.
    To enable device tracking and select a device reputation security policy in a protection profile
    1. Go to Policy > Web Protection Profile, select the Inline Protection Profile tab, and select an existing profile or create a new one.
    2. Enable Device Tracking and select a policy in Device Reputation Security Policy. For details, see Device Tracking.

    When Device Tracking is enabled, FortiWeb responds to the detected security violations according to actions defined in the selected device reputation security policy rather than the individual security policy and rule in the protection profile. Even so, the security policies are still necessary in a protection profile to identify security violations.

    FortiWeb bypasses a device reputation security policy and reacts to security violations according to individual policies and rules when:

    • Device Tracking is disabled
    • The threat weight of security violations is disabled (set to OFF)
    • Device reputation exceptions have been selected
    To create device reputation exceptions
    tooltip icon

    If Device Tracking isn't enabled in Feature Visibility, you must enable it before you can create device reputation exceptions. To enable Device Tracking, go to System > Config > Feature Visibility and enable Device Tracking.

    1. Go to Tracking > Device Reputation, select the Device Reputation Exceptions tab, and select an existing policy or create a new one.
    2. Security features placed in Selected Security Feature Name will bypass device reputation security policies. From Security Feature Name, select the security feature and click the right arrow button to move it to Selected Security Feature Name.
      To cancel the exception to a security feature, select the feature in Selected Security Feature Name and click the left arrow to remove it back to Security Feature Name.
    3. Click OK to save the configuration.
    To modify device tracking settings
    tooltip icon

    If Device Tracking isn't enabled in Feature Visibility, you must enable it before you can modify device tracking settings. To enable Device Tracking, go to System > Config > Feature Visibility and enable Device Tracking.

    Once you enable device tracking, you can modify its settings according to your environment's needs, including:

    • How long a device's reputation is tracked
    • How long FortiWeb keeps device reputation data
    • How long a device will be blocked
    • How often a device fingerprint is updated
    1. Go to System > Config > Device Tracking.
    2. Configure these settings:
    3. Historical Threat Weight Cleanup Period

      Select the amount of time that FortiWeb will store threat weight information for a device. Once threat weight information has been stored for longer than the selected amount of time, FortiWeb will remove that information.

      Delete Inactive Records After

      Enter the amount of time (in days) that FortiWeb will store data for an inactive device before FortiWeb removes data for that device. The default value is 0. The valid range is 0–30.

      Block Duration

      Enter the amount of time (in hours) that FortiWeb will block a device within a single Historical Threat Weight Cleanup Period.

      Update Device Fingerprint After

      Enter the interval (in minutes) in which FortiWeb will update the device fingerprint of a currently tracked device. The default value is 60. The valid range is 60–1440.

      Database Query Timeout

      Enter the maximum amount of time (in seconds) that FortiWeb will wait for a response when it queries the database for threat weight information for a device. The default value is 3. The valid range is 1–30.

    4. Click Apply.

    Example configuration and resulting behavior of a device reputation security policy

    In Threat Weight, these settings are configured:

    Risk Level Value
    Low 5
    Medium 10
    High 30
    Critical 100
    Threat weights of security violations
    Signatures Disabled
    DoS Protection OFF
    Brute Force Login Critical (100)

    In the device reputation security policy, these settings are configured:

    Weight Range of Device Risk Levels
    Low 0-30
    Medium 31-100
    High 101-1000
    Action for Device Risk Levels
    Low Alert
    Medium Period Block
    High Alert & Deny

    FortiWeb takes the following actions after identifying these security violations from a device:

    Security Violations Behaviors Device Threat Weight Device Risk Violation Action
    Brute Force Login Add the threat weight of Brute Force Login (100) to the device. 140 High Alert & Deny
    DoS Protection Threat weight of DoS Protection is off in Device Reputation, FortiWeb reacts to the violation according to the DoS protection policy specified in the protection profile. 150 High According to the DoS protection policy
    Signatures Signatures feature is disabled in Device Reputation, FortiWeb reacts to the violation according to the signatures policy specified in the protection profile. 155 High According to the signatures policy