Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ComprAF2024
New Contributor II

Detect HTTP return code 401 and block IP

Hello,

 

We are using FortiWeb VM version 7.0.8 and I'm not a specialist in the system. Our Exchange server is behind the FortiWeb. We have a lot of attempts to connect to the Exchange server using EWS.

I can see the attempts in the Traffic log (Log & Report), and the return code is 401 (forbidden).
My question: is it possible to create a rule/policy to automatically block the IP for all attempts getting the return code 401?

 

Thank you

AEK
SuperUser

Hi

I'm used to integrating and administering FortiWeb, but I personally don't know of such a feature.

And logically speaking, since a 401 is not actually an attack, I don't think you can do such an action in FortiWeb.

AEK
ComprAF2024
New Contributor II

Hello,

In fact, to elaborate on our problem, we can see these errors in the traffic logs: they are all connection attempts to our Exchange using EWS. We can see the return code 401.

I found a way that should normally block this, by creating a new custom policy.

But this rule doesn't seem to block anything.

 

Can you help me?

 

Thank you

Hatibi

Hello,

You can try to blacklist the source IP, and FortiWeb should present a general error page.

 

https://docs.fortinet.com/document/fortiweb/7.6.0/administration-guide/811256/ip-list-blocklisting-w...

 

  • Blocklisted IPs—Blocked and prevented from accessing your protected web servers. Requests from Blocklisted IP addresses receive a warning message as the HTTP response. The warning message page includes ID: 70007, which is the ID of all attack log messages about requests from Blocklisted IPs.

There is also the option to customize HTTP responses to show less about the error:

https://docs.fortinet.com/document/fortiweb/6.1.1/administration-guide/481808/customizing-error-and-...

ComprAF2024
New Contributor II

Hi,

Thank you. In fact these attacks come from a lot of different IPs. I suppose they are done by bots.

It will not be useful to blacklist IPs by hand.

That's why automatically blocking when FortiWeb detects a forbidden message could be very good for security.

Do you have an idea of how to troubleshoot this?

Thank you very much

AEK

I'd not do it that way, because in case a legitimate user unintentionally accesses a forbidden resource (which is not an attack), he will be blocklisted while he shouldn't be.

Since you want to block bad bots, I think the right way in your case is to allow/block requests based on IP reputation.

AEK
ComprAF2024
New Contributor II

Hello,

 

In fact, our FortiWeb was configured by an external provider.

I finally found my way:

  • Created a Custom Policy
  • Created a Web Protection profile (Policy - Web Protection Profile) and assigned the Custom Policy to it
  • Applied the Web Protection profile to the Server Policy

All working as expected!
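To make the thread's two positions concrete (the wish to block the many-IP EWS attempts automatically, and AEK's caveat that a single 401 from a legitimate user is not an attack), here is an added Python example that is not from the thread or from Fortinet: it parses constructed, simplified traffic-log lines (a made-up format, not FortiWeb's real log schema) and reports only source IPs that produce at least a threshold of 401 responses against the EWS path inside a sliding time window, which is the kind of rate-based condition a custom policy or external automation should act on rather than every single 401.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified log format constructed for this example (not FortiWeb's real schema):
# "<date> <time> src=<ip> url="<path>" status=<code>"
LOG_RE = re.compile(r'^(?P<ts>\S+ \S+) src=(?P<src>\S+) url="(?P<url>[^"]*)" status=(?P<status>\d{3})$')

# Constructed sample lines: 203.0.113.10 hammers EWS; 198.51.100.7 gets one 401, then logs in fine.
SAMPLE_LOG = """\
2024-05-01 10:00:01 src=203.0.113.10 url="/EWS/Exchange.asmx" status=401
2024-05-01 10:00:02 src=203.0.113.10 url="/EWS/Exchange.asmx" status=401
2024-05-01 10:00:03 src=203.0.113.10 url="/EWS/Exchange.asmx" status=401
2024-05-01 10:00:04 src=203.0.113.10 url="/EWS/Exchange.asmx" status=401
2024-05-01 10:00:05 src=203.0.113.10 url="/EWS/Exchange.asmx" status=401
2024-05-01 10:00:06 src=198.51.100.7 url="/EWS/Exchange.asmx" status=401
2024-05-01 10:00:07 src=198.51.100.7 url="/EWS/Exchange.asmx" status=200
2024-05-01 10:20:00 src=203.0.113.10 url="/owa/" status=401
"""

def parse_line(line):
    """Return (timestamp, src_ip, url, status) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("src"), m.group("url"), int(m.group("status"))

def find_offenders(log_text, threshold=5, window=timedelta(minutes=10), path_prefix="/EWS/"):
    """Source IPs with at least `threshold` 401s on `path_prefix` inside any sliding `window`."""
    # Decide on a rate, not on a single response: one 401 is not an attack.
    events = defaultdict(list)  # src_ip -> timestamps of 401s on the watched path
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, url, status = rec
        if status == 401 and url.startswith(path_prefix):
            events[src].append(ts)
    offenders = {}
    for src, stamps in events.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # drop events older than the window
                start += 1
            if end - start + 1 >= threshold:
                offenders[src] = end - start + 1  # 401 count in the window that tripped it
                break
    return offenders
```

The legitimate user with one failed login and then a 200 is never reported, while the single bot IP is; on the sample data the result is {"203.0.113.10": 5}.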
