FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Mohammed_Feroz
Article Id 249760
Description

This article explains how to block the following threat categories of the Internet Service Database (ISDB) in a firewall policy:

  • Blockchain-Crypto.Mining.Pool (can be used only as Destination address).
  • Botnet-C&C.Server.
  • Malicious-Malicious.Server.
  • Phishing-Phishing.Server.
  • Proxy-Proxy.Server.
  • Spam-Spamming.Server.
  • Tor-Exit.Node (can be used only as source address).
  • Tor-Relay.Node.
  • VPN-Anonymous.VPN.

Note:

The ISDB objects mentioned are currently available only for IPv4. In other words, IPv6 objects are not available for the specified list at this time. If there is a requirement for IPv6 support, contact the local Fortinet Sales representative to submit a New Feature Request (NFR).

Scope

FortiGate.
Solution

The Internet Service Database has two parts:

  1. Predefined Internet Services (well-known, reputable services).
  2. IP Reputation Database (potential threat sources).

Threat sites can be blocked either by setting a minimum reputation value on the firewall policy (CLI only) or by using the IP Reputation Database objects of the Internet Service Database as addresses in the policy.

Using the Internet Service Database objects has the advantage that more specific threat categories can be selected on the firewall policy.

In the example below, an outbound deny policy has been configured to block potential threat destinations:

[Image: policy.jpg (the outbound block policy described above)]

Block logs:

[Image: log.jpg (forward traffic logs showing the denied sessions)]

Refer to the below article to set the minimum reputation value on the firewall policy:

Technical Tip: IP reputation in policies and fallthrough


Note:

The above applies only to outbound policies. For an inbound policy, use the ISDB object as the source address, set the destination address to 'all', set the action to DENY, place the policy at the top of the policy list, and also enable match-vip on the policy with the command below so that traffic destined to a VIP is matched as well.

On the policy, right-click and select 'Edit in CLI'. The CLI console opens inside that policy's configuration context, so enter:

    set match-vip enable
    end

Refer to the below article for enabling match-vip on the policy:
Troubleshooting Tip: VIP traffic not matching the firewall policy with an 'all' destination
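The following CLI example is added here for reference and is not part of the original article or Fortinet's documentation. It builds the policies the article describes end to end: the outbound deny policy with ISDB threat objects as destination, the inbound deny policy with ISDB objects as source plus match-vip, and the alternative reputation-based approach on an accept policy with fallthrough. The interface names internal and wan1, the policy names, the reputation threshold of 3 and the <id> placeholders are assumptions; the ISDB object names are the ones listed at the top of the article, and reputation-minimum is assumed to be available in the FortiOS version in use.

```fortios
# Added example, not from the article. Interface names "internal" and
# "wan1", policy names and the reputation threshold are assumptions;
# adjust them to the unit. Entered in the FortiGate CLI console.

config firewall policy
    # 1. Outbound: deny LAN -> Internet sessions whose destination is a
    #    known threat source. The ISDB objects replace "dstaddr" and the
    #    service is implied by the object, so "set service" is not used.
    #    Tor-Exit.Node is a source-only object and is used in policy 2.
    edit 0
        set name "Block-ISDB-Threats-Outbound"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set internet-service enable
        set internet-service-name "Blockchain-Crypto.Mining.Pool" "Botnet-C&C.Server" "Malicious-Malicious.Server" "Phishing-Phishing.Server" "Proxy-Proxy.Server" "Spam-Spamming.Server" "Tor-Relay.Node" "VPN-Anonymous.VPN"
        set schedule "always"
        set action deny
        set logtraffic all
    next

    # 2. Inbound: deny Internet -> LAN sessions whose *source* is a threat
    #    object (e.g. Tor exit nodes) with destination "all". match-vip
    #    makes the deny policy also match traffic destined to VIPs; the
    #    policy must sit above the allow rules for those VIPs.
    edit 0
        set name "Block-ISDB-Threats-Inbound"
        set srcintf "wan1"
        set dstintf "internal"
        set internet-service-src enable
        set internet-service-src-name "Tor-Exit.Node" "Botnet-C&C.Server" "Malicious-Malicious.Server" "Proxy-Proxy.Server" "VPN-Anonymous.VPN"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action deny
        set match-vip enable
        set logtraffic all
    next

    # 3. Alternative outbound approach: a minimum reputation on the accept
    #    policy. FortiOS rates destinations on a 1 (malicious) to 5
    #    (trustworthy) scale; this policy only matches destinations rated
    #    at least 3 (assumed threshold), so lower-rated destinations fall
    #    through to the following deny / implicit deny and are logged there.
    edit 0
        set name "Allow-Reputable-Outbound"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set reputation-minimum 3
        set reputation-direction destination
        set action accept
        set logtraffic all
    next
end

# Move the two deny policies above the existing permit and VIP policies
# so they are evaluated first. <deny-id> is the ID FortiOS assigned to
# each deny policy above and <first-allow-id> the first permit policy
# (both visible with "show firewall policy"); placeholders, not real IDs.
config firewall policy
    move <deny-id> before <first-allow-id>
end
```

Policy 3 is deliberately an accept rule rather than a deny: the reputation-minimum filter decides which destinations the accept rule is allowed to match, and everything rated below the threshold falls through to whatever deny policy follows, which is the behaviour the "IP reputation in policies and fallthrough" article referenced above describes.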