Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ComprAF2024
New Contributor II

Created on ‎09-03-2024 07:05 AM

Detect HTTP return code 401 and block IP

Hello,

 

we are using Fortiweb VM version 7.0.8 and i'm not specialist in the system. Our Exchange server is behind the fortiweb. We have a lot of attempt to connect to the exchange using EWS. 

 

I can see in the Traffic (Log & Report) for attempts and the return code is 401 (forbidden). 
My question : Is it possible to create a rule/policy to automatically block IP for all attempt getting the Return code 401?

 

Thank you

Labels:
609
0 Kudos
1 Solution
ComprAF2024
New Contributor II

Created on ‎09-08-2024 11:49 PM

Hello,

 

In fact our Fortiweb was configured by an external provider.

I finally found my way:

  • Created Custom Policy
  • Create Web protection (Policy - Web Protection Profil) profil and assign Custom Policy
  • Apply Web Porection profil to the Server Policy

 

All working as expected !

View solution in original post

364
6 REPLIES 6
AEK
SuperUser
SuperUser

Created on ‎09-03-2024 07:33 AM

Hi

I'm used to integrate and administer FortiWeb but I personally don't know such feature.

And logically talking, since 401 is not actually an attack then I don't think you can do such action in FortiWeb.

AEK
AEK
600
ComprAF2024
New Contributor II

Created on ‎09-04-2024 01:09 AM

Hello,

in fact to develop our problem, we can see theses errors in the traffic logs: It's all connection attempt to our Exchange using EWS. We can see the return code 401

image.png

 

I found a way to normally block this by creating a new custom policy:

image.png

 

But this rule seems not block anythings.

 

Can you help me?

 

Thank you

542
0 Kudos
Sx11
Staff
Staff
In response to ComprAF2024

Created on ‎09-04-2024 01:20 AM

Hello, 

 

you can try to blacklist the source IP and Fortiweb should present a general error page.

 

https://docs.fortinet.com/document/fortiweb/7.6.0/administration-guide/811256/ip-list-blocklisting-w...

 

  • Blocklisted IPs—Blocked and prevented from accessing your protected web servers. Requests from Blocklisted IP addresses receive a warning message as the HTTP response. The warning message page includes ID: 70007, which is the ID of all attack log messages about requests from Blocklisted IPs.

There is also the option to customize http responses to show less about the error:

https://docs.fortinet.com/document/fortiweb/6.1.1/administration-guide/481808/customizing-error-and-...

sx11
535
ComprAF2024
New Contributor II
In response to Sx11

Created on ‎09-04-2024 01:26 AM

Hi ,

 

thank you. In fact theses attacks are from a lot of differents ip. I suppose doing by bots. 

It will be not usefull to blacklist ip by hand.

It's why automatically block when Fortiweb detect a forbidden message could be very good for the security. 

 

Have you an idea to how troubleshoot this?

Thank you very much

531
0 Kudos
AEK
SuperUser
SuperUser
In response to Sx11

Created on ‎09-04-2024 07:22 AM

I'd not do it that way because in case one legitimate user accesses unintentionally a forbidden resource (which is not an attack), he will be blocklisted while he shouldn't.

Since you want to block bad bots I think the right way in your case is to allow/block requests based on IP reputation.

AEK
AEK
485
ComprAF2024
New Contributor II

Created on ‎09-08-2024 11:49 PM

Hello,

 

In fact our Fortiweb was configured by an external provider.

I finally found my way:

  • Created Custom Policy
  • Create Web protection (Policy - Web Protection Profil) profil and assign Custom Policy
  • Apply Web Porection profil to the Server Policy

 

All working as expected !

365
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.