You can block requests from clients based upon their source IP address directly
Conversely, you can also exempt clients from scans typically included by the policy.
To configure IP Protection, you must have already enabled this module in Add Modules. See How to add or remove a module.
You can configure FortiWeb Cloud to block client access based on up-to-date threat intelligence. This blocks attacks from the following sources:
- malicious spiders/crawlers
- virus-infected clients
- clients using anonymizing proxies
- DDoS participants
IP reputation leverages many techniques for accurate, early, and frequently updated identification of compromised and malicious clients so you can block attackers before they target your servers. Data about dangerous clients derives from many sources around the globe, including:
- FortiGuard service statistics
- botnet forensic analysis
- anonymizing proxies
- third-party sources in the security community
From these sources, Fortinet compiles a reputation for each public IP address. Clients will have poor reputations if they have been participating in attacks, willingly or otherwise. Because blocking innocent clients is equally undesirable, Fortinet also restores the reputations of clients that have improved their behavior. This is crucial when an infected computer is cleaned, or in DHCP or PPPoE pools where an innocent client receives an IP address that was previously leased by an attacker.
Go to ACCESS RULES > IP Protection to enable IP Reputation.
To configure blocking by geography, select one or more geographical regions that you want to block from the Country list, then click the right arrow or double-click the countries to move them to the Selected Country list on the right.
In addition to countries, the Country list also includes distinct territories within a country, such as Puerto Rico, and regions that are not associated with any country, such as Antarctica.
You can define which source IP addresses belong to trusted clients, distrusted clients, or allowed clients.
In the IP List section, configure these settings.
By default, if the IP address of a request is in neither the Block IP list nor the Trust IP list, FortiWeb Cloud passes the request to other scans to decide whether it is allowed to access your web servers. However, you can define the Allow Only list so that such requests are screened against this list before they are passed to other scans.
Requests that are blocked according to the IP Protection lists will receive a warning message as the HTTP response. The warning message page includes ID: 70007, which is the ID of all attack log messages about requests from blocked IPs.
Type the client’s source IP address.
You can enter either a single IP address or a range of addresses (for example, 172.22.14.1-172.22.14.255 or 10:200::10:1-10:200::10:100). Each entry should contain only one IP address or IP range. Support for both IPv4 and IPv6 addresses is currently available only on the AWS platform.
Note: A maximum of 30,000 IPs/IP ranges is supported, 10,000 for each IP/IP range type.
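One way to pre-check Block IP and Trust IP entries against the entry format and limit described above before typing them in, as an added example that is not FortiWeb Cloud code. It assumes the 10,000 figure applies per list; the function names and sample addresses are constructed for illustration. It also reports addresses that fall in both lists, because this page does not say which list takes precedence.

```python
import ipaddress

MAX_PER_LIST = 10_000  # page: 10,000 per IP/IP range type; treated as a per-list cap (assumption)

def parse_entry(entry):
    """Return (first, last) addresses for 'A' or 'A-B'; raise ValueError if malformed."""
    parts = [p.strip() for p in entry.split("-")]
    if len(parts) not in (1, 2) or not all(parts):
        raise ValueError(f"{entry!r}: expected one address or one start-end range")
    # ip_address() rejects CIDR notation and malformed IPv4/IPv6 text with ValueError.
    first, last = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[-1])
    if first.version != last.version:
        raise ValueError(f"{entry!r}: range mixes IPv4 and IPv6")
    if first > last:
        raise ValueError(f"{entry!r}: range start is above range end")
    return first, last

def validate_list(name, entries):
    """Parse every entry of one list; return (parsed ranges, error strings)."""
    ranges, errors = [], []
    if len(entries) > MAX_PER_LIST:
        errors.append(f"{name}: {len(entries)} entries exceeds {MAX_PER_LIST}")
    for entry in entries:
        try:
            ranges.append((*parse_entry(entry), entry))
        except ValueError as exc:
            errors.append(f"{name}: {exc}")
    return ranges, errors

def overlaps(list_a, list_b):
    """Return entry pairs whose ranges intersect (pairwise scan, fine for review-sized lists)."""
    return [(ea, eb)
            for a0, a1, ea in list_a
            for b0, b1, eb in list_b
            if a0.version == b0.version and a0 <= b1 and b0 <= a1]

# Constructed sample lists (documentation address space, not from a real deployment).
BLOCK = ["172.22.14.1-172.22.14.255", "203.0.113.7", "2001:db8::10-2001:db8::ff"]
TRUST = ["172.22.14.200", "198.51.100.0/24", "192.0.2.9-192.0.2.1"]

def review(block, trust):
    """Validate both lists and return (errors, block/trust conflicts)."""
    b, b_err = validate_list("Block IP", block)
    t, t_err = validate_list("Trust IP", trust)
    return b_err + t_err, overlaps(b, t)

if __name__ == "__main__":
    errors, conflicts = review(BLOCK, TRUST)
    for line in errors: print("ERROR", line)
    for blocked, trusted in conflicts: print("CONFLICT", blocked, "vs", trusted)
```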