waf ip-intelligence
Use this command to configure reputation-based source IP blacklisting.
Clients with suspicious behaviors or poor reputations include spammers, phishers, botnets, and anonymizing proxy users. If you have purchased a subscription for the FortiGuard IP Reputation service, your FortiWeb can periodically download an updated blacklist to keep your appliance current with changes in dynamic IPs, spreading virus infections, and spammers changing service providers.
IP intelligence settings apply globally, to all policies that use this feature.
Before or after using this command, configure any exemptions that you want to apply by using the command “waf ip-intelligence-exception”. To apply IP reputation-based blocking, configure these category settings first, then enable ip-intelligence {enable | disable} in the server policy’s protection profile.
Alternatively, you can block sets of many clients based upon their geographical origin (see “waf geo-block-list”) or manually by specific IPs (see “waf ip-list”).
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For more information, see “Permissions”.
Syntax
config waf ip-intelligence
edit <entry_index>
set action {alert | alert_deny | redirect | send_403_forbidden | block-period}
set block-period <seconds_int>
set category <category_name>
set severity {Low | Medium | High}
set status {enable | disable}
set trigger <trigger-policy_name>
next
end
Variable
Description
Default
<entry_index>
Type the index number of the individual entry in the table.
No default.
action {alert | alert_deny | redirect | send_403_forbidden | block-period}
Select one of the following actions that the FortiWeb appliance performs when a client’s source IP matches the blacklist category:
alert — Accept the request and generate an alert email and/or log message.
alert_deny — Block the request (or reset the connection) and generate an alert email and/or log message.
You can customize the web page that FortiWeb returns to the client with the HTTP status code. See the FortiWeb Administration Guide or “system replacemsg”.
block-period — Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.
redirect — Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. Also configure redirect-url <redirect_fqdn> and rdt-reason {enable | disable}.
send_403_forbidden — Reply to the client with an HTTP 403 Access Forbidden error message and generate an alert email and/or log message.
Caution: FortiWeb ignores this setting when monitor-mode {enable | disable} is enabled.
Note: Logging and/or alert email will occur only if enabled and configured. See “config log disk” and “config log alertemail”.
Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance will block the request or reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For more information on auto-learning requirements, see “config waf web-protection-profile autolearning-profile”.
Default: alert
block-period <seconds_int>
Type the number of seconds to block the source IP. The valid range is from 0 to 3,600 seconds.
This setting applies only if action is block-period.
Default: 60
category <category_name>
Type the name of an existing IP intelligence category, such as "Anonymous Proxy" or Botnet. If the category name contains a space, you must surround the name in double quotes. The maximum length is 35 characters.
Category names vary by the version number of your FortiGuard IRIS package.
 
status {enable | disable}
Enable to block clients whose source IP belongs to this category according to the FortiGuard IRIS service.
Default: enable
severity {Low | Medium | High}
When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance uses when a blacklisted IP address attempts to connect to your web servers:
Low
Medium
High
Default: Low
trigger <trigger-policy_name>
Select which trigger, if any, that the FortiWeb appliance uses when it logs and/or sends an alert email about a blacklisted IP address’s attempt to connect to your web servers (see “config log trigger-policy”). The maximum length is 35 characters.
To display the list of existing trigger policies, type:
set trigger ?
No default.
Example
The following command blacklists clients whose source IPs are currently known by Fortinet to be members of a botnet. In the FortiGuard IRIS package for this example, “Botnet” is the first item in the list of categories.
When a botnet member makes a request, FortiWeb blocks the connection and continues to block it without re-evaluating it for the next 6 minutes (360 seconds). FortiWeb logs the event with a high severity level and sends notifications to the Syslog and email servers specified in notification-servers1.
config waf ip-intelligence
edit 1
set status enable
set action block-period
set block-period 360
set severity High
set trigger notification-servers1
next
end
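As an added illustration that is not part of the Fortinet reference, the following Python helper emits ip-intelligence entries from a list of dictionaries and enforces the constraints documented in the table above: valid action and severity keywords, the 35-character limit on category and trigger names, double quotes around a category name that contains a space, the 0 to 3,600 second block-period range, and block-period applying only when the action is block-period. The entry dictionary keys and the sample entries are constructed for this example.

```python
"""Emit 'config waf ip-intelligence' CLI text and check it against the
documented constraints. Added example, not Fortinet code."""

ACTIONS = {"alert", "alert_deny", "redirect", "send_403_forbidden", "block-period"}
SEVERITIES = {"Low", "Medium", "High"}
NAME_MAX = 35            # category and trigger-policy name limit
BLOCK_PERIOD_MAX = 3600  # seconds; valid range is 0..3600


def quote_if_needed(name: str) -> str:
    """A category name containing a space must be wrapped in double quotes."""
    return f'"{name}"' if " " in name else name


def validate_entry(entry: dict) -> None:
    """Raise ValueError for any value the CLI reference says is invalid."""
    if entry["action"] not in ACTIONS:
        raise ValueError(f"unknown action: {entry['action']}")
    if entry.get("severity", "Low") not in SEVERITIES:
        raise ValueError(f"unknown severity: {entry['severity']}")
    for key in ("category", "trigger"):
        value = entry.get(key)
        if value is not None and len(value) > NAME_MAX:
            raise ValueError(f"{key} exceeds {NAME_MAX} characters: {value}")
    period = entry.get("block_period")
    if period is not None:
        if entry["action"] != "block-period":
            raise ValueError("block-period applies only when action is block-period")
        if not 0 <= period <= BLOCK_PERIOD_MAX:
            raise ValueError(f"block-period out of range 0..{BLOCK_PERIOD_MAX}: {period}")


def render_ip_intelligence(entries: list) -> str:
    """Return CLI text for the entries; index numbers are assigned in order."""
    lines = ["config waf ip-intelligence"]
    for index, entry in enumerate(entries, start=1):
        validate_entry(entry)
        lines.append(f"edit {index}")
        lines.append(f"set status {entry.get('status', 'enable')}")
        lines.append(f"set category {quote_if_needed(entry['category'])}")
        lines.append(f"set action {entry['action']}")
        if entry["action"] == "block-period":
            lines.append(f"set block-period {entry.get('block_period', 60)}")
        lines.append(f"set severity {entry.get('severity', 'Low')}")
        if entry.get("trigger"):
            lines.append(f"set trigger {entry['trigger']}")
        lines.append("next")
    lines.append("end")
    return "\n".join(lines)


# Constructed sample: block botnet members for 6 minutes at High severity,
# and only alert on anonymous-proxy users.
SAMPLE = [{"category": "Botnet", "action": "block-period", "block_period": 360,
           "severity": "High", "trigger": "notification-servers1"},
          {"category": "Anonymous Proxy", "action": "alert"}]
```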
Related topics
config waf ip-intelligence-exception
config log trigger-policy
config waf web-protection-profile inline-protection
config waf web-protection-profile offline-protection
config waf geo-block-list
config waf ip-list
diagnose debug flow trace