Block malicious IPs based on ISDB reputation on FortiGate

It can be very helpful to create a policy that blocks traffic based on an ISDB reputation value of 1 or 2. Here's one way to do that.

Example policy

  • Open the CLI and add a new policy.
  • Replace srcintf (internal interface or zone) and dstintf (external interface or zone) with your own interfaces.

config firewall policy
edit 0
set name "REP_1_deny_INT2EXT"
set srcintf "INTERNAL"
set dstintf "EXTERNAL"
set srcaddr "all"
set dstaddr "all"
set reputation-minimum 1
set schedule "always"
set service "ALL"
set logtraffic all
set comments "Deny traffic with an ISDB reputation of 1 from Internal zone to External zone; reputation direction is destination (default setting)"
next
end

Move the policy to the top of your policy list so that the FortiGate first checks whether the destination is a malicious IP according to the ISDB reputation rating.

Explanation

With the policy above, all ISDB entries with a reputation of 1 will be blocked. If you set reputation-minimum to 2, all IPs with a reputation of 2 or 1 will be blocked.
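Because the policy is configured with logtraffic all, every hit shows up in the FortiGate traffic log. The following is an added example (not part of the original post) that parses FortiGate key=value traffic log lines and summarises which internal hosts and which destinations the reputation policy denied, which is useful before deciding whether to raise reputation-minimum to 2. The log lines are constructed samples; the field names (policyname, action, srcip, dstip) are standard FortiOS traffic log fields, and the policy name REP_1_deny_INT2EXT is the one from the policy above.

```python
import re
from collections import Counter

# Constructed sample FortiGate traffic log lines (key=value syslog format).
# Policy ID 24 / REP_1_deny_INT2EXT is the reputation deny policy from the post.
SAMPLE_LOG = """\
date=2024-05-01 time=10:15:01 type="traffic" subtype="forward" srcip=10.0.1.25 dstip=203.0.113.7 srcintf="INTERNAL" dstintf="EXTERNAL" policyid=24 policyname="REP_1_deny_INT2EXT" action="deny" service="HTTPS"
date=2024-05-01 time=10:15:03 type="traffic" subtype="forward" srcip=10.0.1.40 dstip=198.51.100.9 srcintf="INTERNAL" dstintf="EXTERNAL" policyid=7 policyname="allow_web" action="accept" service="HTTPS"
date=2024-05-01 time=10:16:12 type="traffic" subtype="forward" srcip=10.0.1.25 dstip=203.0.113.7 srcintf="INTERNAL" dstintf="EXTERNAL" policyid=24 policyname="REP_1_deny_INT2EXT" action="deny" service="DNS"
date=2024-05-01 time=10:17:45 type="traffic" subtype="forward" srcip=10.0.2.11 dstip=192.0.2.55 srcintf="INTERNAL" dstintf="EXTERNAL" policyid=24 policyname="REP_1_deny_INT2EXT" action="deny" service="HTTP"
"""

# key=value pairs; values are either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Parse one FortiGate key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def reputation_hits(log_text, policy_name):
    """Return (sources, destinations) Counters for deny events of policy_name."""
    sources, destinations = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("policyname") == policy_name and rec.get("action") == "deny":
            sources[rec["srcip"]] += 1
            destinations[rec["dstip"]] += 1
    return sources, destinations


def report(log_text, policy_name):
    """Build a short text report of hosts hitting the reputation deny policy."""
    sources, destinations = reputation_hits(log_text, policy_name)
    lines = [f"Denied by {policy_name}: {sum(sources.values())} sessions"]
    lines += [f"  src {ip}: {n}" for ip, n in sources.most_common()]
    lines += [f"  dst {ip}: {n}" for ip, n in destinations.most_common()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG, "REP_1_deny_INT2EXT"))
```

Internal hosts that repeatedly appear as sources here are the ones worth investigating first, since they are trying to reach destinations the ISDB rates as reputation 1.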

Here's an example of a policy with ID 24 that uses the settings above.

Here's one way to show the reputation ID for a specific IP address:

  • Click Edit on the ISDB entry Malicious-Malicious.Server
  • Select View/Edit Entries
  • Add the Reputation column and hover over an entry to show its reputation ID

List of available IP reputation values

1 – Known malicious sites, such as phishing sites or sites related to botnet servers
2 – High risk services sites, such as TOR, proxy, and P2P
3 – Unverified sites
4 – Reputable social media sites, such as Facebook and Twitter
5 – Known and verified safe sites, such as Gmail, Amazon, and eBay

I would recommend creating a top block policy with an IP reputation rating of 2, but it depends on your environment.

Fortinet KB Article:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-IP-reputation-in-policies-and-fallthrough/ta-p/193898