Administration Guide

Configuring intrusion detection

Intrusion attempt detection can block an IP address once the number of failed login attempts from that address reaches the threshold.

The blocking duration is based on the history of the IP address. If the IP address has been blocked in the past, FortiRecorder blocks it for a longer time. The maximum time an IP address can be blocked is 45 days.

For example, if you set the initial block period to 10 minutes, depending on the user's number of violations, the actual maximum block time can be up to 2 hours. If you set it to 30 minutes, the block time can be up to 12 hours.

If a user has consecutive unsuccessful login attempts within a certain period of time, the user's IP address is automatically added to an automatic dynamic exempt list.

To configure intrusion detection

  1. Go to Security > Intrusion Detection > Settings.
  2. Configure the following settings:

    Setting Name          Description

    Status                Select Enable, Disable, or Monitor only (log, but do not block).

    Access tracking       Enable or disable which types of login access are tracked: CLI or Web. CLI is access via SSH or Telnet; Web is GUI access via HTTP(S).

    Initial block period  Specify how long the IP address is blocked after its failed login attempts reach the threshold for the first time. The actual block time is increased for repeat offenders. The default setting is 10 minutes.

    Tip: To avoid false positives, avoid a long initial block period. The recommended setting is less than 30 minutes.

  3. Click Apply.

To manually exempt IP addresses from authentication reputation tracking

  1. Go to Security > Intrusion Detection > Exempt IP.
  2. Click New.
  3. Enter the IP address and netmask.
  4. Click Create.

To remove IP addresses from the auto exempt list

  1. Go to Security > Intrusion Detection > Auto Exempt IP.
  2. Select the IP address.
  3. Click Delete.
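The following is an added example that models the policy described above so an administrator can reason about how threshold, initial block period, Monitor only mode, access tracking and the Exempt IP list interact before applying a setting. It is not FortiRecorder code. The 45-day ceiling and the 10-minute default come from this guide; the failure threshold value and the doubling of the block period for each previous block are assumptions, since the guide does not state the escalation schedule, and the model does not reproduce the 2-hour and 12-hour maxima quoted above.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

MAX_BLOCK = timedelta(days=45)  # hard ceiling stated in the guide


@dataclass
class IntrusionDetection:
    """Model of the Security > Intrusion Detection settings (constructed example)."""
    threshold: int = 5                                  # failed attempts per IP before a block (assumed value)
    initial_block: timedelta = timedelta(minutes=10)    # "Initial block period", guide default
    monitor_only: bool = False                          # Status = Monitor only: log, do not block
    track_cli: bool = True                              # Access tracking: CLI (SSH/Telnet)
    track_web: bool = True                              # Access tracking: Web (HTTP(S) GUI)
    exempt: list = field(default_factory=list)          # manually exempted networks (Exempt IP page)
    failures: dict = field(default_factory=dict)        # ip -> consecutive failed attempts
    offenses: dict = field(default_factory=dict)        # ip -> number of past blocks
    blocked_until: dict = field(default_factory=dict)   # ip -> datetime the block expires
    log: list = field(default_factory=list)             # what Monitor only mode would log

    def exempt_network(self, cidr: str) -> None:
        """Add an IP address plus netmask, as entered on the Exempt IP page."""
        self.exempt.append(ip_network(cidr, strict=False))

    def is_exempt(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in net for net in self.exempt)

    def is_blocked(self, ip: str, now: datetime) -> bool:
        until = self.blocked_until.get(ip)
        return until is not None and now < until

    def block_duration(self, ip: str) -> timedelta:
        """Longer blocks for repeat offenders. Assumption: the period doubles for
        every previous block; the guide only states the 45-day ceiling."""
        duration = self.initial_block * (2 ** self.offenses.get(ip, 0))
        return min(duration, MAX_BLOCK)

    def record_login(self, ip: str, access: str, success: bool, now: datetime) -> str:
        """Feed one login attempt; returns untracked, exempt, blocked or allowed."""
        tracked = (access == "cli" and self.track_cli) or (access == "web" and self.track_web)
        if not tracked:
            return "untracked"
        if self.is_exempt(ip):
            return "exempt"
        if self.is_blocked(ip, now):
            return "blocked"
        if success:
            self.failures.pop(ip, None)      # a successful login clears the failure streak
            return "allowed"
        count = self.failures.get(ip, 0) + 1
        self.failures[ip] = count
        if count < self.threshold:
            return "allowed"
        duration = self.block_duration(ip)
        self.offenses[ip] = self.offenses.get(ip, 0) + 1
        self.failures[ip] = 0
        self.log.append(f"{now.isoformat()} {ip}: {count} failed {access} logins, block {duration}")
        if self.monitor_only:
            return "allowed"                 # logged but not enforced
        self.blocked_until[ip] = now + duration
        return "blocked"


if __name__ == "__main__":
    ids = IntrusionDetection(threshold=3)
    ids.exempt_network("10.0.0.0/24")        # constructed management subnet
    t = datetime(2024, 1, 1, 12, 0, 0)
    for i in range(3):
        print(ids.record_login("198.51.100.7", "cli", False, t + timedelta(seconds=i)))
    print(ids.block_duration("198.51.100.7"), ids.log)
```

Running the model with Monitor only enabled shows which addresses would have been blocked without locking anyone out, which is the safe way to tune the threshold and initial block period; adding the management subnet to the exempt list first keeps administrators out of the tracking entirely.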
