Monitoring currently blocked IPs
Monitor > Blocked IPs displays all client IP addresses whose requests the FortiWeb appliance is temporarily blocking because the client violated a rule whose Action is Period Block.
To access this part of the web UI, your administrator account's access profile must have Read and Write permission to items in the Log & Report category. For details, see Permissions.
If a client was blocked, you can see the reason for the block. For a period block triggered by client management configurations, the reason is Threat Score Exceeded; for a period block triggered by other features, the reason is N/A.
If a client was inadvertently blocked due to a false positive, you can immediately release it from being blocked by clicking the Delete icon next to its entry in the table. If it is being blocked by multiple policies, you should delete the client’s entry under each policy name. Otherwise, the client may still be blocked by some policies.
Alternatively, the IP address will automatically be removed from the list when its block period expires.
The Blocked IP list shows at most 15,000 IPs at the same time. If the blocked IPs exceed this number, the system will record it in the attack log, instead of showing them in the Blocked IP list.
If a client is frequently and correctly added to the period block list and is a suspected attacker, you may be able to improve both security and performance by permanently blacklisting that source IP address. For details, see Blacklisting & whitelisting clients using a source IP or source IP range and Sequence of scans.
If the client is not an attacker, in addition to removing his or her IP from this list, you may need to adjust the configuration that caused the period block, such as adjusting DoS protection so that it does not block normal request rates. Otherwise, the client may quickly reappear in the period block list.