config : waf ip-list
 
waf ip-list
Use this command to define which source IP addresses are trusted clients, undetermined, or distrusted.
Trusted IPs — Almost always allowed to access your protected web servers. Trusted IPs are exempt from many (but not all) of the restrictions that would otherwise be applied by a server policy. To determine which scans are skipped, see “debug flow trace”.
Neither — If a source IP address is neither explicitly blacklisted nor trusted by an IP list policy, the client can access your web servers, unless it is blocked by any of your other configured, subsequent web protection scan techniques (see “debug flow trace”).
Blacklisted IPs — Blocked and prevented from accessing your protected web servers. Requests from blacklisted IP addresses receive a warning message in response. The warning message page includes ID: 70007, which is the ID of all attack log messages about requests from blacklisted IPs.
 
Because FortiWeb evaluates trusted and blacklisted IP policies before many other techniques, defining these IP addresses can improve performance.
Alternatively, you can block sets of many clients based upon their reputation (see “waf ip-intelligence”) or geographical origin (see “waf geo-block-list”).
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For more information, see “Permissions”.
Syntax
config waf ip-list
edit <ip-list_name>
config members
edit <entry_index>
set ip <client_ip>
set type {trust-ip | black-ip}
set severity {Low | Medium | High}
set trigger-policy <trigger-policy_name>
next
end
next
end
Variable
Description
Default
<ip-list_name>
Type the name of a new or existing rule. The maximum length is 35 characters.
To display the list of existing rules, type:
edit ?
No default.
<entry_index>
Type the index number of the individual entry in the table. The valid range is from 1 to 9,999,999,999,999,999,999.
No default.
ip <client_ip>
Enter one of the following values:
• A single IP address that a client source IP must match, such as a trusted private network IP address (e.g. an administrator’s computer, 172.16.1.20).
• A range of addresses, written as the first and last address joined by a hyphen (for example, 172.22.14.1-172.22.14.255 or 10:200::10:1-10:200::10:100).
No default.
type {trust-ip | black-ip}
Select either:
trust-ip — The source IP address is trusted and allowed to access your web servers, unless it fails a previous scan (see “debug flow trace”).
black-ip — The source IP address is distrusted and is permanently blocked (blacklisted) from accessing your web servers, even if it would normally pass all other scans.
Note: If multiple clients share the same source IP address, such as when a group of clients is behind a firewall or router performing network address translation (NAT), blacklisting the source IP address could block innocent clients that share the same source IP address with an offending client.
trust-ip
severity {Low | Medium | High}
When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when a blacklisted IP address attempts to connect to your web servers:
Low
Medium
High
No default.
trigger-policy <trigger-policy_name>
Select which trigger, if any, the FortiWeb appliance uses when it logs and/or sends an alert email about a blacklisted IP address’s attempt to connect to your web servers (see “config log trigger-policy”). The maximum length is 35 characters.
To display the list of existing trigger policies, type:
set trigger-policy ?
No default.
Example
The following shows the configuration for a trusted host of 192.0.2.0 followed by a blacklisted client of 192.0.2.1.
config waf ip-list
edit "IP-List-Policy1"
config members
edit 1
set ip 192.0.2.0
next
edit 2
set type black-ip
set ip 192.0.2.1
set severity Medium
set trigger-policy "TriggerActionPolicy1"
next
end
next
end
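The following offline checker is an added example and is not part of the FortiWeb documentation or product. It parses a `config waf ip-list` fragment in the form shown above, then reports which entries a given client address matches and the resulting classification (trust-ip, black-ip, or neither), so an administrator can confirm what a member list will do to a particular client before applying it. The sample configuration is constructed: it repeats the example above and adds an assumed third entry with an IPv4 range (198.51.100.1-198.51.100.254) to exercise range matching. A client address that matches both a trust-ip and a black-ip entry is reported as a conflict rather than resolved, because this page does not state how FortiWeb orders overlapping members; treat that verdict as something to fix in the configuration.

```python
import ipaddress
import shlex

# Constructed sample: the Example configuration from this page plus an
# assumed third member (a black-ip range) to exercise range matching.
SAMPLE_CONFIG = """
config waf ip-list
    edit "IP-List-Policy1"
        config members
            edit 1
                set ip 192.0.2.0
            next
            edit 2
                set type black-ip
                set ip 192.0.2.1
                set severity Medium
                set trigger-policy "TriggerActionPolicy1"
            next
            edit 3
                set type black-ip
                set ip 198.51.100.1-198.51.100.254
            next
        end
    next
end
"""


def parse_ip_list(text):
    """Return {list_name: [member, ...]} from a 'config waf ip-list' fragment.

    Each member is a dict with the keys index, type, ip, severity and
    trigger-policy. 'type' defaults to trust-ip, matching the CLI default.
    """
    lists = {}
    current_list = None
    member = None
    in_members = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # strips the quotes around names
        cmd = tokens[0]
        if cmd == "config":
            in_members = tokens[1:] == ["members"]
        elif cmd == "edit":
            if in_members:
                member = {"index": int(tokens[1]), "type": "trust-ip", "ip": None,
                          "severity": None, "trigger-policy": None}
            else:
                current_list = tokens[1]
                lists[current_list] = []
        elif cmd == "set" and member is not None:
            member[tokens[1]] = tokens[2]
        elif cmd == "next":
            if member is not None:
                lists[current_list].append(member)
                member = None
            else:
                current_list = None
        elif cmd == "end":
            in_members = False
    return lists


def member_matches(member, client_ip):
    """True if client_ip falls inside the member's single address or range."""
    addr = ipaddress.ip_address(client_ip)
    spec = member["ip"]
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        # IPv4 and IPv6 objects are never comparable; treat as no match.
        return lo.version == addr.version and lo <= addr <= hi
    single = ipaddress.ip_address(spec)
    return single.version == addr.version and single == addr


def classify(lists, client_ip):
    """Return (verdict, hits): verdict is trust-ip, black-ip, neither or conflict."""
    hits = [(name, m) for name, members in lists.items()
            for m in members if member_matches(m, client_ip)]
    types = {m["type"] for _, m in hits}
    if not types:
        return "neither", hits
    if len(types) > 1:
        # Page does not define precedence for overlapping entries: flag it.
        return "conflict", hits
    return types.pop(), hits


if __name__ == "__main__":
    parsed = parse_ip_list(SAMPLE_CONFIG)
    for ip in ("192.0.2.0", "192.0.2.1", "198.51.100.77", "198.51.100.255", "2001:db8::1"):
        verdict, hits = classify(parsed, ip)
        print(ip, verdict, [(name, m["index"]) for name, m in hits])
```

The checker only models the IP-list stage; a "neither" verdict means the client is then subject to whatever subsequent scans the server policy applies, and a "trust-ip" verdict still leaves the scans that trusted clients are not exempt from.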
Related topics
config log trigger-policy
config waf web-protection-profile inline-protection
config waf web-protection-profile offline-protection
config waf geo-block-list
config waf ip-intelligence
diagnose debug flow trace