You can define which source IP addresses are trusted clients, undetermined, or distrusted.
- Trusted IPs—Almost always allowed to access your protected web servers. Trusted IPs are exempt from many (but not all) of the restrictions that would otherwise be applied by a server policy. For a list of skipped scans, see Sequence of scans.
- Blacklisted IPs—Blocked and prevented from accessing your protected web servers. Requests from blacklisted IP addresses receive a warning message as the HTTP response. The warning message page includes ID: 70007, which is the ID of all attack log messages about requests from blacklisted IPs.
If a source IP address is neither explicitly blacklisted nor trusted by an IP list policy, the client can access your web servers, unless it is blocked by any of your other configured, subsequent web protection scan techniques. For details, see Sequence of scans.
Because trusted and blacklisted IP policies are evaluated before many other techniques, defining these IP addresses can be used to improve performance. For details, see Sequence of scans.
Because many businesses, universities, and now even home networks use NAT, a packet’s source IP address does not necessarily identify the client. Keep in mind that if you blacklist or whitelist an individual source IP, you may inadvertently affect other clients that share the same IP.
- If you want to use a trigger to create a log message and/or alert email when a blacklisted client attempts to connect to your web servers, configure the trigger first. See Viewing log messages.
- Go to IP Protection > IP List.
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
- Click Create New.
- Configure the following settings.
- In Name, type a unique name that can be referenced by other parts of the configuration. The maximum length is 63 characters.
In Action, select the action FortiWeb takes when it detects a blacklisted IP address:
- Alert & Deny—Block the request (or reset the connection) and generate an alert email and/or log message.
- Deny (no log)—Block the request from the IP address without sending an alert email or log message.
- Period Block—Block requests from the IP address for a certain period of time. The valid range is 1-600 seconds.
When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. In Severity Level, select which severity level the FortiWeb appliance will use when a blacklisted IP address attempts to connect to your web servers:
In Trigger Policy, select which trigger, if any, the FortiWeb appliance will use when it logs and/or sends an alert email about a blacklisted IP address’s attempt to connect to your web servers. For details, see Viewing log messages.
By default, FortiWeb scans the IP addresses in the X-Forwarded-For header at the HTTP layer, which consumes more resources. To improve performance, you can enable Ignore X-Forwarded-For so that source IP addresses are checked at the TCP layer instead, which avoids processing HTTP packets unnecessarily.
- Click OK.
- Click Create New to add an entry to the set.
- Configure these settings:
- Block IP—The source IP address is distrusted and permanently blocked (blacklisted) from accessing your web servers, even if it would normally pass all other scans.
Note: If multiple clients share the same source IP address, such as when a group of clients is behind a firewall or router performing network address translation (NAT), blacklisting the source IP address could block innocent clients that share the same source IP address with an offending client.
- Trust IP—The source IP address is trusted and allowed to access your web servers, unless it fails a previous scan. For details, see Sequence of scans.
- Allow Only—If the source IP address is in the Allow Only range, it will be passed to other scans to decide whether it's allowed to access your web servers. If not, FortiWeb will take actions according to the trigger policy.
If the Allow Only range is empty, then the source IP addresses which are neither in the Block IP nor Trust IP list will be passed directly to other scans.
In IPv4/IPv6 / IP Range, type the client’s source IP address. You can enter either a single IP address or a range of addresses (e.g. 220.127.116.11,2001::1,18.104.22.168-22.214.171.124,2001::1-2001::100). Separate multiple addresses or ranges with a comma (",").
In IP Group, select the IP group you have created in Server Objects > IP Groups. Using an IP group saves you from re-typing the IP addresses each time you need to reuse them.
- Click OK.
- Repeat the previous steps for each individual IP list member that you want to add to the IP list.
- To apply the IP list, select it in an inline or Offline Protection profile. For details, see Configuring a protection profile for inline topologies or Configuring a protection profile for an out-of-band topology or asynchronous mode of operation.
Attack log messages contain Blacklisted IP blocked when this feature detects a blacklisted source IP address.
By default, if the IP address of a request is neither in the Block IP nor Trust IP list, FortiWeb will pass this request to other scans to decide whether it is allowed to access your web servers. However, you can define the Allow Only IP addresses so that such requests can be screened against the Allow Only IPs before they are passed to other scans.
The scan sequence for processing IP addresses is as follows: Block IP > Trust IP > Allow Only. For example, if an IP address is present in the Block IP list, the system will block it immediately without proceeding to scan against the Trust IP and Allow Only IP lists.
In other words, if an IP address appears in multiple IP lists, it will be processed only against the list which is scanned first. For example, if you wish to trust an IP range but block specific IP addresses within that range, then you can add those IP addresses to the Block IP list and the IP range in the Trust IP list. This approach will allow the IP range to be trusted while the specified IP addresses are blocked, since the Block IP list is scanned first.
Requests that are blocked according to the IP Lists will receive a warning message as the HTTP response. The warning message page includes ID: 70007, which is the ID of all attack log messages about requests from blocked IPs.
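The scan order described above (Block IP, then Trust IP, then Allow Only, first match wins) modelled as a small Python policy evaluator. This is an added illustration, not FortiWeb code; it parses the comma-separated address/range format shown on this page with the standard ipaddress module, and the sample lists use RFC 5737/3849 documentation addresses that are constructed for the example.

```python
import ipaddress


def parse_ip_list(spec):
    """Parse 'a.b.c.d,2001::1,x.x.x.x-y.y.y.y' into inclusive (start, end) pairs."""
    entries = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo_text, hi_text = item.split("-", 1)
            lo, hi = ipaddress.ip_address(lo_text.strip()), ipaddress.ip_address(hi_text.strip())
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"invalid range: {item}")
        else:
            lo = hi = ipaddress.ip_address(item)
        entries.append((lo, hi))
    return entries


def in_list(client_ip, entries):
    """True if client_ip falls inside any entry; IPv4 and IPv6 never compare across families."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == lo.version and lo <= addr <= hi for lo, hi in entries)


def evaluate(client_ip, block, trust, allow_only):
    """Block IP > Trust IP > Allow Only: the first list that matches decides."""
    if in_list(client_ip, block):
        return "blocked"                  # Block IP wins even inside a trusted range
    if in_list(client_ip, trust):
        return "trusted"                  # skips many later scans
    if allow_only and not in_list(client_ip, allow_only):
        return "denied_by_allow_only"     # action taken according to the trigger policy
    return "pass_to_other_scans"          # empty Allow Only list passes straight through


# Constructed sample lists: a trusted range with one blocked host inside it (the case
# described above), plus an IPv6 trusted range and a separate Allow Only range.
BLOCK = parse_ip_list("203.0.113.7, 2001:db8::bad")
TRUST = parse_ip_list("203.0.113.0-203.0.113.255, 2001:db8::1-2001:db8::100")
ALLOW_ONLY = parse_ip_list("198.51.100.0-198.51.100.127")

if __name__ == "__main__":
    for ip in ("203.0.113.7", "203.0.113.20", "2001:db8::50", "198.51.100.9", "198.51.100.200"):
        print(ip, "->", evaluate(ip, BLOCK, TRUST, ALLOW_ONLY))
```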
- IP List - Blocklisting & whitelisting clients using a source IP or source IP range
- Sequence of scans
- Monitoring currently blocked IPs
You can use FortiWeb features to control access by known bots such as:
- malicious bots, such as DoS, spam, and crawler bots.
- known good bots such as known search engines.
FortiWeb keeps the predefined signatures for malicious robots and source IPs up to date if you have subscribed to the FortiGuard Security Service.
To block typically malicious bots, go to Bot Mitigation > Known Bots to configure Malicious Bots.
To control which search engine crawlers are allowed to access your sites, go to Bot Mitigation > Known Bots to configure Known Search Engines.