I'm looking for some better understanding of how the FortiGuard IP reputation service works. What features do I need to enable on my FortiGate to take advantage of IP reputation?
http://www.fortiguard.com/static/iris.html
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Did you manage to find anything more on this?
We've just moved from ISA server to a Fortigate 60D and I've been asked to look into this with a view to blocking all traffic from known malicious IPs; as yet I can find no detail on how the Fortigate uses the IP reputation database (but plenty on FortiWeb and FortiADC).
I'm glad to hear I'm not the only one interested in using a feature like this.
Based on my own research and conversations with Fortinet, the Fortigate will only use IP Reputation for the "Block Botnet Connections" feature of the AV profile. I have not been able to confirm if this database is automatically updated at the same time as the rest of the FortiGuard updates.
I feel like the FortiGate falls short when it comes to using the IP Reputation feature of FortiGuard.
FortiAdam wrote:I'm glad to hear I'm not the only one interested in using a feature like this.
Based on my own research and conversations with Fortinet, the Fortigate will only use IP Reputation for the "Block Botnet Connections" feature of the AV profile. I have not been able to confirm if this database is automatically updated at the same time as the rest of the FortiGuard updates.
I feel like the FortiGate falls short when it comes to using the IP Reputation feature of FortiGuard.
Thanks for posting a follow up - it looks like you've reached the same conclusion that I did. My understanding is that there are more IP reputation features available on the FortiWeb and FortiADC appliances; perhaps this will come to the Fortigate in a future update.
I'm currently looking at strengthening our current security by quarantining IPs based on obvious malicious behaviour (detected vulnerability scans, SMTP authentication failures etc.). I took a sample from the logs of IPs generating nothing but malicious traffic against our live firewall and at least 80% were listed in the Fortinet IP database as known to be malicious (using the online lookup tool).
My strategy for now will be to configure an IPS sensor for all traffic to quarantine malicious IPs and run all traffic through it on a standalone IPv4 policy screening all inbound traffic; I suspect that it would be much easier to achieve this if there was a straightforward method of leveraging a local copy of the reputation database.
Where are you getting your online lookups? That link you gave just goes to the info page about FortiGuard IPRS. I found this lookup page via Google but I still fail to see the value if the FortiGate has no method of utilizing it.
FortiAdam wrote:Where are you getting your online lookups? That link you gave just goes to the info page about FortiGuard IPRS. I found this lookup page via Google but I still fail to see the value if the FortiGate has no method of utilizing it.
Oops - my bad. The page you found is the one that I meant to reference - think I fat-fingered the cut and paste (I've now corrected it).
It's value is indeed limited - I was just using it with my sample from live traffic to establish that being able to query a local database as part of processing inbound traffic would be extremely useful in the Fortigate.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1673 | |
1083 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.