Administration Guide

IP Reputation - Blocklisting source IPs with poor reputation

It would be an impossible task to manually identify and block all known attackers in the world. To block:

  • botnets
  • spammers
  • phishers
  • malicious spiders/crawlers
  • virus-infected clients
  • clients using anonymizing proxies
  • DDoS participants

you can configure FortiWeb to use the FortiGuard IP Reputation. IP reputation leverages many techniques for accurate, early, and frequently updated identification of compromised and malicious clients so you can block attackers before they target your servers. Data about dangerous clients derives from many sources around the globe, including:

  • FortiGuard service statistics
  • honeypots
  • botnet forensic analysis
  • anonymizing proxies
  • 3rd party sources in the security community

From these sources, Fortinet compiles a reputation for each public IP address. Clients will have poor reputations if they have been participating in attacks, willingly or otherwise. Because blacklisting innocent clients is equally undesirable, Fortinet also restores the reputations of clients that improve their behavior. This is crucial when an infected computer is cleaned, or in DHCP or PPPoE pools where an innocent client receives an IP address that was previously leased by an attacker.

Because IP reputation data is based on evidence of hostility rather than a client’s current physical location, it may be preferable to geographical IP blocking when your goal is to block attackers rather than to restrict delivery to a region.

The IP Reputation feature can block or log clients based on X-header-derived client source IPs. For details, see Defining your proxies, clients, & X-headers.

IP reputation knowledge is regularly updated if you have subscribed and connected your FortiWeb to the FortiGuard IP Reputation service. As the service adds categories, new options may appear in this policy periodically. You can monitor the FortiGuard website feed (HTTP://fortiguard.com/rss/fg.xml) for security advisories which may correlate with new IP reputation-related options. For details, see Connecting to FortiGuard services.

Because IP reputation policies, like geographical IP policies, are evaluated before most other scans, rejecting disreputable clients at this stage spares the later, more expensive scans and can improve performance. For details, see Sequence of scans.

To configure an IP reputation policy
  1. If you need to exempt some clients’ public IP addresses due to possible false positives, configure IP reputation exemptions first. Go to IP Protection > IP Reputation and select the Exceptions tab to create a new exception.
  2. Go to IP Protection > IP Reputation and select the IP Reputation Policy tab.
    To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
  3. In the Status column, enable the categories of disreputable clients that you want to block and/or log:

    Botnet

    Malware that may perform many malicious tasks, such as downloading and executing additional malware, receiving commands from a control server and relaying specific information and telemetry back to the control server, updating or deleting itself, stealing login and password information, logging keystrokes, participating in a Distributed Denial of Service (DDoS) attack, or locking and encrypting the contents of your computer and demanding payment for its safe return.

    Anonymous proxy

    A tool that attempts to make a user's activity untraceable. It acts as an intermediary between users and the Internet so that users can access the Internet anonymously. Users are often trying to bypass geographic restrictions or otherwise hide activity that they don't want traced to them.

    Phishing

    A social engineering technique that is used to obtain sensitive and confidential information by masquerading as communications from a trusted entity such as a well known institution, company, or website. The malware is typically not in the communication itself, but in the links within the communication.

    Spam

    A messaging technique in which a large volume of unsolicited messages is sent to a large number of recipients. The content of spam may be harmless, but it often carries malware, too.

    Tor

    A type of anonymous proxy that is available as software to facilitate anonymous web browsing on the Internet. Tor directs user web traffic through an overlay network to hide information about users. Users aim to keep communication on the Internet anonymous. Tor may allow users to circumvent security measures such as geographic restrictions or otherwise hide activity that they don't want traced to them.

    Others

    This includes other threats to which the FortiGuard IP Reputation service assigns a poor reputation, including virus-infected clients and malicious spiders/crawlers.

    APTs often mask their source IP using anonymizing proxies. While casual attackers will move on to easier potential targets if their initial attempts fail, APTs are motivated to persist until they achieve a successful breach. Early warning can be critical. Therefore even if some innocent anonymous clients use your web servers and you do not want to block them, you still may want to log proxied anonymous requests.

    Filtering your other attack logs by these anonymous IPs can help you to locate and focus on dangerous requests from these IPs, whether you want to use them to configure a defense, for law enforcement, or for forensic analysis.

  4. For the categories that you enabled, configure these settings:

    Action

    Select the action that FortiWeb takes when it detects the category:

    • Alert—Accept the request and generate an alert email and/or log message.

    • Alert & Deny—Block the request (or reset the connection) and generate an alert email and/or log message.

      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).

    • Deny (no log)—Block the request (or reset the connection).

    • Period Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.

      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).

      Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. For details, see Defining your proxies, clients, & X-headers. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type.

    • Redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. Also configure Redirect URL and Redirect URL With Reason.
    • Send 403 Forbidden—Reply with an HTTP 403 Access Forbidden error message and generate an alert and/or log message.

    Redirect and Send 403 Forbidden work at the HTTP level, so they require X-Forwarded-For to be configured in the web protection profile, and the Ignore X-Forwarded-For option on this page must be disabled. The X-Forwarded-For module examines client IP addresses at the HTTP level.

    Disabling X-Forwarded-For in either place causes FortiWeb to skip scanning IP addresses at the HTTP level. Only TCP-level violations are then blocked; HTTP-level violations are let through, and because Redirect and Send 403 Forbidden are HTTP-level actions, they are never triggered in this situation.

    Block Period

    Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects the category.

    This setting is available only if the Action is set to Period Block. The valid range is from 1 to 3,600 seconds (1 hour). For details, see Monitoring currently blocked IPs.

    Severity

    When categories are recorded in the attack log, each log message contains a Severity Level (severity_level) field. In each row, select which severity level the FortiWeb appliance will use when it logs a violation of the rule:

    • Informative
    • Low
    • Medium
    • High

    The default value is High.

    Trigger Action

    Select which trigger, if any, FortiWeb carries out when it logs and/or sends an alert email about the detection of a category. For details, see Viewing log messages.

    Ignore X-Forwarded-For

    By default, FortiWeb scans the IP addresses in the X-Forwarded-For header at the HTTP layer, which costs more resources than rating the TCP source address. To improve performance, you can enable Ignore X-Forwarded-For so that the address is scanned at the TCP layer instead, avoiding unnecessary processing of HTTP packets. Note that the address rated is then the TCP peer's address (behind a NAT load balancer, the load balancer's), and the HTTP-level actions Redirect and Send 403 Forbidden are not triggered.

  5. Click Apply.
  6. To apply your IP reputation policy, enable IP Reputation in a protection profile that is used by a server policy. For details, see Configuring a protection profile for inline topologies or Configuring a protection profile for an out-of-band topology or asynchronous mode of operation.

    Attack log messages contain Anonymous Proxy : IP Reputation Violation or Botnet : IP Reputation Violation when this feature detects a possible attack.
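The decision sequence the steps above describe (exemptions consulted first, then the category lookup, the per-category action, the Period Block timer, and the X-Forwarded-For caveats) as an added Python model. This is illustration code written for this page, not FortiWeb's implementation: the reputation feed, the exemption network, the trusted proxy address, the policy rows and the request arguments are all constructed sample data, and treating the right-most non-proxy X-Forwarded-For hop as the client is this example's own choice, one way of applying "Defining your proxies, clients, & X-headers".

```python
"""Model of a FortiWeb-style IP reputation policy decision. Added illustration,
not FortiWeb code: the feed, exemptions, proxies and policy rows below are
constructed sample data; category names, actions and the Block Period range
follow the guide."""
import ipaddress
import time

# Constructed reputation feed: public IP -> category. The real feed is the
# FortiGuard service, refreshed over time so recovered clients age out.
REPUTATION = {
    "198.51.100.7": "Botnet",
    "203.0.113.44": "Anonymous Proxy",
    "203.0.113.99": "Tor",
    "192.0.2.10": "Spam",
    "192.0.2.77": "Spam",
}

# Step 1: exemptions for known-good clients that the feed flags anyway.
EXEMPTIONS = [ipaddress.ip_network("192.0.2.64/26")]

# The NAT load balancer in front of FortiWeb (constructed address). Only a
# connection from a defined proxy may assert a client IP via the header.
TRUSTED_PROXIES = {"10.0.0.5"}

# Steps 3-4: enabled categories and their rows. Severity defaults to High.
POLICY = {
    "Botnet":          {"action": "Period Block", "block_period": 600},
    "Anonymous Proxy": {"action": "Alert"},          # log only: early warning, no block
    "Tor":             {"action": "Send 403 Forbidden"},
    "Spam":            {"action": "Alert & Deny", "severity": "Medium"},
}
HTTP_LEVEL_ACTIONS = {"Redirect", "Send 403 Forbidden"}

# Period Block state: client IP -> unix time at which the block expires.
BLOCKED = {}


def client_ip(tcp_src, xff, ignore_xff):
    """Return (ip, layer). With X-Forwarded-For honoured and the TCP peer being
    one of our proxies, take the right-most hop that is not a proxy: it is the
    last address handed to us by a party we do not control; everything to its
    left is client-supplied and trivially spoofable."""
    if ignore_xff or not xff or tcp_src not in TRUSTED_PROXIES:
        return tcp_src, "tcp"
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        if hop not in TRUSTED_PROXIES:
            return hop, "http"
    return tcp_src, "tcp"


def evaluate(tcp_src, xff=None, ignore_xff=False, now=None):
    """Decide what happens to one request; returns the action and the attack-log
    record that would be written (None when nothing is logged)."""
    now = time.time() if now is None else now
    ip, layer = client_ip(tcp_src, xff, ignore_xff)
    result = {"ip": ip, "layer": layer, "action": "Accept", "log": None}

    # A running Period Block is enforced without re-evaluating the request.
    if BLOCKED.get(ip, 0) > now:
        result["action"] = "Period Block"
        return result
    # Exemptions are consulted before the reputation lookup.
    if any(ipaddress.ip_address(ip) in net for net in EXEMPTIONS):
        return result
    category = REPUTATION.get(ip)
    row = POLICY.get(category)
    if row is None:
        return result

    action = row["action"]
    # Redirect and 403 are HTTP responses. With the header ignored the check
    # ran at TCP level, where those actions cannot fire, so the request passes.
    if action in HTTP_LEVEL_ACTIONS and layer == "tcp":
        result["note"] = f"{category}: {action} not triggered at TCP level"
        return result
    if action == "Period Block":
        period = row["block_period"]
        if not 1 <= period <= 3600:
            raise ValueError("Block Period must be 1..3600 seconds")
        BLOCKED[ip] = now + period

    result["action"] = action
    if action != "Deny (no log)":
        result["log"] = {
            "src": ip,
            "severity_level": row.get("severity", "High"),
            "msg": f"{category} : IP Reputation Violation",
        }
    return result


if __name__ == "__main__":
    for args in [dict(tcp_src="10.0.0.5", xff="203.0.113.44"),
                 dict(tcp_src="10.0.0.5", xff="9.9.9.9, 198.51.100.7"),
                 dict(tcp_src="203.0.113.99", ignore_xff=True)]:
        print(args, "->", evaluate(**args))
```

The model makes the two deployment traps visible: a request whose TCP peer is not a defined proxy has its header ignored entirely (otherwise any client could rate-shop by forging it), and with Ignore X-Forwarded-For set the Tor client gets through because a 403 cannot be produced at the TCP layer, whereas the Spam client is still denied.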

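Once the policy is logging, the triage the guide recommends for anonymous-proxy traffic (find the addresses flagged by the feed, then pull every other attack-log entry those addresses generated) can be scripted against the attack log. The following is an added Python example, not FortiWeb code; the log lines are constructed in a key=value style, and apart from the severity_level field and the "... : IP Reputation Violation" message text quoted above, the field names (src, dst, action, sub_type, url) are assumed for illustration.

```python
"""Triage helper for IP Reputation hits in attack logs. Added illustration,
not FortiWeb code: the log lines are constructed, and field names other than
severity_level and msg are assumed."""
import re
from collections import defaultdict

# Constructed sample: one reputation hit followed by two attacks from the
# same anonymous-proxy address, one botnet hit, and unrelated noise.
LOG_LINES = """\
date=2024-05-01 time=10:01:02 type=attack sub_type="IP Reputation" severity_level=High src=203.0.113.44 dst=10.1.1.10 action=Alert msg="Anonymous Proxy : IP Reputation Violation"
date=2024-05-01 time=10:01:05 type=attack sub_type="SQL Injection" severity_level=High src=203.0.113.44 dst=10.1.1.10 action=Alert_Deny msg="SQL Injection Detected" url="/login?user=a' OR 1=1--"
date=2024-05-01 time=10:02:11 type=attack sub_type="IP Reputation" severity_level=High src=198.51.100.7 dst=10.1.1.10 action=Period_Block msg="Botnet : IP Reputation Violation"
date=2024-05-01 time=10:03:40 type=attack sub_type="Cross Site Scripting" severity_level=Medium src=192.0.2.200 dst=10.1.1.10 action=Alert msg="Cross Site Scripting Detected"
date=2024-05-01 time=10:04:02 type=attack sub_type="Directory Traversal" severity_level=High src=203.0.113.44 dst=10.1.1.10 action=Alert msg="Directory Traversal Detected" url="/../../etc/passwd"
"""

# key=value pairs; quoted values may contain spaces, '=' and attack payloads,
# so the quoted alternative is tried first and consumed whole.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
REPUTATION_MSG = re.compile(r"^(?P<category>.+?) : IP Reputation Violation$")


def parse_line(line):
    rec = {}
    for m in KV.finditer(line):
        rec[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def reputation_hits(records):
    """Source IP -> set of categories the feed flagged it with."""
    hits = defaultdict(set)
    for r in records:
        m = REPUTATION_MSG.match(r.get("msg", ""))
        if m:
            hits[r["src"]].add(m.group("category"))
    return dict(hits)


def correlate(records, categories=None):
    """The other attack-log records from flagged IPs (optionally only IPs in
    the given categories): what those clients did beyond being disreputable."""
    hits = reputation_hits(records)
    if categories:
        hits = {ip: c for ip, c in hits.items() if c & set(categories)}
    return [r for r in records
            if r.get("src") in hits and not REPUTATION_MSG.match(r.get("msg", ""))]


def summary(records):
    """Per flagged IP: its categories and the distinct attack types that followed."""
    out = {}
    followups = correlate(records)
    for ip, cats in reputation_hits(records).items():
        kinds = sorted({r["sub_type"] for r in followups if r["src"] == ip})
        out[ip] = {"categories": sorted(cats), "followups": kinds}
    return out


if __name__ == "__main__":
    for ip, info in summary(parse_log(LOG_LINES)).items():
        print(ip, info)
```

Running it against a real export, an address that is only an anonymous proxy and produced nothing else is a candidate for the Exceptions tab (or for leaving the category at Alert), while one that went on to inject SQL and traverse directories is the one worth a Period Block and a closer look in the forensic timeline.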
See also