
Administration Guide

IP List - Blocklisting & whitelisting clients using a source IP or source IP range

You can define which source IP addresses are trusted clients, undetermined, or distrusted.

  • Trusted IPs—Almost always allowed to access your protected web servers. Trusted IPs are exempt from many (but not all) of the restrictions that would otherwise be applied by a server policy. For a list of skipped scans, see Sequence of scans.
  • Blacklisted IPs—Blocked and prevented from accessing your protected web servers. Requests from blacklisted IP addresses receive a warning message as the HTTP response. The warning message page includes ID: 70007, which is the ID of all attack log messages about requests from blacklisted IPs.

If a source IP address is neither explicitly blacklisted nor trusted by an IP list policy, the client can access your web servers, unless it is blocked by any of your other configured, subsequent web protection scan techniques. For details, see Sequence of scans.

Because trusted and blacklisted IP policies are evaluated before many other techniques, defining these IP addresses can be used to improve performance. For details, see Sequence of scans.

Because many businesses, universities, and now even home networks use NAT, a packet’s source IP address may not necessarily match that of the client. Keep in mind that if you blacklist or whitelist an individual source IP, it may therefore inadvertently affect other clients that share the same IP.

To configure policies for individual source IPs
  1. If you want to use a trigger to create a log message and/or alert email when a blacklisted client attempts to connect to your web servers, configure the trigger first. See Viewing log messages.
  2. Go to IP Protection > IP List.
    To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
  3. Click Create New.
  4. Configure the following settings.
    Name

    Type a unique name that can be referenced by other parts of the configuration. The maximum length is 63 characters.

    Action

    Select the action FortiWeb takes when it detects a blocklisted IP address.

    • Alert & Deny—Block the request (or reset the connection) and generate an alert email and/or log message.

    • Deny (no log)—Block the request from the IP address without sending an alert email or log message.

    • Period Block—Block requests from the IP address for a certain period of time. The valid range is 1-600 seconds.

    Severity

    When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when a blacklisted IP address attempts to connect to your web servers:

    • Informative
    • Low
    • Medium
    • High

    Trigger Policy

    Select which trigger, if any, the FortiWeb appliance will use when it logs and/or sends an alert email about a blacklisted IP address’s attempt to connect to your web servers. For details, see Viewing log messages.

    Ignore X-Forwarded-For

    By default, FortiWeb scans the IP addresses in the X-Forwarded-For header at the HTTP layer, which consumes significant resources. To improve performance, enable Ignore X-Forwarded-For so that IP addresses are scanned at the TCP layer instead; this avoids processing HTTP packets unnecessarily.

  5. In Name,
  6. Click OK.
  7. Click Create New to add an entry to the set.
  8. Configure these settings:
    Type

    Select one of the following:

    • Block IP—The source IP address is distrusted and is permanently blocked (blacklisted) from accessing your web servers, even if it would normally pass all other scans.
      Note: If multiple clients share the same source IP address, such as when a group of clients is behind a firewall or router performing network address translation (NAT), blacklisting the source IP address could block innocent clients that share the same source IP address with an offending client.
    • Trust IP—The source IP address is trusted and allowed to access your web servers, unless it fails a previous scan. For details, see Sequence of scans.

    By default, if the IP address of a request is in neither the Block IP nor the Trust IP list, FortiWeb passes the request to other scans to decide whether it is allowed to access your web servers. However, you can define Allow Only IP addresses so that such requests are screened against the Allow Only IPs before they are passed to other scans.

    • Allow Only—If the source IP address is in the Allow Only range, the request is passed to other scans to decide whether it is allowed to access your web servers. If not, FortiWeb takes action according to the trigger policy.
      If the Allow Only range is empty, then source IP addresses that are in neither the Block IP nor the Trust IP list are passed directly to other scans.

    The scan sequence for processing IP addresses is: Block IP > Trust IP > Allow Only. For example, if an IP address is present in the Block IP list, the system blocks it immediately without scanning the Trust IP and Allow Only IP lists.

    In other words, if an IP address appears in multiple IP lists, it is processed only against the list that is scanned first. For example, if you wish to trust an IP range but block specific IP addresses within that range, add those IP addresses to the Block IP list and the IP range to the Trust IP list. The IP range is then trusted while the specified IP addresses are blocked, because the Block IP list is scanned first.

    Requests that are blocked according to the IP Lists receive a warning message as the HTTP response. The warning message page includes ID: 70007, which is the ID of all attack log messages about requests from blocked IPs.

    Detail

    • IPv4/IPv6 / IP Range

      Type the client’s source IP address.

      You can enter either a single IP address or a range of addresses (e.g. 1.2.3.4,2001::1,1.2.3.4-1.2.3.40,2001::1-2001::100). Separate multiple addresses or ranges with a comma ",".

    • IP Group

      Select the IP Group you have created in Server Objects > IP Groups. By using an IP group, you avoid retyping the IP addresses every time you need to reuse them. For more information, see Creating IP groups.

  9. Click OK.
  10. Repeat the previous steps for each individual IP list member that you want to add to the IP list.
  11. To apply the IP list, select it in an inline or Offline Protection profile. For details, see Configuring a protection profile for inline topologies or Configuring a protection profile for an out-of-band topology or asynchronous mode of operation.
    Attack log messages contain Blacklisted IP blocked when this feature detects a blacklisted source IP address.
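The Block IP > Trust IP > Allow Only evaluation order and the comma-separated address/range syntax described in the procedure above, modelled as an added Python example (this is not FortiWeb's own code; the list contents are constructed sample values, and the outcome labels are assumptions chosen for illustration):

```python
import ipaddress

# Parses the IP List "Detail" syntax described above: single IPv4/IPv6
# addresses or start-end ranges, separated by commas.
def parse_ip_list(text):
    entries = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            start, end = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            if start.version != end.version or start > end:
                raise ValueError(f"invalid range: {item}")
            entries.append((start, end))
        else:
            addr = ipaddress.ip_address(item)
            entries.append((addr, addr))
    return entries

# True if addr falls inside any entry of the same IP version.
def in_list(addr, entries):
    addr = ipaddress.ip_address(addr)
    return any(s.version == addr.version and s <= addr <= e for s, e in entries)

def classify(src_ip, block, trust, allow_only=()):
    """Apply the documented order Block IP > Trust IP > Allow Only."""
    if in_list(src_ip, block):
        return "blocked"            # Action applies; attack log ID 70007
    if in_list(src_ip, trust):
        return "trusted"            # exempt from most later scans
    if allow_only and not in_list(src_ip, allow_only):
        return "allow-only-denied"  # handled according to the trigger policy
    return "other-scans"            # passed to the remaining scan techniques

# Constructed sample lists: trust a range but block two hosts inside it,
# as the page suggests. Block IP wins because it is scanned first.
BLOCK = parse_ip_list("1.2.3.10,2001::5")
TRUST = parse_ip_list("1.2.3.4-1.2.3.40,2001::1-2001::100")
ALLOW_ONLY = parse_ip_list("10.0.0.0-10.0.0.255")

if __name__ == "__main__":
    for ip in ("1.2.3.10", "1.2.3.20", "2001::5", "2001::50", "192.0.2.1", "10.0.0.7"):
        print(ip, "->", classify(ip, BLOCK, TRUST, ALLOW_ONLY))
```

Note that the model, like the appliance, matches on the packet source address, so the NAT caveat above applies unchanged: every client behind a blocked NAT address gets the same verdict.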
See also

Blacklisting known bots

You can use FortiWeb features to control access by known bots such as:

  • malicious bots, such as DoS, Spam, and Crawler bots.
  • known good bots such as known search engines.

If you have subscribed to the FortiGuard Security Service, FortiWeb keeps the predefined signatures for malicious robots and source IPs up to date.

To block typically malicious bots, go to Bot Mitigation > Known Bots to configure Malicious Bots.

To control which search engine crawlers are allowed to access your sites, go to Bot Mitigation > Known Bots to configure Known Search Engines.

See also