Chapter 15 Unified Threat Management for FortiOS 5.0 : Client Reputation : Summary of the Client Reputation features
  
Summary of the Client Reputation features
Activities you can track include:
Bad Connection Attempts: A typical bot behavior is to try to connect to hosts that do not exist on the Internet. This happens because the bot's home (command-and-control) host must change constantly to evade law enforcement and to hide from AV vendors. Bad connection attempts are tracked by:
Lookups for a DNS name that does not exist.
Connection attempts to an IP address that has no route.
HTTP 404 errors
Packets that are blocked by security policies.
Intrusion protection: Attack detected. The effect on reputation increases with the severity of the attack. A subscription to FortiGuard IPS updates is required.
Malware protection: Malware detected. This requires a subscription to FortiGuard Antivirus updates.
Web activity: Visit to web site in risky categories, including Potentially Liable, Adult/Mature Content, Bandwidth Consuming and Security Risk. A subscription to FortiGuard Web Filtering is required.
Application protection: Client uses software in risky categories, including Botnet, P2P, Proxy, and Games applications. A subscription to FortiGuard IPS updates is required.
Geographical locations that clients are communicating with. Access to the FortiGuard geographic database and a valid Fortinet support contract is required.
You can configure how severely each type of tracked activity will impact the reputation of the client in a sliding scale of Low, Medium, High or Critical. You can also choose to ignore an activity by setting it to Off. When an activity is turned off, it will have no effect on reputation.
You can enable client reputation tracking for your FortiGate unit by going to Security Profiles > Client Reputation > Threat Level Definition. Turning on client reputation tracking turns on traffic logging for all security policies, for all DoS policies and for all sniffer policies. While client reputation is enabled, logging cannot be turned off for these policies. Traffic logging must be enabled for data to be added to the client reputation database.
 
Client reputation only highlights risky activity and does not include tools to stop it. It is a tool that exposes risky behavior. When you uncover risky behavior that concerns you, you can take additional action to stop it, such as adding more restrictive security policies to block the activity or increasing Security Profiles protection. You can also take other measures outside your FortiGate unit to stop the activity.
To support client reputation your FortiGate unit must be registered, have a valid support contract and be licensed for FortiGuard antivirus, IPS and Web Filtering.
After client reputation is turned on, the FortiGate unit tracks recent behavior using a sliding window and displays current data for this window. The client reputation monitor displays clients and their activities in charts ordered according to how risky the behavior exhibited by the client is.
Client Reputation data is stored in traffic log messages in the newly added client reputation fields (crscore and craction). When you enable client reputation, either Log Security Events or Log all Sessions is enabled in every security policy. Log Security Events records traffic log messages for Security Profile sessions, and Log all Sessions records traffic logs for all sessions. While Client Reputation is enabled you cannot select No Log in a security policy. Using the client reputation data in log messages, you can configure FortiAnalyzer to produce a client reputation report.
Enabling client reputation can affect system performance if you were not already using traffic logging.
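Because the reputation data lives in ordinary traffic log records, you can build a simple client reputation ranking yourself, for example from logs forwarded to a syslog collector, without waiting for a FortiAnalyzer report. The following is an added example, not FortiOS or FortiAnalyzer code: it parses key=value log lines, keeps only records that carry a crscore, sums the score per source IP over a sliding time window as the monitor does, and ranks the clients. The sample log lines are constructed for illustration; the craction values in them are placeholders and are carried through as opaque codes, since this page does not define their meaning.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real device output). The layout follows the
# key=value style of FortiGate traffic logs; crscore/craction are the client
# reputation fields described above. craction values here are placeholders.
SAMPLE_LOGS = """\
date=2013-06-01 time=09:00:05 type=traffic subtype=forward level=notice srcip=10.1.1.20 dstip=203.0.113.9 dstport=80 action=deny crscore=5 craction=131072
date=2013-06-01 time=09:01:12 type=traffic subtype=forward level=notice srcip=10.1.1.20 dstip=203.0.113.77 dstport=53 action=accept crscore=5 craction=131072
date=2013-06-01 time=09:02:40 type=traffic subtype=forward level=warning srcip=10.1.1.31 dstip=198.51.100.4 dstport=443 action=accept crscore=30 craction=262144
date=2013-06-01 time=09:03:01 type=traffic subtype=forward level=notice srcip=10.1.1.42 dstip=198.51.100.9 dstport=80 action=accept msg="no reputation data on this record"
date=2013-06-01 time=07:30:00 type=traffic subtype=forward level=warning srcip=10.1.1.42 dstip=198.51.100.9 dstport=6881 action=deny crscore=50 craction=524288
"""

# key=value pairs; values may be double-quoted and contain spaces.
LOG_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_line(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in LOG_FIELD.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def record_time(fields):
    """Combine the date and time fields of a record into a datetime."""
    return datetime.strptime(fields["date"] + " " + fields["time"], TIME_FORMAT)


def client_scores(log_text, window_end, window_minutes=60):
    """Rank source IPs by summed crscore over the window ending at window_end.

    window_end is a "YYYY-MM-DD HH:MM:SS" string. Records without a crscore
    field carry no reputation data and are ignored; records outside the
    sliding window (window_end - window_minutes, window_end] are skipped.
    Returns a list of (srcip, total_score, record_count) sorted worst-first.
    """
    end = datetime.strptime(window_end, TIME_FORMAT)
    start = end - timedelta(minutes=window_minutes)
    totals = defaultdict(int)
    counts = defaultdict(int)
    actions = defaultdict(set)  # opaque craction codes seen per client
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        if "crscore" not in fields or "srcip" not in fields:
            continue
        ts = record_time(fields)
        if not (start < ts <= end):
            continue
        ip = fields["srcip"]
        totals[ip] += int(fields["crscore"])
        counts[ip] += 1
        actions[ip].add(fields.get("craction", ""))
    ranked = sorted(totals, key=lambda ip: (-totals[ip], ip))
    return [(ip, totals[ip], counts[ip]) for ip in ranked]


if __name__ == "__main__":
    for ip, score, n in client_scores(SAMPLE_LOGS, "2013-06-01 09:05:00", 60):
        print(f"{ip:<12} score={score:<4} records={n}")
```

Widening the window changes the picture: with a 60-minute window ending at 09:05 the P2P-style record at 07:30 is outside the window and 10.1.1.31 ranks worst, while a 120-minute window pulls 10.1.1.42 to the top. That is the same effect the monitor's sliding window has, so when you compare your own aggregation with the GUI, make sure both use the same window.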
This chapter describes:
Applying client reputation monitoring to your network
Viewing client reputation results
Setting the client reputation profile/definition
Expanding client reputation to include more types of behavior
Client reputation execute commands
Client reputation diagnose commands