Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
FortiAdam
Contributor II

FortiGuard IP Reputation Service

I'm looking for some better understanding of how the FortiGuard IP reputation service works.  What features do I need to enable on my FortiGate to take advantage of IP reputation?

 

http://www.fortiguard.com/static/iris.html

 

 

5 REPLIES 5
x_member
Contributor

Did you manage to find anything more on this?

We've just moved from ISA server to a Fortigate 60D and I've been asked to look into this with a view to blocking all traffic from known malicious IPs; as yet I can find no detail on how the Fortigate uses the IP reputation database (but plenty on FortiWeb and FortiADC).

FortiAdam
Contributor II

I'm glad to hear I'm not the only one interested in using a feature like this.

 

Based on my own research and conversations with Fortinet, the Fortigate will only use IP Reputation for the "Block Botnet Connections" feature of the AV profile.  I have not been able to confirm if this database is automatically updated at the same time as the rest of the FortiGuard updates.

 

I feel like the FortiGate falls short when it comes to using the IP Reputation feature of FortiGuard.  

x_member

FortiAdam wrote:

I'm glad to hear I'm not the only one interested in using a feature like this.

 

Based on my own research and conversations with Fortinet, the Fortigate will only use IP Reputation for the "Block Botnet Connections" feature of the AV profile.  I have not been able to confirm if this database is automatically updated at the same time as the rest of the FortiGuard updates.

 

I feel like the FortiGate falls short when it comes to using the IP Reputation feature of FortiGuard.  

Thanks for posting a follow up - it looks like you've reached the same conclusion that I did. My understanding is that there are more IP reputation features available on the FortiWeb and FortiADC appliances; perhaps this will come to the Fortigate in a future update.

 

I'm currently looking at strengthening our current security by quarantining IPs based on obvious malicious behaviour (detected vulnerability scans, SMTP authentication failures etc.). I took a sample from the logs of IPs generating nothing but malicious traffic against our live firewall and at least 80% were listed in the Fortinet IP database as known to be malicious (using the online lookup tool).

 

My strategy for now will be to configure an IPS sensor for all traffic to quarantine malicious IPs and run all traffic through it on a standalone IPv4 policy screening all inbound traffic; I suspect that it would be much easier to achieve this if there was a straightforward method of leveraging a local copy of the reputation database. 

 

FortiAdam
Contributor II

Where are you getting your online lookups?  That link you gave just goes to the info page about FortiGuard IPRS.  I found this lookup page via Google but I still fail to see the value if the FortiGate has no method of utilizing it.

x_member

FortiAdam wrote:

Where are you getting your online lookups?  That link you gave just goes to the info page about FortiGuard IPRS.  I found this lookup page via Google but I still fail to see the value if the FortiGate has no method of utilizing it.

 

Oops - my bad. The page you found is the one that I meant to reference - think I fat-fingered the cut and paste (I've now corrected it).

It's value is indeed limited - I was just using it with my sample from live traffic to establish that being able to query a local database as part of processing inbound traffic would be extremely useful in the Fortigate.