Fortinet white logo
Fortinet white logo

Administration Guide

FAQ

FAQ

How to troubleshoot IP Reputation false positives/false negatives?

We generally follow below process to troubleshoot:

1) Check if the IP reputation database (IRDB) is upgraded to the latest.

Please check via System > Config > Fortiguard > License information > IP Reputation.

2) If the IRDB is the latest, use below shell cmd on FortiWeb to check if the IP could match the IRDB on the device.

FortiWeb # fn sh

~# bonet_test /var/log/irdb_sig.db 1.1.1.1

ip count = 139727, all types[botnetv1|botnet|proxy|phishing|spam|tor|others]

CategoryIdName 1 Botnet

CategoryIdName 2 Anonymous Proxy

CategoryIdName 3 Phishing

CategoryIdName 4 Spam

CategoryIdName 5 Others

CategoryIdName 6 Tor

IP unmatch in irdb.

3) If the cmd shows unmatch, then FortiWeb needs to notify the IRDB team to check if this IP needs to be added to IRDB in the next version.

4) If the cmd shows matched, then maybe IRDB was disabled by other modules.

How to troubleshoot GEO IP false positives/false negatives?

Follow below process to troubleshoot:

1) Check if the GEO DB is upgraded to the latest.

Please check via System > Config > Fortiguard > License information > GEO DB.

2) If GEO DB is upgraded to the latest, then FortiWeb needs to notify the GEODB team to check if this IP needs to be modified for the next GEODB release.

Why are GEO-IP locations different from FortiGuard?

GEO-IP on FortiWeb is updated twice a month. However, FortiGuard is updated in real time.

FAQ

FAQ

How to troubleshoot IP Reputation false positives/false negatives?

We generally follow below process to troubleshoot:

1) Check if the IP reputation database (IRDB) is upgraded to the latest.

Please check via System > Config > Fortiguard > License information > IP Reputation.

2) If the IRDB is the latest, use below shell cmd on FortiWeb to check if the IP could match the IRDB on the device.

FortiWeb # fn sh

~# bonet_test /var/log/irdb_sig.db 1.1.1.1

ip count = 139727, all types[botnetv1|botnet|proxy|phishing|spam|tor|others]

CategoryIdName 1 Botnet

CategoryIdName 2 Anonymous Proxy

CategoryIdName 3 Phishing

CategoryIdName 4 Spam

CategoryIdName 5 Others

CategoryIdName 6 Tor

IP unmatch in irdb.

3) If the cmd shows unmatch, then FortiWeb needs to notify the IRDB team to check if this IP needs to be added to IRDB in the next version.

4) If the cmd shows matched, then maybe IRDB was disabled by other modules.

How to troubleshoot GEO IP false positives/false negatives?

Follow below process to troubleshoot:

1) Check if the GEO DB is upgraded to the latest.

Please check via System > Config > Fortiguard > License information > GEO DB.

2) If GEO DB is upgraded to the latest, then FortiWeb needs to notify the GEODB team to check if this IP needs to be modified for the next GEODB release.

Why are GEO-IP locations different from FortiGuard?

GEO-IP on FortiWeb is updated twice a month. However, FortiGuard is updated in real time.