Block malicious IPs based on ISDB reputation on FortiGate

It can be very useful to create a firewall policy that blocks traffic based on an ISDB (Internet Service Database) reputation value of 1 or 2. Here's one way to do that.

Example policy

  • Open the CLI and add a new policy.
  • Replace srcintf (internal interface or zone) and dstintf (external interface or zone) with your own interfaces.

config firewall policy
    edit 0
        set name "REP_1_deny_INT2EXT"
        set srcintf "INTERNAL"
        set dstintf "EXTERNAL"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set reputation-minimum 1
        set reputation-direction destination
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "Deny traffic with an ISDB reputation of 1 from the internal zone to the external zone. reputation-direction is destination (the default), so the destination IP is looked up in the ISDB."
    next
end

Notes on the settings: "edit 0" creates a new policy with the next free ID. "set action deny" is the FortiOS default and could be omitted, but stating it explicitly makes the intent of the policy obvious to whoever reads the config later. "set logtraffic all" is what makes the denied sessions visible in the forward traffic log, which is how you verify the policy is actually matching.

Move the policy to the top of your policy list. Policies are evaluated top-down and the first match wins, so with the deny policy on top the FortiGate first checks whether the destination is a malicious IP according to the ISDB reputation rating before any permissive policy below it can accept the session.


With the policy above, traffic to all ISDB entries with a reputation of 1 is blocked. If you set reputation-minimum to 2, all IPs with a reputation of 2 or 1 are blocked, i.e. reputation-minimum matches every entry whose reputation is equal to or lower than the value you set. Addresses that are not in the ISDB at all have no reputation and are never matched by this policy, so they fall through to the policies below it.
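To make the two rules above concrete (reputation-minimum matches reputations equal to or lower than the value, and policy order decides whether the deny ever fires), here is a small Python model of the evaluation. This is an added example, not FortiOS code or anything from the original post: the ISDB table, the IP addresses, the policy names and the "0 means reputation is not evaluated" convention are constructed assumptions that mirror the behaviour described on this page, so you can see why the deny policy has to sit above any allow-all policy.

```python
"""Model of FortiGate policy matching with reputation-minimum.

Added illustration, not FortiOS code. The ISDB table, addresses and
policy list are constructed. Rules encoded here, as described on the page:
  - reputation-minimum N matches an address whose ISDB reputation is <= N
  - reputation-direction selects whether source or destination is looked up
  - policies are evaluated top-down, first match wins, implicit deny at the end
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed ISDB-style table: network -> reputation (1 = known malicious, 5 = verified safe).
ISDB = {
    ip_network("198.51.100.0/24"): 1,  # constructed "known malicious" entry
    ip_network("203.0.113.0/24"): 2,   # constructed "high risk service" entry (Tor/proxy style)
    ip_network("192.0.2.0/24"): 5,     # constructed "verified safe" entry
}


def isdb_reputation(ip: str) -> Optional[int]:
    """Longest-prefix lookup of an address in the constructed ISDB table.

    Returns None when the address is not in the ISDB at all; such traffic
    carries no reputation and is never matched by a reputation policy.
    """
    addr = ip_address(ip)
    hits = [(net, rep) for net, rep in ISDB.items() if addr in net]
    if not hits:
        return None
    return max(hits, key=lambda h: h[0].prefixlen)[1]


@dataclass
class Policy:
    name: str
    action: str = "deny"                 # FortiOS default action is deny
    reputation_minimum: int = 0          # assumption: 0 = reputation not evaluated
    reputation_direction: str = "destination"
    srcintf: str = "INTERNAL"
    dstintf: str = "EXTERNAL"

    def matches(self, srcintf: str, dstintf: str, src: str, dst: str) -> bool:
        if (srcintf, dstintf) != (self.srcintf, self.dstintf):
            return False
        if self.reputation_minimum == 0:
            return True                  # plain interface match, e.g. an allow-all policy
        looked_up = dst if self.reputation_direction == "destination" else src
        rep = isdb_reputation(looked_up)
        return rep is not None and rep <= self.reputation_minimum


def evaluate(policies, srcintf, dstintf, src, dst):
    """Top-down, first-match evaluation with implicit deny when nothing matches."""
    for p in policies:
        if p.matches(srcintf, dstintf, src, dst):
            return p.name, p.action
    return "implicit", "deny"


DENY_REP2 = Policy("REP_2_deny_INT2EXT", reputation_minimum=2)
ALLOW_ALL = Policy("allow_all_INT2EXT", action="accept")

# Correct order: the reputation deny sits above the permissive policy.
GOOD_ORDER = [DENY_REP2, ALLOW_ALL]
# Wrong order: allow-all on top shadows the deny, so it never matches.
BAD_ORDER = [ALLOW_ALL, DENY_REP2]


def demo():
    flows = {
        "rep1_dst": ("10.0.0.5", "198.51.100.10"),
        "rep2_dst": ("10.0.0.5", "203.0.113.7"),
        "rep5_dst": ("10.0.0.5", "192.0.2.9"),
        "unknown_dst": ("10.0.0.5", "100.64.0.1"),
    }
    results = {}
    for label, (src, dst) in flows.items():
        results[label] = {
            "good": evaluate(GOOD_ORDER, "INTERNAL", "EXTERNAL", src, dst),
            "bad": evaluate(BAD_ORDER, "INTERNAL", "EXTERNAL", src, dst),
        }
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label:12s} good order -> {r['good']}   bad order -> {r['bad']}")
```

Running it shows that with the deny policy on top, destinations with reputation 1 or 2 are denied by REP_2_deny_INT2EXT while reputation 5 and unknown destinations reach the allow policy; with allow-all on top, even the reputation 1 destination is accepted. Switching reputation_direction to "source" would look up the client address instead, which is the variant you would use on an inbound (EXTERNAL to INTERNAL) policy.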

Here's an example of the resulting policy (ID 24 in this case) created with the settings above.

Here's one way to show the reputation value for a specific IP address in the GUI:

click Edit on the ISDB entry Malicious-Malicious.Server

select View/Edit Entries

add the Reputation column and hover over an entry to show its reputation value

List of available IP reputation values

1 – Known malicious sites, such as phishing sites or sites related to botnet servers
2 – High risk services sites, such as TOR, proxy, and P2P
3 – Unverified sites
4 – Reputable social media sites, such as Facebook and Twitter
5 – Known and verified safe sites, such as Gmail, Amazon, and eBay

I would recommend creating a top block policy with an IP reputation rating of 2, but it depends on your environment: a value of 2 also blocks Tor, proxy and P2P services, which some networks need to allow.

