waf ip-intelligence
Use this command to configure reputation-based source IP blacklisting.
Clients with suspicious behaviors or poor reputations include spammers, phishers, botnets, and anonymizing proxy users. If you have purchased a subscription for the FortiGuard IP Reputation service, your FortiWeb can periodically download an updated blacklist to keep your appliance current with changes in dynamic IPs, spreading virus infections, and spammers changing service providers.
IP intelligence settings apply globally, to all policies that use this feature.
Before or after using this command, use waf ip-intelligence-exception to configure any exemptions that you want to apply. To apply IP reputation-based blocking, configuring these category settings first, then enable ip-intelligence {enable | disable} in the server policy’s protection profile.
Alternatively, you can block sets of many clients based upon their geographical origin (see waf geo-block-list) or manually by specific IPs (see server-policy custom-application application-policy).
To use this command, your administrator account’s access control profile must have either w
or rw
permission to the wafgrp
area. For details, see Permissions.
Syntax
config waf ip-intelligence
edit <entry_index>
set action {alert | alert_deny | redirect | send_403_forbidden | block-period | deny_no_log}
set block-period <seconds_int>
set category "<category_name>"
set severity {Low | Medium | High | Info}
set trigger "<trigger-policy_name>"
next
end
Variable | Description | Default |
Enter the index number of the individual entry in the table entry in the table. | No default. | |
action {alert | alert_deny | redirect | send_403_forbidden | block-period | deny_no_log} |
Select one of the following actions that the FortiWeb appliance performs when a client’s source IP matches the blacklist category:
Caution: FortiWeb ignores this setting when monitor-mode {enable | disable} is enabled. Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail. Note: If you select an auto-learning profile with this rule, you should select |
alert
|
Enter the number of seconds to block the source IP. The valid range is 0–3,600. This setting applies only if action {alert | alert_deny | redirect | send_403_forbidden | block-period | deny_no_log} is block-period. |
60
|
|
Enter the name of an existing IP intelligence category, such as Category names vary by the version number of your FortiGuard IRIS package. |
||
Enable to block clients whose source IP belongs to this category according to the FortiGuard IRIS service. |
enable
|
|
When rule violations are recorded in the attack log, each log message contains a Severity Level (
|
Low
|
|
Select which trigger, if any, that the FortiWeb appliance uses when it logs and/or sends an alert email about a blacklisted IP address’s attempt to connect to your web servers. For details, see log trigger-policy. The maximum length is 63 characters. To display the list of existing trigger policies, enter:
|
No default. |
Example
The following command blacklists clients whose source IPs are currently known by Fortinet to be members of a botnet. In the FortiGuard IRIS package for this example, “Botnet” is the first item in the list of categories.
When a botnet member makes a request, FortiWeb blocks the connection and continues to block it without re-evaluating it for the next 6 minutes (360 seconds). FortiWeb logs the event with a high severity level and sends notifications to the Syslog and email servers specified in notification-servers1
.
config waf ip-intelligence
edit 1
set status enable
set action period_block
set block-period 360
set severity High
set trigger-policy "notification-servers1"
next
end