IP Protection

You can block requests from clients based upon their source IP address directly, their current reputation known to FortiGuard, or which country or region the IP address is associated with.

Conversely, you can also exempt clients from scans typically included by the policy.

To configure IP Protection, you must have already enabled this module in Add Modules. See How to add or remove a module.

IP reputation

You can configure FortiWeb Cloud to block client access based on up-to-date threat intelligence. This blocks the following types of clients:

  • botnets
  • spammers
  • phishers
  • malicious spiders/crawlers
  • virus-infected clients
  • clients using anonymizing proxies
  • DDoS participants

IP reputation leverages many techniques for accurate, early, and frequently updated identification of compromised and malicious clients so you can block attackers before they target your servers. Data about dangerous clients derives from many sources around the globe, including:

  • FortiGuard service statistics
  • honeypots
  • botnet forensic analysis
  • anonymizing proxies
  • 3rd party sources in the security community

From these sources, Fortinet compiles a reputation for each public IP address. Clients will have poor reputations if they have been participating in attacks, willingly or otherwise. Because blocking innocent clients is equally undesirable, Fortinet also restores the reputations of clients that have improved their behaviors. This is crucial when an infected computer is cleaned, or in DHCP or PPPoE pools where an innocent client receives an IP address that was previously leased by an attacker.

Go to ACCESS RULES > IP Protection to enable IP Reputation.

Geo IP Block

To configure blocking by geography, select one or more geographical regions that you want to block from the Country list, then click the right arrow or double-click the countries to move them to the Selected Country list on the right.

In addition to countries, the Country list also includes distinct territories within a country, such as Puerto Rico, and regions that are not associated with any country, such as Antarctica.

IP list

You can define which source IP addresses are trusted, distrusted, or allowed.

In the IP List section, configure these settings.

Type

  • Block IP—The source IP address is distrusted and is permanently blocked from accessing your web servers, even if it would normally pass all other scans.

    Note: If multiple clients share the same source IP address, such as when a group of clients is behind a firewall or router performing network address translation (NAT), blocking the source IP address could block innocent clients that share the same source IP address with an offending client.

  • Trust IP—The source IP address is trusted and allowed to access your web servers without being processed by the security rules.

By default, if the source IP address of a request is in neither the Block IP list nor the Trust IP list, FortiWeb Cloud passes the request to other scans to decide whether it is allowed to access your web servers. However, you can define the Allow Only list so that such requests are screened against this list before they are passed to other scans.

  • Allow Only—If the source IP address is in the Allow Only list, the request is passed to other scans to decide whether it is allowed to access your web servers. If it is not in the list, the request is blocked.
    If this list is empty, source IP addresses that are in neither the Block IP list nor the Trust IP list are passed directly to other scans.

Requests that are blocked according to the IP Protection lists will receive a warning message as the HTTP response. The warning message page includes ID: 70007, which is the ID of all attack log messages about requests from blocked IPs.

IP/IP Range

Type the client’s source IP address.

You can enter either a single IP address or a range of addresses (for example, 172.22.14.1-172.22.14.255 or 10:200::10:1-10:200:10:100). Each entry should contain only one IP address or one IP range. Currently, support for both IPv4 and IPv6 addresses is available only on the AWS platform.

Note: A maximum number of 30,000 IPs/IP Ranges is supported, 10,000 for each IP/IP Range type.

Click SAVE.
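
The following added example (not Fortinet code) models the IP list decision order described above so that a planned set of entries can be checked offline before it is saved, for instance to confirm that a non-empty Allow Only list does not lock out clients you expect to reach the site. The function names and sample addresses are constructed, and checking Block IP before Trust IP is an assumption, because the guide does not say which list wins when an address appears in both.

```python
import ipaddress

def parse_entry(entry):
    """Parse one list entry: a single IP or 'start-end' (inclusive)."""
    parts = [p.strip() for p in entry.split("-")]
    if len(parts) > 2:
        raise ValueError(f"only one IP or one range per entry: {entry!r}")
    low = ipaddress.ip_address(parts[0])    # ValueError on a malformed address
    high = ipaddress.ip_address(parts[-1])
    if low.version != high.version or low > high:
        raise ValueError(f"range ends mismatched or reversed: {entry!r}")
    return low, high

def in_list(ip, ranges):
    """True if ip falls inside any (low, high) pair of the same IP version."""
    return any(lo.version == ip.version and lo <= ip <= hi for lo, hi in ranges)

def decide(source_ip, block, trust, allow_only):
    """Return 'blocked', 'trusted' (skips other scans) or 'scan'."""
    ip = ipaddress.ip_address(source_ip)
    if in_list(ip, block):      # ASSUMPTION: Block IP is checked before Trust IP
        return "blocked"
    if in_list(ip, trust):
        return "trusted"
    if allow_only and not in_list(ip, allow_only):
        return "blocked"        # non-empty Allow Only list rejects everyone else
    return "scan"               # listed, or Allow Only empty: on to other scans

# Constructed sample lists; only the first range is taken from the guide.
BLOCK = [parse_entry("172.22.14.1-172.22.14.255")]
TRUST = [parse_entry("192.0.2.10")]
ALLOW_ONLY = [parse_entry(e) for e in
              ("198.51.100.1-198.51.100.254", "2001:db8::1-2001:db8::ff")]

def audit(clients, allow_only=ALLOW_ONLY):
    """Map each client address to the verdict the lists would produce."""
    return {c: decide(c, BLOCK, TRUST, allow_only) for c in clients}

if __name__ == "__main__":
    sample = ["172.22.14.77", "192.0.2.10", "198.51.100.20",
              "203.0.113.5", "2001:db8::10"]
    for client, verdict in audit(sample).items():
        print(f"{client:15} -> {verdict}")
```

Running the audit with an empty Allow Only list (`audit(clients, allow_only=[])`) shows which clients are blocked only because of that list.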
