Fortinet black logo

User Guide

IP Protection

Copy Link
Copy Doc ID 8d4237ec-c163-11ee-8c42-fa163e15d75b:199367
Download PDF

IP Protection

You can block requests from clients based upon their source IP address directly, their current reputation known to FortiGuard, or which country or region the IP address is associated with.

Conversely, you can also exempt clients from scans typically included by the policy.

To configure IP Protection, you must have already enabled this module in Add Modules. See How to add or remove a module.

IP reputation

To block the following attacks, you can configure FortiWeb Cloud to block client access based on up-to-date threat intelligence.

  • botnets
  • spammers
  • phishers
  • malicious spiders/crawlers
  • virus-infected clients
  • clients using anonymizing proxies
  • DDoS participants

IP reputation leverages many techniques for accurate, early, and frequently updated identification of compromised and malicious clients so you can block attackers before they target your servers. Data about dangerous clients derives from many sources around the globe, including:

  • FortiGuard service statistics
  • honeypots
  • botnet forensic analysis
  • anonymizing proxies
  • 3rd party sources in the security community

From these sources, Fortinet compiles a reputation for each public IP address. Clients will have poor reputations if they have been participating in attacks, willingly or otherwise. Because blocking innocent clients is equally undesirable, Fortinet also restores the reputations of clients that have improved their behaviors. This is crucial when an infected computer is cleaned, or in DHCP or PPPoE pools where an innocent client receives an IP address that was previously leased by an attacker.

Check whether an IP address is malicious through FortiGuard IP Web Application Security Service: https://www.fortiguard.com/services/ws.

If you believe an IP address is wrongly classified as a malicious IP, you can report it here: https://www.fortiguard.com/faq/contact-web-security.

Go to ACCESS RULES > IP Protection to enable IP Reputation.

Geo IP Block

To configure blocking by geography, select one or more geographical regions that you want to block from the Country list, then click the right arrow or double click the countries to move them to the Selected Country list on the right.

In addition to countries, the Country list also includes distinct territories within a country, such as Puerto Rico, and regions that are not associated with any country, such as Antarctica.

The action taken for the GEO IP violations is Period Block (600 seconds).

IP list

You can define which source IP addresses are trusted or distrusted clients, or allowed ones.

In IP List section, configure these settings.

IP List Input

There are two ways of adding IP list:

  • Manually input IP/IP range one by one

  • Type the client’s source IP address, then click Add to add more.

    You can enter either a single IP address or a range of addresses (for example, 172.22.14.1-172.22.14.255 or 10:200::10:1-10:200:10:100). Each entry should contain only one IP address or IP range. Both IPv4 and IPv6 addresses are supported only on AWS platform currently.

    Note: A maximum number of 30,000 IPs/IP Ranges is supported, 10,000 for each IP/IP Range type.

  • Upload a CSV file to add IPs in batch

  • Click Upload CSV to import a CSV file that contains multiple IPs.
    The type should be one of "BLOCK", "ALLOW","TRUST" .

    Use the following format for each IP/IP range (enter one IP/IP range per line) in the CSV file:
    BLOCK,<IP Address>
    ALLOW,<IP Address>
    TRUST,<IP Address>-<IP Address>

Type

  • Block IP—The source IP address that is distrusted, and is permanently blocked from accessing your web servers, even if it would normally pass all other scans.

    Note: If multiple clients share the same source IP address, such as when a group of clients is behind a firewall or router performing network address translation (NAT), blocking the source IP address could block innocent clients that share the same source IP address with an offending client.

  • Trust IP—The source IP address is trusted and allowed to access your web servers, bypassing any further scanning by subsequent security modules.

By default, if the IP address of a request is neither in the Block IP nor Trust IP list, FortiWeb Cloud will pass this request to other scans to decide whether it is allowed to access your web servers. However, you can define the Allow Only list so that such requests can be screened against this list before it's passed to other scans.

  • Allow Only—If the source IP address is in the Allow Only list, it will be passed to other scans to decide whether it's allowed to access your web servers. If not, it will be blocked.
    If this list is empty, then the source IP addresses which are not in the Block IP and Trust IP list will be passed directly to other scans.

The scan sequence for processing IP addresses is as follows: Block IP > Trust IP > Allow Only. For example, if an IP address is present in the Block IP list, the system will block it immediately without proceeding to scan against the Trust IP and Allow Only IP lists.

In other words, if an IP address appears in multiple IP lists, it will be processed only against the list which is scanned first. For example, if you wish to trust an IP range but block specific IP addresses within that range, then you can add those IP addresses to the Block IP list and the IP range in the Trust IP list. This approach will allow the IP range to be trusted while the specified IP addresses are blocked, since the Block IP list is scanned first.

Requests that are blocked according to the IP Protection lists will receive a warning message as the HTTP response. The warning message page includes ID: 70007, which is the ID of all attack log messages about requests from blocked IPs.

Click SAVE.

If you have enabled Use X-Header to Identify Original Clients' IP in Rewriting Requests, the IP address in the header will be identified as the client IP and be scanned by IP Protection.

IP Protection

You can block requests from clients based upon their source IP address directly, their current reputation known to FortiGuard, or which country or region the IP address is associated with.

Conversely, you can also exempt clients from scans typically included by the policy.

To configure IP Protection, you must have already enabled this module in Add Modules. See How to add or remove a module.

IP reputation

To block the following attacks, you can configure FortiWeb Cloud to block client access based on up-to-date threat intelligence.

  • botnets
  • spammers
  • phishers
  • malicious spiders/crawlers
  • virus-infected clients
  • clients using anonymizing proxies
  • DDoS participants

IP reputation leverages many techniques for accurate, early, and frequently updated identification of compromised and malicious clients so you can block attackers before they target your servers. Data about dangerous clients derives from many sources around the globe, including:

  • FortiGuard service statistics
  • honeypots
  • botnet forensic analysis
  • anonymizing proxies
  • 3rd party sources in the security community

From these sources, Fortinet compiles a reputation for each public IP address. Clients will have poor reputations if they have been participating in attacks, willingly or otherwise. Because blocking innocent clients is equally undesirable, Fortinet also restores the reputations of clients that have improved their behaviors. This is crucial when an infected computer is cleaned, or in DHCP or PPPoE pools where an innocent client receives an IP address that was previously leased by an attacker.

Check whether an IP address is malicious through FortiGuard IP Web Application Security Service: https://www.fortiguard.com/services/ws.

If you believe an IP address is wrongly classified as a malicious IP, you can report it here: https://www.fortiguard.com/faq/contact-web-security.

Go to ACCESS RULES > IP Protection to enable IP Reputation.

Geo IP Block

To configure blocking by geography, select one or more geographical regions that you want to block from the Country list, then click the right arrow or double click the countries to move them to the Selected Country list on the right.

In addition to countries, the Country list also includes distinct territories within a country, such as Puerto Rico, and regions that are not associated with any country, such as Antarctica.

The action taken for the GEO IP violations is Period Block (600 seconds).

IP list

You can define which source IP addresses are trusted or distrusted clients, or allowed ones.

In IP List section, configure these settings.

IP List Input

There are two ways of adding IP list:

  • Manually input IP/IP range one by one

  • Type the client’s source IP address, then click Add to add more.

    You can enter either a single IP address or a range of addresses (for example, 172.22.14.1-172.22.14.255 or 10:200::10:1-10:200:10:100). Each entry should contain only one IP address or IP range. Both IPv4 and IPv6 addresses are supported only on AWS platform currently.

    Note: A maximum number of 30,000 IPs/IP Ranges is supported, 10,000 for each IP/IP Range type.

  • Upload a CSV file to add IPs in batch

  • Click Upload CSV to import a CSV file that contains multiple IPs.
    The type should be one of "BLOCK", "ALLOW","TRUST" .

    Use the following format for each IP/IP range (enter one IP/IP range per line) in the CSV file:
    BLOCK,<IP Address>
    ALLOW,<IP Address>
    TRUST,<IP Address>-<IP Address>

Type

  • Block IP—The source IP address that is distrusted, and is permanently blocked from accessing your web servers, even if it would normally pass all other scans.

    Note: If multiple clients share the same source IP address, such as when a group of clients is behind a firewall or router performing network address translation (NAT), blocking the source IP address could block innocent clients that share the same source IP address with an offending client.

  • Trust IP—The source IP address is trusted and allowed to access your web servers, bypassing any further scanning by subsequent security modules.

By default, if the IP address of a request is neither in the Block IP nor Trust IP list, FortiWeb Cloud will pass this request to other scans to decide whether it is allowed to access your web servers. However, you can define the Allow Only list so that such requests can be screened against this list before it's passed to other scans.

  • Allow Only—If the source IP address is in the Allow Only list, it will be passed to other scans to decide whether it's allowed to access your web servers. If not, it will be blocked.
    If this list is empty, then the source IP addresses which are not in the Block IP and Trust IP list will be passed directly to other scans.

The scan sequence for processing IP addresses is as follows: Block IP > Trust IP > Allow Only. For example, if an IP address is present in the Block IP list, the system will block it immediately without proceeding to scan against the Trust IP and Allow Only IP lists.

In other words, if an IP address appears in multiple IP lists, it will be processed only against the list which is scanned first. For example, if you wish to trust an IP range but block specific IP addresses within that range, then you can add those IP addresses to the Block IP list and the IP range in the Trust IP list. This approach will allow the IP range to be trusted while the specified IP addresses are blocked, since the Block IP list is scanned first.

Requests that are blocked according to the IP Protection lists will receive a warning message as the HTTP response. The warning message page includes ID: 70007, which is the ID of all attack log messages about requests from blocked IPs.

Click SAVE.

If you have enabled Use X-Header to Identify Original Clients' IP in Rewriting Requests, the IP address in the header will be identified as the client IP and be scanned by IP Protection.