Fortinet 331 FortiWeb 5.0 Patch 6 Administration Guide
2. Go to IP Reputation > IP Reputation > Policy.
3. In the Status column, enable categories of disreputable clients that you want to block and/or
log.
4. As you would when configuring attack signatures, also configure Action, Block Period,
Severity, and Trigger Action.
5. Click Apply.
6. To apply your IP reputation policy, enable IP Reputation in a protection profile that is used by
a policy (see “Configuring a protection profile for inline topologies” on page 468 or
“Configuring a protection profile for an out-of-band topology or asynchronous mode of
operation” on page 477).
Attack log messages contain Anonymous Proxy : IP Reputation Violation or
Botnet : IP Reputation Violation when this feature detects a possible attack.
See also
Predefined suspicious request URLs
Configuring an auto-learning profile
Recognizing data types
Connecting to FortiGuard services
How often does Fortinet provide FortiGuard updates for FortiWeb?
Blacklisting countries & regions
While many web sites are truly global in nature, others are specific to a region. Government web
applications that provide services only to their residents are one example.
APTs often mask their source IP using anonymizing proxies. While casual attackers will move
on to easier potential targets if their initial attempts fail, APTs are motivated to persist until
they achieve a successful breach. Early warning can be critical. Therefore even if some
innocent anonymous clients use your web servers and you do not want to block them, you
still may want to log proxied anonymous requests. Filtering your other attack logs by these
anonymous IPs can help you to locate and focus on dangerous requests from these IPs,
whether you want to use them to configure a defense, for law enforcement, or for forensic
analysis.
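The filtering described above, as an added example that is not part of the original guide: it collects the source IPs logged with the Anonymous Proxy reputation message, then lists the other attack log entries from those same IPs. The key=value layout, the field names (date, time, src, msg) and the sample lines are constructed assumptions, not FortiWeb's documented log format.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified key=value layout (an assumption;
# adapt the field names to the log export you actually have).
SAMPLE_LOG = '''\
date=2014-03-02 time=10:01:07 src=203.0.113.7 msg="Anonymous Proxy : IP Reputation Violation"
date=2014-03-02 time=10:01:09 src=198.51.100.23 msg="Botnet : IP Reputation Violation"
date=2014-03-02 time=10:02:30 src=203.0.113.7 msg="SQL Injection"
date=2014-03-02 time=10:03:12 src=192.0.2.50 msg="Cross Site Scripting"
date=2014-03-02 time=10:04:44 src=203.0.113.7 msg="Cross Site Scripting"
'''

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Message strings as quoted in the guide.
PROXY_MSG = "Anonymous Proxy : IP Reputation Violation"
REPUTATION_SUFFIX = ": IP Reputation Violation"

def parse_line(line):
    """Split one key=value log line into a dict, unquoting quoted values."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in FIELD_RE.findall(line)}

def other_attacks_from_proxies(log_text):
    """Return {proxy_ip: [non-reputation attack entries]} for triage."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    proxy_ips = {r["src"] for r in records if r.get("msg") == PROXY_MSG and "src" in r}
    hits = defaultdict(list)
    for r in records:
        msg = r.get("msg", "")
        # Keep only the *other* attack types seen from an anonymizing-proxy IP.
        if r.get("src") in proxy_ips and not msg.endswith(REPUTATION_SUFFIX):
            hits[r["src"]].append(f'{r.get("date")} {r.get("time")} {msg}')
    return dict(hits)

if __name__ == "__main__":
    for ip, events in other_attacks_from_proxies(SAMPLE_LOG).items():
        print(ip, len(events))
        for e in events:
            print("   ", e)
```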