Created on 11-12-2019 05:35 AM
Edited on 02-13-2025 06:53 AM
By Jean-Philippe_P
Description
This article expands upon the FortiGate administration guide here: IP reputation filtering.
It illustrates in greater detail how to configure IP reputation in policies, what settings are required, and how the policies behave with fall through.
Scope
FortiGate.
Solution
FortiGate policies can apply a security feature called IP reputation, which groups IPs into five categories.
FortiGate gets the reputation information from the ISDB, the Internet Service Database.
A reputation minimum can be configured for either the source or the destination of a policy, for example, to ensure that users can only visit reputable websites, or to ensure that known malicious hosts cannot reach a server through a VIP.
This feature can only be configured via the CLI in v6.4:
    config firewall policy
        edit 1
            set srcintf <>
            set dstintf <>
            set srcaddr <>
            set dstaddr <>
            set reputation-minimum <1-5>
            set reputation-direction <destination | source>
            set action accept
            set schedule "always"
            set service <>
            set nat enable
        next
    end
In earlier FortiOS versions (v6.2 for example), no source/destination address could be set on reputation policies.
This is not the case in v6.4: if no source/destination address is set, the policy will not apply and will not appear in the policy list.
Setting a particular reputation-minimum means that only traffic at that reputation level or higher, in the configured direction (source or destination), will match the policy. Traffic that does NOT meet the minimum reputation requirement does NOT match this policy.
It will instead fall through to the policies below it.
Note:
If there are policies with the same source and destination below the reputation-policy, then traffic not meeting the reputation requirements can use that instead.
Reputation policies must not have similar policies with the same source and destination but without the reputation requirement. This will make the reputation setting ineffective, as any traffic below the threshold in the reputation-policy will simply use the policy without reputation.
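As an added example (not from this article or from Fortinet), the following Python audit parses a "show firewall policy" dump and flags a reputation policy that is followed by an accept policy with the same interfaces, addresses and service but no reputation-minimum, which is exactly the shadowing configuration the note above warns against. The sample configuration is constructed, and the script assumes the dump lists policies in sequence order.

```python
# Constructed sample in 'show firewall policy' form (not from the article);
# policy 2 repeats policy 1's match criteria without a reputation-minimum.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set reputation-minimum 3
        set reputation-direction destination
        set action accept
    next
    edit 2
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
end
"""
MATCH_KEYS = ("srcintf", "dstintf", "srcaddr", "dstaddr", "service")  # same-traffic fields


def parse_policies(text):
    """Parse 'edit N ... set ...' blocks into dicts of their 'set' values, in
    the order listed (assumed here to be the policy sequence order)."""
    policies = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("edit "):
            policies.append({"id": line.split()[1]})
        elif policies and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            policies[-1][key] = value.replace('"', "")
    return policies


def find_shadowing_policies(text):
    """Return (reputation_policy_id, fallback_policy_id) pairs: a later accept policy
    with the same match criteria but no reputation-minimum defeats the check."""
    policies = parse_policies(text)
    findings = []
    for i, rep in enumerate(policies):
        if "reputation-minimum" not in rep:
            continue
        for later in policies[i + 1:]:
            if "reputation-minimum" in later or later.get("action") != "accept":
                continue
            if all(later.get(k) == rep.get(k) for k in MATCH_KEYS):
                findings.append((rep["id"], later["id"]))
    return findings
```

A deny policy below the reputation policy is not reported, since traffic falling through to it is blocked as intended.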
Copyright 2025 Fortinet, Inc. All Rights Reserved.