Monitoring currently blocked IPs

Log&Report > Monitor > Blocked IPs displays all client IP addresses whose requests the FortiWeb appliance is temporarily blocking because the client violated a rule whose Action is Period Block. Since at any given time a period block might be applied by one server policy but not by another, client IPs are sorted by and listed under the names of server policies.

If a client was inadvertently blocked due to a false positive, you can immediately release it from being blocked by clicking the Delete icon next to its entry in this table. (If it is being blocked by multiple policies, you should delete the client’s entry under each policy name. Otherwise, the client will still be blocked by some policies.)

Alternatively, the IP address will automatically be removed from the list when its block period expires.

If a client frequently is correctly added to the period block list, and is a suspected attacker, you may be able to improve both security and performance by permanently blacklisting that source IP address. See Blacklisting & whitelisting clients using a source IP or source IP range and Sequence of scans.

If the client is not an attacker, in addition to removing his or her IP from this list, you may need to adjust the configuration that caused the period block, such as adjusting DoS protection so that it does not block normal request rates. Otherwise, the client may quickly reappear in the period block list.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see Permissions.

See also