FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pdelapena
Staff
Article Id 336095
Description This article describes the new feature of using IP Reputation Database Objects as Source Address in Local-in policy.
Scope FortiOS v7.4.4+ and v7.6+.
Solution

The IP Reputation Database is an aggregated list of malicious IPs collated from various global sources by FortiGuard.

These IP Reputation Database objects are part of the Internet Service Database and can be viewed under Policy & Objects -> Internet Service Database. Since FortiOS v7.4.4, FortiOS allows Internet Service objects to be used as source addresses in local-in policies. This provides more flexibility and control in managing local traffic, improving network security and efficiency.

Eight of the nine IP Reputation Database objects can be used as source addresses in a local-in policy, namely:

  • Botnet-C&C.Server
  • Malicious-Malicious.Server
  • Phishing-Phishing.Server
  • Proxy-Proxy.Server
  • Spam-Spamming.Server
  • Tor-Exit.Node
  • Tor-Relay.Node
  • VPN-Anonymous.VPN

Note: 'Blockchain-Crypto.Mining.Pool', despite being part of the IP Reputation Database, can only be used as a destination address in policies.

In FortiOS v7.4.4+, the local-in policy can be configured via the CLI ('internet-service-src' needs to be enabled):

config firewall local-in-policy
    edit <id>
        set intf "port1"
        set dstaddr "all"
        set internet-service-src enable
        set internet-service-src-name "Botnet-C&C.Server" "Malicious-Malicious.Server" "Phishing-Phishing.Server" "Proxy-Proxy.Server" "Spam-Spamming.Server" "Tor-Exit.Node" "Tor-Relay.Node" "VPN-Anonymous.VPN"
        set service "ALL"
        set schedule "always"
        set comments "Local-in-policy for IP-Reputation-DB"
    next
end

In FortiOS v7.6+, local-in policies can also be configured via the GUI:

[Screenshot: local-in-policy-IRDB.JPG]

Note: A local-in policy cannot mix Address objects with Internet Service objects as the source. Create separate policies for each.
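As an added example (not code from the article or from Fortinet), the helper below renders the local-in policy block shown above and enforces the two constraints the article states: the destination-only 'Blockchain-Crypto.Mining.Pool' object is rejected as a source, and Address objects are not mixed with Internet Service objects in one policy. The function names and the 'set action' line are assumptions of this example, not taken from the article.

```python
"""Render a FortiOS local-in policy from IP Reputation Database (IRDB) objects."""

# The eight IRDB objects the article lists as valid local-in sources (FortiOS 7.4.4+).
IRDB_SOURCE_OBJECTS = frozenset({
    "Botnet-C&C.Server", "Malicious-Malicious.Server", "Phishing-Phishing.Server",
    "Proxy-Proxy.Server", "Spam-Spamming.Server", "Tor-Exit.Node",
    "Tor-Relay.Node", "VPN-Anonymous.VPN",
})
# Part of the IRDB, but usable only as a destination address per the article.
IRDB_DESTINATION_ONLY = frozenset({"Blockchain-Crypto.Mining.Pool"})


def validate_sources(internet_services, address_objects=()):
    """Return a list of problems with the chosen sources; an empty list means allowed."""
    problems = []
    if internet_services and address_objects:
        problems.append("Address objects and Internet Service objects cannot be mixed; "
                        "create separate policies")
    for name in internet_services:
        if name in IRDB_DESTINATION_ONLY:
            problems.append(f"{name} can only be used as a destination address")
        elif name not in IRDB_SOURCE_OBJECTS:
            problems.append(f"{name} is not an IRDB object usable as a local-in source")
    return problems


def build_local_in_policy(policy_id, intf, internet_services, action="deny",
                          comment="Local-in-policy for IP-Reputation-DB"):
    """Render the CLI block; raise ValueError if the source selection is not allowed."""
    problems = validate_sources(internet_services)
    if problems:
        raise ValueError("; ".join(problems))
    names = " ".join(f'"{n}"' for n in sorted(internet_services))
    lines = [
        "config firewall local-in-policy",
        f"    edit {policy_id}",
        f'        set intf "{intf}"',
        '        set dstaddr "all"',
        "        set internet-service-src enable",
        f"        set internet-service-src-name {names}",
        '        set service "ALL"',
        '        set schedule "always"',
        # 'set action' is not in the article's block (assumption: deny is what you want here).
        f"        set action {action}",
        f'        set comments "{comment}"',
        "    next",
        "end",
    ]
    return "\n".join(lines)
```

Running `print(build_local_in_policy(1, "port1", IRDB_SOURCE_OBJECTS))` emits a block equivalent to the one in the article, while passing 'Blockchain-Crypto.Mining.Pool' raises ValueError.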