Created on 11-12-2019 05:35 AM Edited on 09-28-2023 09:23 PM By Anthony_E
Description
This article expands upon the FortiGate administration guide here: https://docs.fortinet.com/document/fortigate/6.4.2/administration-guide/68937/ip-reputation-filterin...
It illustrates in greater detail how to configure IP reputation in policies, what settings are required, and how the policies behave with fall through.
Scope
FortiGate.
Solution
FortiGate policies can apply a security feature called IP reputation, which assigns IP addresses one of five reputation levels (1 to 5, a higher level being more reputable).
The FortiGate gets the reputation information from the ISDB, the Internet Service Database.
A minimum reputation can be enforced for either the source or the destination of a policy, for example to ensure that users can only visit reputable websites, or to ensure that known malicious hosts cannot reach a server published through a VIP.
This feature can only be configured via CLI in 6.4:
config firewall policy
edit 1
set srcintf <>
set dstintf <>
set srcaddr <>
set dstaddr <>
set reputation-minimum <1-5>
set reputation-direction <destination | source>
set action accept
set schedule "always"
set service <>
set nat enable
next
end
In earlier FortiOS versions (6.2, for example) no source or destination address could be set on reputation policies.
In 6.4 this is no longer the case: source and destination addresses are required, and a reputation policy without them will NOT apply and will NOT appear in the policy list!
Setting reputation-minimum to a given level means the policy only matches traffic whose source or destination (whichever reputation-direction selects) has that reputation level or higher. Traffic that does NOT meet the minimum reputation does NOT match this policy.
It instead falls through to the policies below it, exactly as if the policy did not exist.
NOTE.
If a policy with the same source and destination sits below the reputation policy, traffic that does not meet the reputation requirement will match that policy instead!
Reputation policies must therefore NOT be followed by a similar policy with the same source and destination but without the reputation requirement. That makes the reputation setting ineffective, because any traffic below the threshold simply falls through to the policy without it. Traffic below the threshold should instead fall through to an explicit deny policy, or to the implicit deny at the end of the policy list.
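The fall-through behaviour above, and the check for a shadowing policy beneath a reputation policy, as an added example that is not part of the original article or of any Fortinet tool. The script parses `config firewall policy` CLI text (the same shape as the output of `show firewall policy`), evaluates a flow top-down with first-match semantics, and audits the list for a later accept policy with no reputation requirement that covers the same traffic. The sample configuration, interface names, addresses and policy IDs are constructed; the reputation levels are supplied with the flow rather than looked up in the ISDB; and `all`, `ALL` and `any` are assumed to be the only wildcard objects in use. Schedule, NAT and other attributes are parsed but ignored.

```python
import re

WILDCARDS = {"all", "ALL", "any"}   # assumed "match anything" objects
MATCH_KEYS = ("srcintf", "dstintf", "srcaddr", "dstaddr", "service")


def parse_policies(text):
    """Parse 'config firewall policy' CLI text into a top-to-bottom list of dicts."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"edit (\d+)$", line)
        if m:
            cur = {"id": int(m.group(1)), "action": "deny",
                   "reputation-minimum": 0, "reputation-direction": "destination"}
            cur.update({k: set() for k in MATCH_KEYS})
            continue
        if line == "next" and cur is not None:
            policies.append(cur)
            cur = None
            continue
        m = re.match(r"set (\S+) (.+)$", line)
        if m and cur is not None:
            key, val = m.groups()
            if key in MATCH_KEYS:   # quoted, space-separated object names
                cur[key] = {v.strip('"') for v in re.findall(r'"[^"]*"|\S+', val)}
            elif key == "reputation-minimum":
                cur[key] = int(val)
            elif key in ("action", "reputation-direction"):
                cur[key] = val
    return policies


def matches(policy, flow):
    """True if the policy matches the flow. flow carries the five MATCH_KEYS plus
    src_rep/dst_rep, the reputation level (1-5) of each endpoint."""
    if not policy["srcaddr"] or not policy["dstaddr"]:
        return False                      # 6.4: no addresses, the policy never applies
    if not all(flow[k] in policy[k] or policy[k] & WILDCARDS for k in MATCH_KEYS):
        return False
    minimum = policy["reputation-minimum"]
    if minimum:
        side = "src_rep" if policy["reputation-direction"] == "source" else "dst_rep"
        if flow[side] < minimum:
            return False                  # below the minimum: no match, fall through
    return True


def first_match(policies, flow):
    """Top-down, first-match evaluation; None stands for the implicit deny."""
    return next((p for p in policies if matches(p, flow)), None)


def audit(policies):
    """Return (reputation_policy_id, shadowing_policy_id) pairs: a later accept
    policy with no reputation requirement that covers the same traffic."""
    findings = []
    for i, rep_pol in enumerate(policies):
        if not rep_pol["reputation-minimum"]:
            continue
        for later in policies[i + 1:]:
            if (later["action"] == "accept" and not later["reputation-minimum"]
                    and all(rep_pol[k] & later[k] or (rep_pol[k] | later[k]) & WILDCARDS
                            for k in MATCH_KEYS)):
                findings.append((rep_pol["id"], later["id"]))
    return findings


# Constructed sample (interfaces and IDs are made up): policy 1 requires a
# destination reputation of at least 3; policy 2 is the catch-all beneath it.
TEMPLATE = """config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set reputation-minimum 3
        set reputation-direction destination
        set action accept
        set service "ALL"
    next
    edit 2
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action {action}
        set service "ALL"
    next
end
"""
BAD_CONFIG = TEMPLATE.format(action="accept")   # policy 2 admits low-reputation hosts
GOOD_CONFIG = TEMPLATE.format(action="deny")    # policy 2 catches and blocks them

# Constructed flow: a client on port2 reaching a destination rated 1 (lowest).
LOW_REP_FLOW = {"srcintf": "port2", "dstintf": "port1", "srcaddr": "10.0.0.5",
                "dstaddr": "203.0.113.9", "service": "HTTPS", "src_rep": 5, "dst_rep": 1}

if __name__ == "__main__":
    for name, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        pols = parse_policies(cfg)
        hit = first_match(pols, LOW_REP_FLOW)
        print(name, "-> policy", hit["id"], hit["action"], "| audit:", audit(pols))
```

With the bad configuration the low-reputation flow falls through policy 1 and is accepted by policy 2, and `audit` reports the pair (1, 2); with the deny catch-all it is blocked and the audit is clean. A flow whose destination reputation reaches 3 matches policy 1 in both cases.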
Copyright 2024 Fortinet, Inc. All Rights Reserved.