Use this command to define which source IP addresses are trusted clients, undetermined, or distrusted.
- Trusted IPs—Almost always allowed to access to your protected web servers. Trusted IPs are exempt from many (but not all) of the restrictions that would otherwise be applied by a server policy. To determine skipped scans, see debug flow trace.
- Neither—If a source IP address is neither explicitly blacklisted or trusted by an IP list policy, the client can access your web servers, unless it is blocked by any of your other configured, subsequent web protection scan techniques. For details, see debug flow trace.
- Blacklisted IPs—Blocked and prevented from accessing your protected web servers. Requests from blacklisted IP addresses receive a warning message in response. The warning message page includes ID: 70007, which is the ID of all attack log messages about requests from blacklisted IPs.
|Because FortiWeb evaluates trusted and blacklisted IP policies before many other techniques, defining these IP addresses can improve performance.
To use this command, your administrator account’s access control profile must have either
rw permission to the
wafgrp area. For details, see Permissions.
config waf ip-list
set ip "<client_ip>"
Enter the name of a new or existing rule. The maximum length is 63 characters.
To display the list of existing rules, enter:
|Enter the index number of the individual entry in the table entry in the table. The valid range is 1–9,999,999,999,999,999,999.
Enter one of the following values:
By default, if the IP address of a request is neither in the Block IP nor Trust IP list, FortiWeb will pass this request to other scans to decide whether it is allowed to access your web servers. However, you can define the
Requests that are blocked according to the IP Lists will receive a warning message as the HTTP response. The warning message page includes ID: 70007, which is the ID of all attack log messages about requests from blocked IPs.
When rule violations are recorded in the attack log, each log message contains a Severity Level (
Select which trigger, if any, that the FortiWeb appliance will use when it logs and/or sends an alert email about a blacklisted IP address’s attempt to connect to your web servers. The maximum length is 63 characters. For details, see log trigger-policy.
To display the list of existing trigger policies, enter:
The following shows the configuration for a trusted host of
192.0.2.0 followed by a blacklisted client of
config waf ip-list
set ip "192.0.2.0"
set type black-ip
set ip "192.0.2.1"
set severity Medium
set trigger-policy "TriggerActionPolicy1"