Technical Tip: How to configure IP exemption from authentication reputation
Description
This article describes the URL/IP exempt list for authentication reputation.
Scope
FortiMail.
Solution
FortiMail has an authentication mechanism that blocks an IP address when failed login attempts from that address reach the threshold.
FortiMail access can be controlled for the following access types:
- CLI: access via SSH.
- Mail: mail access via SMTP(S), IMAP(S), POP3(S).
- Web: admin and webmail access via HTTP(S).
The blocking duration is based on the login history of the IP address. The maximum time an IP address can be blocked is 45 days.
Example:
- If the initial block period is set to 10 minutes, depending on the user’s number of violations, the actual maximum block time can be up to 2 hours.
- If it is set to 30 minutes, the actual block time can be up to 12 hours.
- If it is more than 70 minutes, the actual block time can be up to 45 days.
To avoid false positives, a longer initial block time setting is not recommended. The recommended setting is less than 30 minutes (default = 10 minutes).
If a user logs in continuously within a period, the user’s IP address is automatically added to an auto/dynamic exempt list.
To monitor the blocked IP address information, go to Monitor -> Reputation -> Authentication Reputation.

To configure authentication reputation settings:
- Go to Security -> Authentication Reputation -> Settings.
- Configure the settings below.
  - Status: Select Enable, Disable, or Monitor only. Monitor only means that failed login attempts will be counted and scored, but will not be blocked.
  - Access tracking: Enable or disable the types of login access to track: CLI, Mail, or Web.
  - Initial block period: Specify how long the IP address will be blocked after its failed login attempts reach the threshold for the first time. The actual block time is increased for repeated IP addresses.

To manually exempt IP addresses from authentication reputation tracking:
- Go to Security -> Authentication Reputation -> Exempt.
- Select 'New'.
- Enter the IP address and netmask.
- Select 'Create'.


To manage the auto-exempt list:
- Go to Security -> Authentication Reputation -> Auto Exempt.
- The exempted IP addresses are displayed.
- To remove an IP address from the list, select the IP address and select 'Delete'.
If the FortiMail instance is a FortiMail Cloud instance, only FortiMail Cloud administrators will be able to lift blocks or bans on IP addresses. Contact Fortinet TAC to lift the ban or block.
Note:
For SMTP(S) in particular, when a rule with the authentication status set to ANY exists under Policy -> Access Control, all IP addresses bypass the checks and blocking does not work. Change the authentication status to AUTHENTICATED, and then proceed with configuring exempt IP addresses.
Related document:
Email concepts and process workflow
