Fortinet black logo

New Features

Add persistency for banned IP list 7.2.1

Copy Link
Copy Doc ID 77966226-6996-11ec-bdf2-fa163e15d75b:254736
Download PDF

Add persistency for banned IP list 7.2.1

The banned-ip-persistency option configures whether the banned IP list persists through a power cycle.

config firewall global
    set banned-ip-persistency {disabled | permanent-only | all}
end

banned-ip-persistency {disabled | permanent-only | all}

Set the persistency of banned IPs across power cycling:

  • disabled: no entries are kept across power cycling (default).
  • permanent-only: only permanent IP bans are kept across power cycling.
  • all: all IP bans are kept across power cycling.

The banned IP list is created from quarantining. For example, when quarantining is enabled for IPS, application control, and DDoS. Permanent quarantining can be added manually using diagnose user banned-ip add src4.

The diagnose user quarantine <parameter> command has changed to diagnose user banned-ip <parameter>.

Example 1: keep all banned IPs across power cycling

When banned-ip-persistency is set to all, all the banned IPs are saved after a reboot. In this example, an application control security profile with quarantining is already configured. After traffic is generated that triggers the quarantine rule, a quarantine list is generated.

To view the list of banned IPs:
# diagnose user banned-ip list
src-ip-addr       created                  expires                  cause
10.1.100.12       Tue Jul  5 18:01:05 2022 Tue Jul  5 18:21:05 2022 APP

After a reboot, the banned IP list is the same:

# diagnose user banned-ip list
src-ip-addr       created                  expires                  cause
10.1.100.12       Tue Jul  5 18:01:05 2022 Tue Jul  5 18:21:05 2022 APP

Example 2: keep only permanent banned IPs across power cycling

When banned-ip-persistency is set to permanent-only, only banned IPs with an indefinite expiry time are saved after a reboot. The permanent IP ban was already configured for 10.1.100.11 using diagnose user banned-ip add src4 10.1.100.11 0 ips.

To view the list of banned IPs:
# diagnose user banned-ip list
src-ip-addr       created                  expires                  cause
10.1.100.12       Tue Jul  5 18:01:05 2022 Tue Jul  5 18:21:05 2022 APP
10.1.100.11       Tue Jul  5 18:06:35 2022 indefinite               IPS

After a reboot, only 10.1.100.11 remains in the banned IP list:

# diagnose user banned-ip list
src-ip-addr       created                  expires                  cause
10.1.100.11       Tue Jul  5 18:06:35 2022 indefinite               IPS

Add persistency for banned IP list 7.2.1

The banned-ip-persistency option configures whether the banned IP list persists through a power cycle.

config firewall global
    set banned-ip-persistency {disabled | permanent-only | all}
end

banned-ip-persistency {disabled | permanent-only | all}

Set the persistency of banned IPs across power cycling:

  • disabled: no entries are kept across power cycling (default).
  • permanent-only: only permanent IP bans are kept across power cycling.
  • all: all IP bans are kept across power cycling.

The banned IP list is created from quarantining. For example, when quarantining is enabled for IPS, application control, and DDoS. Permanent quarantining can be added manually using diagnose user banned-ip add src4.

The diagnose user quarantine <parameter> command has changed to diagnose user banned-ip <parameter>.

Example 1: keep all banned IPs across power cycling

When banned-ip-persistency is set to all, all the banned IPs are saved after a reboot. In this example, an application control security profile with quarantining is already configured. After traffic is generated that triggers the quarantine rule, a quarantine list is generated.

To view the list of banned IPs:
# diagnose user banned-ip list
src-ip-addr       created                  expires                  cause
10.1.100.12       Tue Jul  5 18:01:05 2022 Tue Jul  5 18:21:05 2022 APP

After a reboot, the banned IP list is the same:

# diagnose user banned-ip list
src-ip-addr       created                  expires                  cause
10.1.100.12       Tue Jul  5 18:01:05 2022 Tue Jul  5 18:21:05 2022 APP

Example 2: keep only permanent banned IPs across power cycling

When banned-ip-persistency is set to permanent-only, only banned IPs with an indefinite expiry time are saved after a reboot. The permanent IP ban was already configured for 10.1.100.11 using diagnose user banned-ip add src4 10.1.100.11 0 ips.

To view the list of banned IPs:
# diagnose user banned-ip list
src-ip-addr       created                  expires                  cause
10.1.100.12       Tue Jul  5 18:01:05 2022 Tue Jul  5 18:21:05 2022 APP
10.1.100.11       Tue Jul  5 18:06:35 2022 indefinite               IPS

After a reboot, only 10.1.100.11 remains in the banned IP list:

# diagnose user banned-ip list
src-ip-addr       created                  expires                  cause
10.1.100.11       Tue Jul  5 18:06:35 2022 indefinite               IPS