
Administration Guide

Configuring authentication reputation


FortiMail includes an authentication mechanism that blocks an IP address when the failed login attempts from that IP address reach the threshold.

You can control access to FortiMail by access types:

  • CLI: access via SSH
  • Mail: mail access via SMTP(S), IMAP(S), POP3(S)
  • Web: admin and webmail access via HTTP(S)

The blocking duration is based on the login history of the IP address: the more often the IP address has been blocked in the past, the longer it will be blocked. The maximum time an IP address can be blocked is 45 days. For example, if you set the initial block period to 10 minutes, the actual maximum block time can be up to two hours, depending on the user’s number of violations. If you set it to 30 minutes, the actual block time can be up to 12 hours. If you set it to more than 70 minutes, the actual block time can be up to 45 days.

Therefore, to avoid false positives, a long initial block period is not recommended. The recommended setting is less than 30 minutes. The default setting is 10 minutes.

If a user has consecutive successful logins within a period of time, the user’s IP address will be automatically added to an auto/dynamic exempt list.

You can also manually exempt IP addresses from failed login attempt tracking and blocking.

To view information about blocked IP addresses, go to Monitor > Reputation > Authentication Reputation. See Viewing authentication reputation statuses.

To configure authentication reputation settings
  1. Go to Security > Authentication Reputation > Setting.
  2. Configure the following:

GUI item and description:

  • Status: Select Enable, Disable, or Monitor only. Monitor only means that failed login attempts will be counted and scored, but the IP address will not be blocked.
  • Access Tracking: Enable or disable the types of login access to be tracked: CLI, Mail, or Web.
  • Initial block period: Specify how long the IP address will be blocked after its failed login attempts reach the threshold for the first time. The actual block time is increased for repeat offenders. See the description of the blocking duration above.

To manually exempt IP addresses from authentication reputation tracking
  1. Go to Security > Authentication Reputation > Exempt.
  2. Click New.
  3. Enter the IP address and netmask.
  4. Click Create.

To manage the auto exempt list
  1. Go to Security > Authentication Reputation > Auto Exempt.
  2. The exempted IP addresses are displayed.
  3. To remove an IP address from the list, select the IP address and click Delete.
