
New Features

Dynamic BGP learning of ISDB reputation IPs

Dynamic BGP learning of ISDB reputation IPs

This information is also available in the FortiOS 8.0 Administration Guide.

Dynamic BGP-based learning is added for the Botnet and Spam ISDB categories. The FortiGate can now automatically receive and advertise the IP addresses in these categories over BGP, enabling more responsive, threat-aware routing.

config router bgp
    config network
        edit <id>
            set internet-service-name {Botnet-C&C.Server | Spam-Spamming.Server}
        next
    end
end
To test using the Botnet-C&C.Server internet service:
  1. Configure BGP:

    config router bgp
        set as 65412
        set router-id 2.2.2.2
        set network-import-check disable
        config neighbor
            edit "3.3.3.3"
                set advertisement-interval 5
                set capability-graceful-restart enable
                set ebgp-enforce-multihop enable
                set next-hop-self enable
                set soft-reconfiguration enable
                set remote-as 65412
                set route-map-out "as-prepend"
                set keep-alive-timer 30
                set holdtime-timer 90
                set update-source "loopback1"
            next
        end
        config network
            edit 1
                set prefix 172.28.1.0 255.255.255.0
            next
            edit 2
                set prefix 172.28.2.0 255.255.255.0
            next
            edit 3
                set prefix 172.25.1.0 255.255.255.0
            next
            edit 4
                set internet-service-name "Botnet-C&C.Server"
            next
        end
        config network6
            edit 1
                set prefix6 2000:172:27:1::/64
            next
        end
    end
  2. Check the IP addresses contained in the internet service ID:

    # diagnose internet-service id 3080383
    ...
    222.158.197.138-222.158.197.138 country(392) region(65535) city(65535) blocklist(0x1) reputation(1), popularity(1) domain(0) botnet(7630624) proto(6) port(80)
    222.165.194.68-222.165.194.68 country(360) region(65535) city(65535) blocklist(0x1) reputation(1), popularity(1) domain(0) botnet(7630624) proto(6) port(50486)
    222.165.205.154-222.165.205.154 country(360) region(65535) city(65535) blocklist(0x1) reputation(1), popularity(1) domain(0) botnet(7630624) proto(6) port(8089)
    222.173.92.154-222.173.92.154 country(156) region(65535) city(65535) blocklist(0x1) reputation(1), popularity(1) domain(0) botnet(7630624) proto(6) port(32075)
    222.191.243.187-222.191.243.187 country(156) region(65535) city(65535) blocklist(0x1) reputation(1), popularity(1) domain(0) botnet(7630624) proto(6) port(45730)
    222.211.72.29-222.211.72.29 country(156) region(65535) city(65535) blocklist(0x1) reputation(1), popularity(1) domain(0) botnet(7630020) proto(6) port(80)
    222.217.68.17-222.217.68.17 country(156) region(65535) city(65535) blocklist(0x1) reputation(1), popularity(1) domain(0) botnet(7630624) proto(6) port(35165)
    222.252.23.5-222.252.23.5 country(704) region(65535) city(65535) blocklist(0x1) reputation(1), popularity(1) domain(0) botnet(7630624) proto(6) port(8080)
    223.100.166.3-223.100.166.3 country(156) region(65535) city(65535) blocklist(0x1) reputation(1), popularity(1) domain(0) botnet(7630624) proto(6) port(49247)
    223.165.243.209-223.165.243.209 country(410) region(65535) city(65535) blocklist(0x1) reputation(1), popularity(1) domain(0) botnet(7630624) proto(6) port(47205)
  3. On the BGP peer, verify that the IP addresses of this internet service have been learned as /32 BGP routes:

    # get router info routing-table bgp
    ...
    B       221.194.47.218/32 [200/0] via 2.2.2.2 (recursive via 172.16.200.2, port1), 00:00:15, [1/0]
    B       221.229.204.124/32 [200/0] via 2.2.2.2 (recursive via 172.16.200.2, port1), 00:00:15, [1/0]
    B       222.129.33.141/32 [200/0] via 2.2.2.2 (recursive via 172.16.200.2, port1), 00:00:15, [1/0]
    B       222.129.35.9/32 [200/0] via 2.2.2.2 (recursive via 172.16.200.2, port1), 00:00:15, [1/0]
    B       222.158.197.138/32 [200/0] via 2.2.2.2 (recursive via 172.16.200.2, port1), 00:00:15, [1/0]
    B       222.165.194.68/32 [200/0] via 2.2.2.2 (recursive via 172.16.200.2, port1), 00:00:15, [1/0]
    B       222.165.205.154/32 [200/0] via 2.2.2.2 (recursive via 172.16.200.2, port1), 00:00:15, [1/0]
    B       222.173.92.154/32 [200/0] via 2.2.2.2 (recursive via 172.16.200.2, port1), 00:00:15, [1/0]
    B       222.191.243.187/32 [200/0] via 2.2.2.2 (recursive via 172.16.200.2, port1), 00:00:15, [1/0]
    B       222.211.72.29/32 [200/0] via 2.2.2.2 (recursive via 172.16.200.2, port1), 00:00:15, [1/0]
    B       222.217.68.17/32 [200/0] via 2.2.2.2 (recursive via 172.16.200.2, port1), 00:00:15, [1/0]
    B       222.252.23.5/32 [200/0] via 2.2.2.2 (recursive via 172.16.200.2, port1), 00:00:15, [1/0]
    B       223.100.166.3/32 [200/0] via 2.2.2.2 (recursive via 172.16.200.2, port1), 00:00:15, [1/0]
    B       223.165.243.209/32 [200/0] via 2.2.2.2 (recursive via 172.16.200.2, port1), 00:00:14, [1/0]

Dynamic BGP learning of ISDB reputation IPs

Dynamic BGP learning of ISDB reputation IPs

This information is also available in the FortiOS 8.0 Administration Guide.

Dynamic BGP-based learning is added for the Botnet and Spam ISDB categories. The FortiGate can now automatically receive and advertise the IP addresses in these categories over BGP, enabling more responsive, threat-aware routing.

config router bgp
    config network
        edit <id>
            set internet-service-name {Botnet-C&C.Server | Spam-Spamming.Server}
        next
    end
end
To test using the Botnet-C&C.Server internet service:
  1. Configure BGP:

    config router bgp
        set as 65412
        set router-id 2.2.2.2
        set network-import-check disable
        config neighbor
            edit "3.3.3.3"
                set advertisement-interval 5
                set capability-graceful-restart enable
                set ebgp-enforce-multihop enable
                set next-hop-self enable
                set soft-reconfiguration enable
                set remote-as 65412
                set route-map-out "as-prepend"
                set keep-alive-timer 30
                set holdtime-timer 90
                set update-source "loopback1"
            next
        end
        config network
            edit 1
                set prefix 172.28.1.0 255.255.255.0
            next
            edit 2
                set prefix 172.28.2.0 255.255.255.0
            next
            edit 3
                set prefix 172.25.1.0 255.255.255.0
            next
            edit 4
                set internet-service-name "Botnet-C&C.Server"
            next
        end
        config network6
            edit 1
                set prefix6 2000:172:27:1::/64
            next
        end
    end
  2. Check the IP addresses contained in the internet service ID:

    # diagnose internet-service id 3080383
    ...
    222.158.197.138-222.158.197.138 country(392) region(65535) city(65535) blocklist(0x1) reputation(1), popularity(1) domain(0) botnet(7630624) proto(6) port(80)
    222.165.194.68-222.165.194.68 country(360) region(65535) city(65535) blocklist(0x1) reputation(1), popularity(1) domain(0) botnet(7630624) proto(6) port(50486)
    222.165.205.154-222.165.205.154 country(360) region(65535) city(65535) blocklist(0x1) reputation(1), popularity(1) domain(0) botnet(7630624) proto(6) port(8089)
    222.173.92.154-222.173.92.154 country(156) region(65535) city(65535) blocklist(0x1) reputation(1), popularity(1) domain(0) botnet(7630624) proto(6) port(32075)
    222.191.243.187-222.191.243.187 country(156) region(65535) city(65535) blocklist(0x1) reputation(1), popularity(1) domain(0) botnet(7630624) proto(6) port(45730)
    222.211.72.29-222.211.72.29 country(156) region(65535) city(65535) blocklist(0x1) reputation(1), popularity(1) domain(0) botnet(7630020) proto(6) port(80)
    222.217.68.17-222.217.68.17 country(156) region(65535) city(65535) blocklist(0x1) reputation(1), popularity(1) domain(0) botnet(7630624) proto(6) port(35165)
    222.252.23.5-222.252.23.5 country(704) region(65535) city(65535) blocklist(0x1) reputation(1), popularity(1) domain(0) botnet(7630624) proto(6) port(8080)
    223.100.166.3-223.100.166.3 country(156) region(65535) city(65535) blocklist(0x1) reputation(1), popularity(1) domain(0) botnet(7630624) proto(6) port(49247)
    223.165.243.209-223.165.243.209 country(410) region(65535) city(65535) blocklist(0x1) reputation(1), popularity(1) domain(0) botnet(7630624) proto(6) port(47205)
  3. On the BGP peer, verify that the IP addresses of this internet service have been learned as /32 BGP routes:

    # get router info routing-table bgp
    ...
    B       221.194.47.218/32 [200/0] via 2.2.2.2 (recursive via 172.16.200.2, port1), 00:00:15, [1/0]
    B       221.229.204.124/32 [200/0] via 2.2.2.2 (recursive via 172.16.200.2, port1), 00:00:15, [1/0]
    B       222.129.33.141/32 [200/0] via 2.2.2.2 (recursive via 172.16.200.2, port1), 00:00:15, [1/0]
    B       222.129.35.9/32 [200/0] via 2.2.2.2 (recursive via 172.16.200.2, port1), 00:00:15, [1/0]
    B       222.158.197.138/32 [200/0] via 2.2.2.2 (recursive via 172.16.200.2, port1), 00:00:15, [1/0]
    B       222.165.194.68/32 [200/0] via 2.2.2.2 (recursive via 172.16.200.2, port1), 00:00:15, [1/0]
    B       222.165.205.154/32 [200/0] via 2.2.2.2 (recursive via 172.16.200.2, port1), 00:00:15, [1/0]
    B       222.173.92.154/32 [200/0] via 2.2.2.2 (recursive via 172.16.200.2, port1), 00:00:15, [1/0]
    B       222.191.243.187/32 [200/0] via 2.2.2.2 (recursive via 172.16.200.2, port1), 00:00:15, [1/0]
    B       222.211.72.29/32 [200/0] via 2.2.2.2 (recursive via 172.16.200.2, port1), 00:00:15, [1/0]
    B       222.217.68.17/32 [200/0] via 2.2.2.2 (recursive via 172.16.200.2, port1), 00:00:15, [1/0]
    B       222.252.23.5/32 [200/0] via 2.2.2.2 (recursive via 172.16.200.2, port1), 00:00:15, [1/0]
    B       223.100.166.3/32 [200/0] via 2.2.2.2 (recursive via 172.16.200.2, port1), 00:00:15, [1/0]
    B       223.165.243.209/32 [200/0] via 2.2.2.2 (recursive via 172.16.200.2, port1), 00:00:14, [1/0]