waf ip-intelligence

Use this command to configure reputation-based source IP blacklisting.

Clients with suspicious behaviors or poor reputations include spammers, phishers, botnets, and anonymizing proxy users. If you have purchased a subscription for the FortiGuard IP Reputation service, your FortiWeb can periodically download an updated blacklist to keep your appliance current with changes in dynamic IPs, spreading virus infections, and spammers changing service providers.

IP intelligence settings apply globally, to all policies that use this feature.

Before or after using this command, use waf ip-intelligence-exception to configure any exemptions that you want to apply. To apply IP reputation-based blocking, configuring these category settings first, then enable ip-intelligence {enable | disable} in the server policy’s protection profile.

Alternatively, you can block sets of many clients based upon their geographical origin (see waf geo-block-list) or manually by specific IPs (see server-policy custom-application application-policy).

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf ip-intelligence

edit <entry_index>

set action {alert | alert_deny | redirect | send_403_forbidden | block-period | deny_no_log}

set block-period <seconds_int>

set category "<category_name>"

set severity {Low | Medium | High | Info}

set status {enable | disable}

set trigger "<trigger-policy_name>"

set ignore-x-forwarded-for {enable | disable}

end

Variable	Description	Default
<entry_index>	Enter the index number of the individual entry in the table entry in the table.	No default.
action {alert \| alert_deny \| redirect \| send_403_forbidden \| block-period \| deny_no_log}	Select one of the following actions that the FortiWeb appliance performs when a client’s source IP matches the blacklist category: `alert`—Accept the request and generate an alert email and/or log message. `alert_deny`—Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg. `block-period`—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>. `redirect`—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. Also configure redirect-url "<redirect_fqdn>" and rdt-reason {enable \| disable}. `send_403_forbidden`—Reply to the client with an HTTP `403 Access Forbidden` error message and generate an alert email and/or log message. `deny_no_log`—Deny a request. Do not generate a log message. Caution: FortiWeb ignores this setting when monitor-mode {enable \| disable} is enabled. Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail. Note: If you select an auto-learning profile with this rule, you should select `alert`. If the `action` is `alert_deny`, for example, the FortiWeb appliance will block the request or reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see waf web-protection-profile autolearning-profile.	`block-period`
block-period <seconds_int>	Enter the number of seconds to block the source IP. The valid range is 1–3,600 seconds. This setting applies only if action {alert \| alert_deny \| redirect \| send_403_forbidden \| block-period \| deny_no_log} is block-period.	`60`
category "<category_name>"	Enter the name of an existing IP intelligence category, such as `"Anonymous Proxy"` or `Botnet`. If the category name contains a space, you must surround the name in double quotes. The maximum length is 63 characters. Category names vary by the version number of your FortiGuard IRIS package.
status {enable \| disable}	Enable to block clients whose source IP belongs to this category according to the FortiGuard IRIS service.	`enable`
severity {Low \| Medium \| High \| Info}	When rule violations are recorded in the attack log, each log message contains a Severity Level (`severity_level`) field. Select which severity level the FortiWeb appliance uses when a blacklisted IP address attempts to connect to your web servers: `Low` `Medium` `High` `Info`	`Low`
trigger "<trigger-policy_name>"	Select which trigger, if any, that the FortiWeb appliance uses when it logs and/or sends an alert email about a blacklisted IP address’s attempt to connect to your web servers. For details, see log trigger-policy. The maximum length is 63 characters. To display the list of existing trigger policies, enter: `set trigger ?`	No default.
ignore-x-forwarded-for {enable \| disable}	By default, FortiWeb scans the IP addresses in the X-Forwarded-For header at the HTTP layer. This causes high resource consumption. To enhance the performance, you can enable Ignore X-Forwarded-For so that the IP addresses can be scanned at the TCP layer instead. This avoids HTTP packets being processed unnecessarily.	disable

Example

The following command blacklists clients whose source IPs are currently known by Fortinet to be members of a botnet. In the FortiGuard IRIS package for this example, “Botnet” is the first item in the list of categories.

When a botnet member makes a request, FortiWeb blocks the connection and continues to block it without re-evaluating it for the next 6 minutes (360 seconds). FortiWeb logs the event with a high severity level and sends notifications to the Syslog and email servers specified in notification-servers1.

config waf ip-intelligence

edit 1

set status enable

set action period_block

set block-period 360

set severity High

set trigger-policy "notification-servers1"

set ignore-x-forwarded-for disable

end