Created on 05-02-2020 07:27 AM
Edited on 12-11-2024 04:58 AM
By Jean-Philippe_P
Description
This article describes the 'IP Reputation Filtering' levels and steps to enable the feature.
This feature adds support for reputation filtering in the firewall policies.
Scope
FortiOS 6.4 (available in 7.0 and newer versions only via CLI, and only for backward compatibility).
Solution
There are five reputation levels in the internet-service database (ISDB), and custom reputation levels can be defined in a custom internet-service. This feature allows firewall policies to filter traffic according to the configured reputation level.
If the reputation level of either the source or destination IP address is equal to or greater than the level set in the policy, the packet is forwarded; otherwise, the packet is dropped.
The five default reputation levels are:
The default minimum reputation level in a policy is zero, meaning that the reputation filter is disabled.
To set the reputation level and direction of a policy:
config firewall policy
    edit 1
        set uuid dfcaec9c-e925-51e8-cf3e-fed9a1d42a1c
        set srcintf "port1"
        set dstintf "wan1"
        set dstaddr "all"
        set reputation-minimum 3
        set reputation-direction source
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set auto-asic-offload disable
        set nat enable
    next
end
Packets from the source IP address with reputation levels three, four, or five will be forwarded by this policy.
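For reviewing an exported configuration offline, the rule above can be checked with a short script. This is an added example, not Fortinet code: the function names and the sample configuration are constructed here, and the script assumes a reputation direction is set explicitly whenever a minimum is configured.

```python
import re

# Constructed sample: policy 1 mirrors the article's settings; policy 2 sets no
# reputation options, so it keeps the default minimum of 0 (filter disabled).
SAMPLE_CONFIG = """
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "wan1"
        set dstaddr "all"
        set reputation-minimum 3
        set reputation-direction source
        set action accept
    next
    edit 2
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
end
"""

def parse_policies(text):
    """Return {policy_id: {option: value}} for each 'edit N' block."""
    policies, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"edit (\d+)", line):
            current = policies.setdefault(int(m.group(1)), {})
        elif line == "next":
            current = None
        elif current is not None and (m := re.fullmatch(r"set (\S+) (.+)", line)):
            current[m.group(1)] = m.group(2).strip('"')
    return policies

def passes_reputation_filter(policy, src_level, dst_level):
    """Apply the article's rule: the checked address must meet the minimum."""
    minimum = int(policy.get("reputation-minimum", 0))
    if minimum == 0:
        return True  # default of zero: reputation filter disabled
    # Assumption: direction is always set explicitly when a minimum is set.
    level = src_level if policy["reputation-direction"] == "source" else dst_level
    return level >= minimum

def unfiltered_policies(policies):
    """Policy ids with no reputation filtering (minimum unset or zero)."""
    return [pid for pid, p in policies.items() if int(p.get("reputation-minimum", 0)) == 0]
```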