How to troubleshoot IP Reputation false positives/false negatives?
We generally follow below process to troubleshoot:
1) Check if the IP reputation database (IRDB) is upgraded to the latest.
Please check via System > Config > Fortiguard > License information > IP Reputation.
2) If the IRDB is the latest, use below shell cmd on FortiWeb to check if the IP could match the IRDB on the device.
FortiWeb # fn sh
~# bonet_test /var/log/irdb_sig.db 188.8.131.52
ip count = 139727, all types[botnetv1|botnet|proxy|phishing|spam|tor|others]
CategoryIdName 1 Botnet
CategoryIdName 2 Anonymous Proxy
CategoryIdName 3 Phishing
CategoryIdName 4 Spam
CategoryIdName 5 Others
CategoryIdName 6 Tor
IP unmatch in irdb.
3) If the cmd shows unmatch, then FortiWeb needs to notify the IRDB team to check if this IP needs to be added to IRDB in the next version.
4) If the cmd shows matched, then maybe IRDB was disabled by other modules.
How to troubleshoot GEO IP false positives/false negatives?
Follow below process to troubleshoot:
1) Check if the GEO DB is upgraded to the latest.
Please check via System > Config > Fortiguard > License information > GEO DB.
2) If GEO DB is upgraded to the latest, then FortiWeb needs to notify the GEODB team to check if this IP needs to be modified for the next GEODB release.
Why are GEO-IP locations different from FortiGuard?
GEO-IP on FortiWeb is updated twice a month. However, FortiGuard is updated in real time.
How does “Action” of an IP List policy work with the matching Types “Trust IP”, “Block IP” and “Allow Only”?
The “Action” of an IP List policy can be configured as “Deny (no log)”, “Block Period” or “Alert & Deny”.
There are three types of IP lists:
● Block IP—The source IP address that is distrusted, and is permanently blocked from accessing your web servers, even if it would normally pass all other scans.
● Trust IP—The source IP address is trusted and allowed to access your web servers, unless it fails a previous scan. For details, see "Sequence of scans" in FortiWeb Administration Guide.
● Allow Only—If the source IP address is in the Allow Only range, it will be passed to other scans to decide whether it's allowed to access your web servers. If not, FortiWeb will take actions according to the trigger policy.
If no Allow Only is configured, then the source IP addresses which are neither in the Block IP nor Trust IP list will be passed directly to other scans.
The Action works as below when different IP List types are configured:
● For Trust IP, the Action actually will NOT take effect for the IP addresses matched;
● For Block IP & Allow Only, the Action will take effect accordingly for the IP addresses matched.