ezhupa
Staff
February 28, 2026

Technical Tip: Source IP reputation checks not working on firewall policy

Description
This article describes how to troubleshoot issues with source reputation checks on firewall policies.
Scope
FortiGate.
Solution

IP reputation is closely tied to the ISDB. If the ISDB lacks info about an IP, the reputation is missing.


The Internet Service Database (ISDB) currently has five reputation levels. Read more in this article: Technical Tip: IP reputation filtering.


Consider the following policy, which allows access to a specific service on a specific internal host from the external network to the internal network (WAN to LAN).


config firewall policy
    edit <policyID>
        set srcintf "WAN"
        set dstintf "LAN"
        set action accept
        set srcaddr "all"
        set dstaddr "host-x.x.x.x"
        set reputation-minimum 3
        set reputation-direction source
        set schedule "always"
        set service "XXXX"
        set logtraffic all
    next
end


When checking the logs for this traffic, source IPs without a reputation are sometimes shown as accepted traffic.

If an IP is missing from the ISDB, its reputation is treated as Level 3 (Unverified sites). The IP therefore passes a reputation-minimum 3 check and the traffic is allowed. If unverified IPs should not be allowed, to tighten security for connections from the outside to internal hosts, set reputation-minimum to 4 instead of 3.
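To make the behaviour above concrete, here is an added example (not Fortinet code) that models the source-reputation decision: an ISDB lookup is simulated with a constructed table, an IP absent from the table is given Level 3 exactly as the article describes, and an audit helper lists which accepted sources passed only because they were unverified. The sample networks, the `SAMPLE_ISDB` table and all function names are assumptions for illustration; on a real FortiGate the lookup is the `diagnose internet-service match` command.

```python
"""Model of the FortiGate source-reputation check (added example, not Fortinet code)."""
import ipaddress

UNVERIFIED_LEVEL = 3  # level assigned to an IP that is missing from the ISDB

# Constructed sample ISDB entries using documentation ranges; levels chosen
# to cover a low-reputation, a level-4 and a level-5 network.
SAMPLE_ISDB = {
    ipaddress.ip_network("192.0.2.0/24"): 1,
    ipaddress.ip_network("198.51.100.0/25"): 4,
    ipaddress.ip_network("203.0.113.8/29"): 5,
}


def lookup_reputation(ip, isdb=SAMPLE_ISDB):
    """Return (level, found). Longest-prefix match; a miss yields Level 3."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, level) for net, level in isdb.items() if addr in net]
    if not matches:
        return UNVERIFIED_LEVEL, False
    return max(matches)[1], True


def policy_allows(ip, reputation_minimum, isdb=SAMPLE_ISDB):
    """Source-reputation check: traffic passes when level >= reputation-minimum."""
    level, _found = lookup_reputation(ip, isdb)
    return level >= reputation_minimum


def audit_unverified_sources(accepted_src_ips, reputation_minimum, isdb=SAMPLE_ISDB):
    """From source IPs seen in accepted-traffic logs, return those that were
    allowed only because the ISDB had no entry for them (the article's case)."""
    return [
        ip for ip in accepted_src_ips
        if not lookup_reputation(ip, isdb)[1] and policy_allows(ip, reputation_minimum, isdb)
    ]


if __name__ == "__main__":
    # Constructed list of source IPs taken from "accepted" log entries.
    accepted = ["192.0.2.10", "198.51.100.5", "203.0.113.9", "100.64.7.7"]
    print("reputation-minimum 3 allows:", [ip for ip in accepted if policy_allows(ip, 3)])
    print("reputation-minimum 4 allows:", [ip for ip in accepted if policy_allows(ip, 4)])
    print("passed only as unverified:  ", audit_unverified_sources(accepted, 3))
```

With reputation-minimum 3 the unknown address 100.64.7.7 is allowed; raising the minimum to 4 excludes it while the level-4 and level-5 sources still pass.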

To check if the IPs match an ISDB, use the following command:

diagnose internet-service match root <ip> <netmask>



In this case the policy is working as designed; this is not a configuration error or a bug.


Related documents
IP reputation filtering

Troubleshooting Tip: Missing IPs in ISDB database

Technical Tip: Obtaining an IP list from an ISDB using FortiGate CLI

Technical Tip: Internet Services number entries increase starting with ISDB version 6 and FortiOS 6.2