Administration Guide

Configuring Intrusion Detection

FortiRecorder features an intrusion detection mechanism that blocks an IP address once the number of failed login attempts from that address reaches the threshold.

The blocking duration is based on the login history of the IP address. The more the IP address has been blocked in the past, the longer the IP address will remain blocked. The maximum time an IP address can be blocked is 45 days.

As an example, if you set the initial block period to 10 minutes, the actual maximum block time can be up to 2 hours, depending on the number of violations from that address. If you set it to 30 minutes, the block time can be up to 12 hours. To limit the impact of false positives, avoid a long initial block period. The recommended setting is less than 30 minutes. The default setting is 10 minutes.

If a user has consecutive unsuccessful login attempts within a certain period of time, the user’s IP address is automatically added to an auto/dynamic exempt list.

To configure intrusion detection
  1. Go to Security > Intrusion Detection > Settings.
  2. Configure the following settings:

    Status
      Select Enable, Disable, or Monitor only.

    Access tracking
      Enable or disable which types of login access are tracked: CLI or Web. CLI is access via SSH; Web is the admin and webmail access via HTTP(S).

    Initial block period
      Specify how long the IP address will be blocked after its failed login attempts reach the threshold for the first time. The actual block time is increased for repeat offenders.

  3. Select Apply.

To manually exempt IP addresses from authentication reputation tracking
  1. Go to Security > Intrusion Detection > Exempt IP.
  2. Select New.
  3. Enter the IP address and netmask.
  4. Select Create.

To remove IPs from the auto exempt list
  1. Go to Security > Intrusion Detection > Auto Exempt IP.
  2. Select the desired IP address.
  3. Select the delete button.
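The mechanism described above (a per-address failure threshold, a block that grows with the address's login history up to the 45-day cap, the Access tracking choice of CLI and/or Web, Monitor only status, and a manual exempt list) is easy to reason about once it is written out. The following is an added example written for this page; it is not FortiRecorder code and does not reproduce the appliance's real schedule. The threshold (3), the counting window (5 minutes), the doubling of the block period after each past block, the log format and the sample log lines are all constructed assumptions; the 10-minute default and the 45-day maximum are taken from the page.

```python
import re
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

MAX_BLOCK_MINUTES = 45 * 24 * 60   # page: an address is blocked for at most 45 days
DEFAULT_INITIAL_MINUTES = 10       # page: default initial block period


def block_duration_minutes(times_blocked, initial_minutes=DEFAULT_INITIAL_MINUTES):
    """Block length for an address already blocked `times_blocked` times before.
    ASSUMPTION: the page only says repeat offenders stay blocked longer, up to 45
    days; doubling per past block is a modelling choice, not the real schedule."""
    return min(initial_minutes * 2 ** times_blocked, MAX_BLOCK_MINUTES)


@dataclass
class IpState:
    failures: list = field(default_factory=list)   # failure timestamps inside the window
    times_blocked: int = 0                          # login history that drives escalation
    blocked_until: Optional[datetime] = None


class IntrusionDetector:
    """Hypothetical model of the Security > Intrusion Detection settings."""

    def __init__(self, threshold=3, window_minutes=5, initial_minutes=DEFAULT_INITIAL_MINUTES,
                 tracked=("cli", "web"), exempt=(), monitor_only=False):
        self.threshold = threshold                          # ASSUMED; the page gives no number
        self.window = timedelta(minutes=window_minutes)     # ASSUMED counting window
        self.initial_minutes = initial_minutes
        self.tracked = set(tracked)                         # Access tracking: CLI and/or Web
        self.exempt = [ipaddress.ip_network(n) for n in exempt]   # manual Exempt IP entries
        self.monitor_only = monitor_only                    # Status = Monitor only: record, never block
        self.state = {}

    def is_exempt(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.exempt)

    def is_blocked(self, ip, now):
        st = self.state.get(ip)
        if self.monitor_only or st is None or st.blocked_until is None:
            return False
        return now < st.blocked_until

    def record_failure(self, ip, access, now):
        """Count one failed login. Returns (violation, blocked_until)."""
        if access not in self.tracked or self.is_exempt(ip):
            return False, None
        st = self.state.setdefault(ip, IpState())
        st.failures = [t for t in st.failures if now - t <= self.window]
        st.failures.append(now)
        if len(st.failures) < self.threshold:
            return False, None
        minutes = block_duration_minutes(st.times_blocked, self.initial_minutes)
        st.times_blocked += 1          # history grows, so the next block is longer
        st.failures = []
        st.blocked_until = now + timedelta(minutes=minutes)
        return True, st.blocked_until


# Constructed sample log (not real FortiRecorder output): two bursts from one
# address twelve minutes apart, and one burst from inside the exempt range.
SAMPLE_LOG = """\
2024-05-01 10:00:01 web login failed user=admin src=203.0.113.7
2024-05-01 10:00:04 cli login failed user=admin src=203.0.113.7
2024-05-01 10:00:09 web login failed user=root src=203.0.113.7
2024-05-01 10:00:10 web login failed user=admin src=198.51.100.20
2024-05-01 10:00:11 web login failed user=admin src=198.51.100.20
2024-05-01 10:00:12 web login failed user=admin src=198.51.100.20
2024-05-01 10:12:00 web login failed user=admin src=203.0.113.7
2024-05-01 10:12:02 web login failed user=admin src=203.0.113.7
2024-05-01 10:12:04 web login failed user=admin src=203.0.113.7
"""

LOG_RE = re.compile(r"^(\S+ \S+) (cli|web) login failed user=\S+ src=(\S+)$")


def process_log(text, detector=None):
    """Replay log lines through the detector; returns (ip, blocked_until, offence_no) events."""
    det = detector if detector is not None else IntrusionDetector(exempt=("198.51.100.0/24",))
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, access, ip = m.groups()
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if det.is_blocked(ip, now):
            continue   # attempts from a blocked address are rejected, not counted again
        violation, until = det.record_failure(ip, access, now)
        if violation:
            events.append((ip, until.isoformat(sep=" "), det.state[ip].times_blocked))
    return events


if __name__ == "__main__":
    for ip, until, n in process_log(SAMPLE_LOG):
        print(f"{ip} blocked until {until} (offence #{n})")
```

Replaying the sample with the defaults shows the second burst from 203.0.113.7 earning a 20-minute block instead of 10, while 198.51.100.20 is never blocked because it falls inside the exempt range. Running the same log with `tracked=("web",)` drops the SSH failure from the count, so the first burst never reaches the threshold; that is the operational effect of the Access tracking setting, and the reason to track both access types on an appliance whose CLI is reachable from untrusted networks.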