Fortinet 330 FortiWeb 5.0 Patch 6 Administration Guide
you can configure FortiWeb to use the FortiGuard IP Reputation. IP reputation leverages many
techniques for accurate, early, and frequently updated identification of compromised and
malicious clients so you can block attackers before they target your servers. Data about
dangerous clients derives from many sources around the globe, including:
• FortiGuard service statistics
• honeypots
• botnet forensic analysis
• anonymizing proxies
• 3rd-party sources in the security community
From these sources, Fortinet compiles a reputation for each public IP address. Clients will have
poor reputations if they have been participating in attacks, willingly or otherwise. Because
blacklisting innocent clients is equally undesirable, Fortinet also restores the reputations of
clients that improve their behavior. This is crucial when an infected computer is cleaned, or in
DHCP or PPPoE pools where an innocent client receives an IP address that was previously
leased by an attacker.
IP reputation knowledge is regularly updated if you have subscribed and connected your
FortiWeb to the FortiGuard IP Reputation service (see “Connecting to FortiGuard services” on
page 134). Due to this, new options will periodically appear. You can monitor the FortiGuard
web site feed for security advisories which may correlate with new IP reputation-related
options.
To configure the policy
1. If you need to exempt some clients’ public IP addresses due to possible false positives,
configure IP reputation exemptions first. Go to IP Reputation > IP Reputation > Exceptions.
Because IP reputation data is based on evidence of hostility rather than a client’s current
physical location on the globe, if your goal is to block attackers rather than restrict delivery, this
feature may be preferable.
Because geographical IP policies are evaluated before many other techniques, defining these
IP addresses can be used to improve performance. For details, see “Sequence of scans” on
page 23.
X-header-derived client source IPs (see “Defining your proxies, clients, & X-headers” on
page 266) do not support this feature in this release. If FortiWeb is deployed behind a load
balancer or other web proxy that applies source NAT, this feature will not work.
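The source NAT limitation and the exemptions-first order described above can be checked against your own traffic with a small model. This is an added example, not Fortinet code or FortiWeb configuration: the reputation set, exemption list, addresses and function names are constructed for illustration, and each X-Forwarded-For value is assumed to hold a single address.

```python
import ipaddress
from collections import Counter

# RFC 1918 ranges: a peer address inside them has no public reputation to look up.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data (documentation address ranges), not real FortiGuard entries.
POOR_REPUTATION = {ipaddress.ip_address("198.51.100.7"), ipaddress.ip_address("203.0.113.50")}
EXEMPTIONS = [ipaddress.ip_network("203.0.113.50/32")]  # hypothetical known false positive

# (TCP peer address, X-Forwarded-For value or None), constructed.
DIRECT = [("198.51.100.7", None), ("203.0.113.20", None), ("203.0.113.50", None)]
BEHIND_LB = [("10.0.0.5", "198.51.100.7"), ("10.0.0.5", "203.0.113.20"),
             ("10.0.0.5", "203.0.113.50")]

def verdict(addr, poor=POOR_REPUTATION, exemptions=EXEMPTIONS):
    """Model of the lookup: exemptions are consulted first, then the reputation set."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in exemptions):
        return "exempt"
    return "block" if ip in poor else "allow"

def snat_report(requests):
    """Summarise how useful a peer-address reputation lookup is for this traffic."""
    peers = Counter(peer for peer, _ in requests)
    top_peer, top_hits = peers.most_common(1)[0]
    private = sum(any(ipaddress.ip_address(p) in n for n in RFC1918) for p, _ in requests)
    # Requests allowed on the peer address although the forwarded client would be blocked.
    missed = [xff for peer, xff in requests
              if xff and verdict(peer) == "allow" and verdict(xff) == "block"]
    return {"top_peer": top_peer,
            "top_peer_share": top_hits / len(requests),
            "private_share": private / len(requests),
            "missed": missed}

if __name__ == "__main__":
    for name, sample in (("direct", DIRECT), ("behind load balancer", BEHIND_LB)):
        print(name, [verdict(p) for p, _ in sample], snat_report(sample))
```

A `private_share` or `top_peer_share` close to 1.0 in real connection logs indicates that the appliance sees the load balancer's address rather than the clients' public addresses, so reputation lookups on the peer address cannot match.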