Fortinet 5.0 Patch 6

Fortinet 330 FortiWeb 5.0 Patch 6 Administration Guide

you can configure FortiWeb to use the FortiGuard IP Reputation. IP reputation leverages many

techniques for accurate, early, and frequently updated identification of compromised and

malicious clients so you can block attackers before they target your servers. Data about

dangerous clients derives from many sources around the globe, including:

• FortiGuard service statistics

•hon

eypots

• botnet forensic analysis

• anonymizing proxies

•3

rd-party sources in the security community

From these sources, Fortinet compiles a reputation for each public IP address. Clients will have

poor reputations if they have been participating in attacks, willingly or otherwise. Because

blacklisting innocent clients is equally undesirable, Fortinet also restores the reputations of

clients that improve their behavior. This is crucial when an infected computer is cleaned, or in

DHCP or PPPoE pools where an innocent client receives an IP address that was previously

leased by an attacker.

IP reputation knowledge is regularly updated if you have subscribed and connected your

FortiWeb to the FortiGuard IP Reputation service (see “Connecting to FortiGuard services” on

page 134). Due to this, new options will periodically appear. You can monitor the FortiGuard

web site feed for security advisories which may correlate with new IP reputation-related

options.

To configure the policy

1. If you need to exempt some clients’ public IP addresses due to possible false positives,

configure IP reputation exemptions first. Go to IP Reputation > IP Reputation > Exceptions.

Because IP reputation data is based on evidence of hostility rather than a client’s current

physical location on the globe, if your goal is to block attackers rather than restrict delivery, this

feature may be preferable.

Because geographical IP policies are evaluated before many other techniques, defining these

IP addresses can be used to improve performance. For details, see “Sequence of scans” on

page 23.

X-header-derived client source IPs (see “Defining your proxies, clients, & X-headers” on

page 266) do not support this feature in this release. If FortiWeb is deployed behind a load

balancer or other web proxy that applies source NAT, this feature will not work.