It can be very helpful to create a policy that blocks traffic based on an ISDB reputation value of 1 or 2. Here is a way to do that.
Example policy
- open the cli and add a new policy
- replace srcintf (Internal interface or Zone) and dstintf (External interface or Zone) with your interfaces
    config firewall policy
        edit 0
            set name "REP_1_deny_INT2EXT"
            set srcintf "INTERNAL"
            set dstintf "EXTERNAL"
            set srcaddr "all"
            set dstaddr "all"
            set reputation-minimum 1
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set comments "Deny traffic with a ISDB Reputation of 1 from Internal Zone to External zone reputation direction is destination (default setting)"
        next
    end
Move the policy to the top of your policy list, so that FortiGate first checks whether the destination is a malicious IP according to the ISDB IP reputation rating.
Explanation
With the policy above, all ISDB entries with a reputation of 1 are blocked; if you set reputation-minimum to 2, all IPs with a reputation of 2 or 1 are blocked.
Here’s an example of a policy with the ID 24 using the settings above.
Here's one way to show the reputation ID for a specific IP address:
- click Edit for the ISDB entry Malicious-Malicious.Server
- select View/Edit Entries
- add the Reputation column and hover over an entry to show its reputation ID
List of available IP reputation values
1 – Known malicious sites, such as phishing sites or sites related to botnet servers
2 – High risk services sites, such as TOR, proxy, and P2P
3 – Unverified sites
4 – Reputable social media sites, such as Facebook and Twitter
5 – Known and verified safe sites, such as Gmail, Amazon, and eBay
I would recommend creating a top block policy with an IP reputation rating of 2, but it depends.
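Because the reputation policy only helps when it is evaluated before any accept policy, a quick audit of a `config firewall policy` dump is worth having. The script below is an added example, not code from the original post or from Fortinet: it parses the CLI stanzas, works out which reputation levels a given reputation-minimum covers (levels 1 up to the minimum, as explained above), and flags a reputation policy that is not first in the list, does not deny, or does not log. The two config dumps are constructed samples that use the names from the policy above; the allow policy and its id are assumptions.

```python
"""Audit a FortiGate 'config firewall policy' dump for an ISDB reputation block policy."""
import shlex

# Reputation levels as listed on the page. A policy with reputation-minimum N
# matches destinations rated 1..N, so reputation-minimum 2 blocks levels 1 and 2.
REPUTATION_LEVELS = {
    1: "Known malicious sites (phishing, botnet servers)",
    2: "High risk services (TOR, proxy, P2P)",
    3: "Unverified sites",
    4: "Reputable social media sites",
    5: "Known and verified safe sites",
}


def blocked_levels(reputation_minimum):
    """Return the set of reputation levels a policy with this reputation-minimum matches."""
    if reputation_minimum not in REPUTATION_LEVELS:
        raise ValueError("reputation-minimum must be 1..5")
    return set(range(1, reputation_minimum + 1))


def parse_policies(config_text):
    """Parse 'edit N / set key value / next' stanzas into an ordered list of dicts."""
    policies, current = [], None
    for raw in config_text.splitlines():
        tokens = shlex.split(raw.strip())  # handles quoted values such as "ALL"
        if not tokens:
            continue
        if tokens[0] == "edit" and current is None and len(tokens) == 2:
            current = {"id": int(tokens[1])}
        elif tokens[0] == "set" and current is not None and len(tokens) >= 3:
            current[tokens[1]] = " ".join(tokens[2:])
        elif tokens[0] == "next" and current is not None:
            policies.append(current)
            current = None
    return policies


def audit_reputation_block(config_text):
    """Check that a reputation deny policy exists, sits first, and logs what it blocks."""
    policies = parse_policies(config_text)
    findings = []
    rep = [(i, p) for i, p in enumerate(policies) if "reputation-minimum" in p]
    if not rep:
        return {"ok": False, "blocked": set(),
                "findings": ["no policy sets reputation-minimum; ISDB reputation is not enforced"]}
    position, policy = rep[0]
    # A FortiOS policy with no 'set action' line defaults to deny.
    if policy.get("action", "deny") != "deny":
        findings.append(f"policy {policy['id']} has action {policy['action']}, not deny")
    if position != 0:
        earlier = [p["id"] for p in policies[:position]]
        findings.append(f"policy {policy['id']} is not first; policies {earlier} are evaluated before it")
    if policy.get("logtraffic") != "all":
        findings.append(f"policy {policy['id']} does not log all traffic; blocked hits will not be visible")
    return {"ok": not findings,
            "blocked": blocked_levels(int(policy["reputation-minimum"])),
            "findings": findings}


# Constructed sample stanzas (not from a real device). The allow policy is assumed.
REP_POLICY = """    edit 24
        set name "REP_2_deny_INT2EXT"
        set srcintf "INTERNAL"
        set dstintf "EXTERNAL"
        set srcaddr "all"
        set dstaddr "all"
        set reputation-minimum 2
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
"""
ALLOW_POLICY = """    edit 1
        set name "INT2EXT_allow"
        set srcintf "INTERNAL"
        set dstintf "EXTERNAL"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
"""
GOOD_CONFIG = "config firewall policy\n" + REP_POLICY + ALLOW_POLICY + "end\n"
BAD_CONFIG = "config firewall policy\n" + ALLOW_POLICY + REP_POLICY + "end\n"

if __name__ == "__main__":
    for label, cfg in (("good order", GOOD_CONFIG), ("bad order", BAD_CONFIG)):
        result = audit_reputation_block(cfg)
        print(label, "-> ok" if result["ok"] else "-> findings:", result["findings"])
        print("   blocks reputation levels:", sorted(result["blocked"]))
```

Feed it the output of `show firewall policy` saved to a file; the second sample shows the failure mode from the post, a reputation policy placed below an accept-all policy, which the audit reports as "not first".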
Fortinet KB Article:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-IP-reputation-in-policies-and-fallthrough/ta-p/193898