By default, IP Reputation functionality is enabled. To disable, enter:

If you have previously disabled IP Reputation and need to re-enable it, enter:

eqcli > reputation enable

To enable or disable IP Reputation using the GUI proceed with the following:

1. Click on the System configuration tab on the left navigational pane.
2. Expand the Global tree. Select IP Reputation to display the IP Reputation screen .
3. Using the IP Reputation Tracking radio buttons to turn IP Reputation On or Off. When Off is selected, no IP Reputation tracking is performed, regardless of individual settings.
4. Click on Commit to save the setting.

The IP Reputation functionality is dependent upon the IP Reputation Database (IRDB), created and managed by Fortinet. The IRDB contains IP addresses and network ID ranges (grouped into the categories described above) that pose a threat to your network. After you register your appliance with Fortinet support, you can download the database from the support site (assuming that your support contract includes IRDB access). Your appliance must have access to the internet to download the IRDB.

The IRDB is updated frequently by Fortinet and should be refreshed on a regular basis. The UI displays the date the IRDB was last updated.

The IRDB database can be downloaded using two methods:

• using controls in the UI to download the database on demand
• using an automated Smart Control (See Smart Control Overview) to download the database regularly.

In order to download the IRDB database, verify that IRIS Service (IP Reputation Intelligence Service) has been enabled for your registered product.on the Fortinet Support site. This will appear in the Product Entitlements section of the product.page.

Manual Download

You will need to download the IRDB database before IP Reputation is fully functional.To verify that the IRDB database has been downloaded, the current IRDB date, and the version currently installed, enter the following using the CLI:

eqcli > show reputation

Current IRDB Version 	:XXXXXXXXXXX

Current IRDB Date    	:XXXXX

IP Reputation 		:Enabled 

eqcli >

If the IRDB has not been downloaded, such as if you were configuring a new appliance, the Current IRDB Version will appear without a version. Also, if you attempt any of the configuration commands described in the following section, an error message will appear.

To download the IRDB database from Fortinet support, enter the following in the CLI:

eqcli > reputation fetch

eqcli: 12000287: Operation successful

To download the IRDB database using the GUI:

1. Click on the System configuration tab on the left navigational pane.
2. Expand the Global tree. Select IP Reputation to display the IP Reputation screen shown below.

3. The date of the Last Download will be displayed in the IP Reputation Database area.Click on the Refresh button to download the latest database.

Using a Smart Control For Regularly Scheduled IRDB Downloads

You can configure a Smart Control to automatically download the IRDB at a regularly scheduled time.

1. Enter the following to assign a name to the Smart Control.

eqcli > smart_control fetch_irdb

The CLI will enter the smart control context.

2. Activate the editor by entering the following in the smart control context.edit invokes the script editor to enter/create the desired script.

eqcli sc-fet*> script edit

3. Construct a script in the editor to fetch the IRDB database.

^[ (escape) menu  ^e search prompt  ^y delete line    ^u up     ^p prev page

^a ascii code     ^x search         ^z undelete line  ^d down   ^n next page

^b bottom of text ^g begin of line  ^w delete word    ^l left

^t top of text    ^o end of line    ^v undelete word  ^r right

^c command        ^k delete char    ^f undelete char      ESC-Enter: exit ee

L: 1 C: 30 ====================================================================

adc::cli("reputation fetch");

4. Exit the editor and be sure to save the script to the datastore.

5. The Smart Control should be run at a regular interval. This is entered in seconds. In the example below, it is configured to run every 6 hours (21600 seconds). A 6 hour interval is recommended, however, you can create an interval that best fits your needs. Enter the following.

You can also enter other details in the schedule string. Refer to the CLI context help or Smart Control Commands for additional information.

To configure a Smart Control to download the IRDB database using the GUI:

1. Click on the System Configuration tab on the left navigational pane and expand the Global branch.
2. Select Smart Control to display the Smart Control display on the right.
3. Click on + to create a new Smart Control. The following will be displayed.

4. On the Smart Control configuration screen:

1. Enter a Name for the Smart Control.
2. Enter the Type of Smart Control. For example, in the configuration above, the Smart Control will be run at 6-hour intervals. Select the Interval option and then select a time interval in the Run Every area.
3. Enter a Script that will fetch the IRDB database. In the example above adc::cli("reputation fetch") is used. Refer to Smart Control Commands for additional information on entering scripts or uploading local scripts.

5. Click on Commit to save the IRDB Download Smart Control.

It is possible that you may want to block one or more IP addresses that do not appear in the IRDB. You can essentially add IP addresses to the IRDB by creating a "blacklist", or list of IP addresses that will be blocked as if they appeared in the IRDB. The block command blocks all IRDB inbound IPs in the specified category or list of IP addresses.

The following examples demonstrated how to block a single IP or a list of IPs. A list is comma separated as shown in the example below:

eqcli > reputation block 172.16.1.170,172.16.1.175,172.16.3.245 

Verify your entry by entering:

eqcli > show reputation blacklist

Blocked IP Name  Start IP Address  End IP Address    Blocked Direction

172.16.1.170     172.16.1.170      172.16.1.170      inbound

172.16.1.175     172.16.1.175      172.16.1.175      inbound

172.16.3.245     172.16.3.245      172.16.3.245      inbound

eqcli >

You could also enter a range of IP addresses to block. If, for example, you enter 10.0.0.5 - 10.0.0.11, all the addresses from 10.0.0.5 to 10.0.0.11 will be blocked.The format below is used:

You can also enter a range of ip addresses using CIDR notation. For example, you could enter the following:

This would encompass the 1024 addresses from 192.168.100.0 to 192.168.103.255. To verify the addresses that are blocked enter:

eqcli > show reputation blacklist

Blocked IP Name  Start IP Address  End IP Address    Blocked Direction

192.168.100.0    192.168.100.0     192.168.103.255   inbound

eqcli >

Removing IP Addresses from the Blacklist

The following format is used to remove previously configured IP addresses or categories from blacklists.

eqcli > no reputation {CIDR List|IP address}

To blacklist IP addresses using the GUI:

1. Click on the System configuration tab on the left navigational pane.
2. Expand the Global tree. Select IP Reputation and then click on the Modify Database tab on the right. The following will be displayed:

3. Enter IP addresses in the Modify Blacklist text box and click on + to add them to the list below.

1. You could enter individual IP addresses.
2. You could also enter a range of IP addresses to block. If, for example, you enter 10.0.0.5 - 10.0.0.11, all the addresses from 10.0.0.5 to 10.0.0.11 will be blocked.
3. You can also enter a range of ip addresses using CIDR notation. If, for example, you enter 192.168.100.0/22, this would encompass the 1024 addresses from 192.168.100.0 to 192.168.103.255.

To remove any of the addresses from the blacklist, select the IP addresses, or range of IP addresses in the list and click on the trash icon.

Click on the Display IP Reputation Database button to display a pop up window, which displays the contents of the IP Reputation database by category.

As described above, a whitelist is a list of IP addresses or categories that will be allowed to pass, regardless of whether they are identified as potentially malicious in the IRDB database. The command format used to "block" addresses is similar to the format used to "pass" addresses (explained above). The pass command permits inbound IP addresses found in the IRDB database to access clusters defined on the ADC.

You can whitelist a single IP or a list of IPs. The list is comma separated. In the example below a list of IP addresses is shown:

eqcli > reputation pass 172.16.1.170,172.16.1.175,172.16.3.245 

Verify your entry by entering:

eqcli > show reputation whitelist

Allowed IP Name  Start IP Address  End IP Address    Allowed Direction

172.16.1.170     172.16.1.170      172.16.1.170      inbound

172.16.1.175     172.16.1.175      172.16.1.175      inbound

172.16.3.245     172.16.3.245      172.16.3.245      inbound

eqcli >

You could also enter a range of IP addresses to pass .If, for example, you enter 10.0.0.5 - 10.0.0.11, all of the addresses from 10.0.0.5 to 10.0.0.11 will be passed. The following format is used:

You can enter a range of ip addresses using CIDR notation. For example, you could enter the following:

This would encompass the 1024 addresses from 192.168.100.0 to 192.168.103.255. To verify the addresses that are whitelisted enter:

eqcli > show reputation whitelist

Allowed IP Name  Start IP Address  End IP Address    Allowed Direction

192.168.100.0    192.168.100.0     192.168.103.255   inbound

eqcli >

Removing IP Addresses from the Whitelist

The following format is used to remove previously configured IP addresses from whitelists.

eqcli > no reputation pass {CIDR List|IP address}

To whitelist IP addresses using the GUI:

1. Click on the System configuration tab on the left navigational pane.
2. Expand the Global tree. Select IP Reputation and then click on the Modify Database tab on the right. The following will be displayed:

3. Enter IP addresses in the Modify Whitelist text box and click on + to add them to the list below.

1. You could enter individual IP addresses that will be allowed.
2. You could also enter a range of IP addresses to allow. If, for example, you enter 10.0.0.5 - 10.0.0.11, all the addresses from 10.0.0.5 to 10.0.0.11 will be allowed.
3. You can also enter a range of ip addresses using CIDR notation. If, for example, you enter 192.168.100.0/22, this would encompass the 1024 addresses from 192.168.100.0 to 192.168.103.255.

To remove any of the addresses from the whitelist, select the IP addresses, or range of IP addresses in the list and click on the trash icon.

You can display the IP addresses that have been identified as potentially malicious in the IRDB for each category.

To view the IP addresses in categories using the CLI, enter:

eqcli > show reputation category category

The example below shows 16 IRDB IP addresses for the botnet category.

eqcli > show reputation category botnet

Category 'botnet' has 16 IP addresses:

1.0.243.254

1.11.85.56

1.11.149.254

1.11.173.96

1.11.183.116

1.11.195.119

1.22.8.216

1.22.16.180

1.22.17.79

1.22.19.49

1.22.28.30

1.22.35.88

1.22.38.1

1.22.38.241

1.22.71.16

1.22.71.230