FAQ
How to troubleshoot IP Reputation false positives/false negatives?
We generally follow the process below to troubleshoot:
1) Check whether the IP reputation database (IRDB) has been updated to the latest version.
Please check via System > Config > Fortiguard > License information > IP Reputation.
2) If the IRDB is the latest, use the shell command below on FortiWeb to check whether the IP matches the IRDB on the device.
FortiWeb # fn sh
~# bonet_test /var/log/irdb_sig.db 1.1.1.1
ip count = 139727, all types[botnetv1|botnet|proxy|phishing|spam|tor|others]
CategoryIdName 1 Botnet
CategoryIdName 2 Anonymous Proxy
CategoryIdName 3 Phishing
CategoryIdName 4 Spam
CategoryIdName 5 Others
CategoryIdName 6 Tor
IP unmatch in irdb.
3) If the command shows unmatch, then FortiWeb needs to notify the IRDB team to check if this IP needs to be added to IRDB in the next version.
4) If the command shows matched, then IRDB may have been disabled by other modules.
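When many reported IPs have to be triaged, the captured output of the check in step 2 can be parsed and mapped onto steps 3 and 4. The following is an added example, not Fortinet code: the helper names are hypothetical, the sample is the output shown above, and since the page does not show the matched-case wording, any output without the unmatch line is treated as a possible match (an assumption) with the unrecognized lines kept for review.

```python
import re

# Output copied from the FAQ above (the unmatch case, the only one the page shows).
SAMPLE_UNMATCH = """\
ip count = 139727, all types[botnetv1|botnet|proxy|phishing|spam|tor|others]
CategoryIdName 1 Botnet
CategoryIdName 2 Anonymous Proxy
CategoryIdName 3 Phishing
CategoryIdName 4 Spam
CategoryIdName 5 Others
CategoryIdName 6 Tor
IP unmatch in irdb.
"""

COUNT_RE = re.compile(r"^ip count = (\d+), all types\[([^\]]*)\]$")
CATEGORY_RE = re.compile(r"^CategoryIdName (\d+) (.+)$")
UNMATCH_LINE = "IP unmatch in irdb."


def parse_irdb_check(output):
    """Parse captured bonet_test output into a dict (hypothetical helper)."""
    result = {"ip_count": None, "types": [], "categories": {},
              "unmatched": False, "unparsed": []}
    # Strip each line and skip empty ones.
    for line in filter(None, map(str.strip, output.splitlines())):
        m = COUNT_RE.match(line)
        if m:
            result["ip_count"] = int(m.group(1))
            result["types"] = m.group(2).split("|")
            continue
        m = CATEGORY_RE.match(line)
        if m:
            result["categories"][int(m.group(1))] = m.group(2)
            continue
        if line == UNMATCH_LINE:
            result["unmatched"] = True
        else:
            # Matched-case wording is not on the page; keep the line verbatim.
            result["unparsed"].append(line)
    return result


def next_step(result):
    """Map the parsed result onto steps 3 and 4 of the FAQ."""
    if result["ip_count"] is None:
        return "no IRDB header found: re-run the check in step 2"
    if result["unmatched"]:
        return "step 3: IP not in IRDB, report it to the IRDB team"
    return "step 4: possible match, check if IRDB is disabled by other modules"
```
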
How to troubleshoot GEO IP false positives/false negatives?
Follow the process below to troubleshoot:
1) Check whether the GEO DB has been updated to the latest version.
Please check via System > Config > Fortiguard > License information > GEO DB.
2) If the GEO DB is the latest, then FortiWeb needs to notify the GEODB team to check if this IP needs to be modified for the next GEODB release.
Why are GEO-IP locations different from FortiGuard?
GEO-IP on FortiWeb is updated twice a month. However, FortiGuard is updated in real time.