Administration Guide

Monitoring currently blocked IPs

The Blocked IPs page displays all client IP addresses whose requests the FortiWeb appliance is temporarily blocking because the client violated a rule whose Action is Period Block.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see Permissions.

To view the Blocked IPs:

  1. Click the Add icon as shown below.
  2. On the Add Monitor page, click the Add icon of Blocked IPs.
  3. On the Add Monitor - Blocked IPs page, enter a name or use the default name Blocked IPs.
  4. Click Add Monitor. You will see the Blocked IPs shown in the navigation bar.

On the Blocked IPs page, you can see the reason each IP is blocked. For a period block based on client management configurations, the reason is Threat Score Exceeded; for a period block caused by other features, the reason is N/A.

If a client was inadvertently blocked due to a false positive, you can immediately release it from being blocked by clicking the Delete icon next to its entry in the table. If it is being blocked by multiple policies, you should delete the client’s entry under each policy name. Otherwise, the client may still be blocked by some policies.

Alternatively, the IP address will automatically be removed from the list when its block period expires.

The Blocked IP list shows at most 15,000 IPs at the same time. If the number of blocked IPs exceeds this limit, the system records this in the attack log instead of showing them in the Blocked IP list.

If a client is frequently and correctly added to the period block list, and is a suspected attacker, you may be able to improve both security and performance by permanently blocklisting that source IP address. For details, see Blocklisting & allowlisting clients using a source IP or source IP range and Sequence of scans.

If the client is not an attacker, in addition to removing the client's IP from this list, you may need to adjust the configuration that caused the period block, such as adjusting DoS protection so that it does not block normal request rates. Otherwise, the client may quickly reappear in the period block list.
