Variable | Description | Default |
<entry_index> | Type the index number of the individual entry in the table. | No default. |
action {alert | alert_deny | redirect | send_403_forbidden | block-period} | Select one of the following actions that the FortiWeb appliance performs when a client’s source IP matches the blacklist category: • alert — Accept the request and generate an alert email and/or log message. • alert_deny — Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. See the FortiWeb Administration Guide or “system replacemsg”. • block-period — Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>. • redirect — Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. Also configure redirect-url <redirect_fqdn> and rdt-reason {enable | disable}. • send_403_forbidden — Reply to the client with an HTTP 403 Access Forbidden error message and generate an alert email and/or log message. Caution: FortiWeb ignores this setting when monitor-mode {enable | disable} is enabled. Note: Logging and/or alert email will occur only if enabled and configured. See “config log disk” and “config log alertemail”. Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance will block the request or reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For more information on auto-learning requirements, see “config waf web-protection-profile autolearning-profile”. | alert |
block-period <seconds_int> | Type the number of seconds to block the source IP. The valid range is from 0 to 3,600 seconds. This setting applies only if action is block-period. | 60 |
category <category_name> | Type the name of an existing IP intelligence category, such as "Anonymous Proxy" or Botnet. If the category name contains a space, you must surround the name in double quotes. The maximum length is 35 characters. Category names vary by the version number of your FortiGuard IRIS package. | |
status {enable | disable} | Enable to block clients whose source IP belongs to this category according to the FortiGuard IRIS service. | enable |
severity {Low | Medium | High} | When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance uses when a blacklisted IP address attempts to connect to your web servers: • Low • Medium • High | Low |
trigger <trigger-policy_name> | Select which trigger, if any, the FortiWeb appliance uses when it logs and/or sends an alert email about a blacklisted IP address’s attempt to connect to your web servers (see “config log trigger-policy”). The maximum length is 35 characters. To display the list of existing trigger policies, type: set trigger ? | No default. |
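
An added example (not Fortinet's code and not part of the original reference): a small Python check that lints a block of these settings against the constraints in the table before it is applied. The `edit`/`next` block layout, the function names and the sample configuration are assumptions constructed for illustration.

```python
import re
# Allowed action values, block-period range and defaults as listed in the table above.
ACTIONS = {"alert", "alert_deny", "redirect", "send_403_forbidden", "block-period"}
DEFAULTS = {"action": "alert", "block-period": "60"}

def parse_entries(text):
    """Return {entry_index: {setting: raw_value}} from edit/set/next blocks."""
    entries, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"edit\s+(\S+)$", line):
            current = entries.setdefault(m.group(1), {})
        elif line == "next":
            current = None
        elif current is not None and (m := re.match(r"set\s+(\S+)\s+(.+)$", line)):
            current[m.group(1)] = m.group(2)
    return entries

def audit(text):
    """Return sorted (entry_index, finding) pairs for settings that break the table's rules."""
    findings = []
    for idx, raw in parse_entries(text).items():
        cfg = {**DEFAULTS, **raw}  # unset values fall back to the documented defaults
        category, period = cfg.get("category", ""), cfg["block-period"]
        quoted = len(category) >= 2 and category[0] == category[-1] == '"'
        name = category[1:-1] if quoted else category
        checks = [
            (cfg["action"] not in ACTIONS, "unknown action"),
            (" " in name and not quoted, "category with a space is not double-quoted"),
            (len(name) > 35, "category longer than 35 characters"),
            (not (period.isdigit() and int(period) <= 3600), "block-period outside 0-3600"),
            ("block-period" in raw and cfg["action"] != "block-period", "block-period has no effect"),
        ]
        findings += [(idx, msg) for failed, msg in checks if failed]
    return sorted(findings)

# Constructed sample configuration (assumed edit/set/next layout), not from a real appliance.
SAMPLE = """
edit 1
  set category "Anonymous Proxy"
  set action block-period
  set block-period 600
next
edit 2
  set category Anonymous Proxy
  set block-period 7200
next
"""

if __name__ == "__main__":
    print(*(f"entry {i}: {msg}" for i, msg in audit(SAMPLE)), sep="\n")
```

Entry 1 passes; entry 2 is reported for the unquoted category name, the out-of-range block period, and a block period that is set while the action is still the default alert.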