Fortinet 5.0 Patch 6 Monitoring currently blocked IPs, FortiGuard updates

Fortinet 606 FortiWeb 5.0 Patch 6 Administration Guide

Monitoring currently blocked IPs

Log&Report > Monitor > Blocked IPs displays all client IP addresses whose requests the

FortiWeb appliance is temporarily blocking because the client violated a rule whose Action is

Period Block. Since at any given time a period block might be applied by one server policy but

not by another, client IPs are sorted by and listed under the names of server policies.

If a client was inadvertently blocked due to a false positive, you can immediately release it from

being blocked by clicking the Delete icon next to its entry in this table. (If it is being blocked by

multiple policies, you should delete the client’s entry under each policy name. Otherwise, the

client will still be blocked by some policies.)

Alternatively, the IP address will automatically be removed from the list when its block period

expires.

To access this part of the web UI, your administrator’s account access profile must have Read

and Write permission to items in the Log & Report category. For details, see “Permissions” on

page 47.

See also

•Blacklisting & whitelisting clients individually by source IP

•Configuring a protection profile for inline topologies

•Configuring a protection profile for an out-of-band topology or asynchronous mode of

operation

FortiGuard updates

One of the most important things you can do is to ensure that your FortiWeb is receiving regular

updates from the FortiGuard FortiWeb Web Security service and FortiGuard Antivirus service.

Without these updates, your FortiWeb cannot detect the newest threats.

Event logs record FortiGuard update attempts. In addition to scheduling polls for automatic

updates, you can also manually update the service packages or initiate an connectivity test to

the FDN at any time. For details, see “Connecting to FortiGuard services” on page 134.

If a client frequently is correctly added to the period block list, and is a suspected attacker, you

may be able to improve both security and performance by permanently blacklisting that source

IP address. See “Blacklisting & whitelisting clients individually by source IP” on page 335 and

“Sequence of scans” on page 23.

If the client is not an attacker, in addition to removing his or her IP from this list, you may need

to adjust the configuration that caused the period block, such as adjusting DoS protection so

that it does not block normal request rates. Otherwise, the client may quickly reappear in the

period block list.