
Monitoring your network using client reputation

Client reputation allows you to monitor traffic as it flows through your FortiGate unit
to identify users who may be engaging in risky or dangerous behavior. A variety
of different areas can be monitored, depending on what concerns you have about
activity on your network. In this example, particular attention will be given to any
traffic containing peer-to-peer (P2P) downloading.

Client reputation only monitors risky activity; it does not block it. If you discover activity that you are concerned about,
additional action must be taken to stop it, such as applying a more restrictive security policy to the traffic.

1. Enabling logging to disk
2. Enabling client reputation
3. Results

[Diagram: Internet, FortiGate, Internal Network. Traffic monitored by client reputation.]

Enabling logging to disk

In order to see your Client Reputation Tracking results, logging to disk must be enabled.

Go to Log & Report > Log Config > Log Settings. Under Logging and Archiving, enable Disk.

Enabling client reputation

Go to Security Profiles > Client Reputation > Threat Level Definition.

Enable Client Reputation Tracking.

Assign a Risk Level Value for each category, based on your traffic concerns and
needs. In the example, the value for P2P Applications has been raised to Critical.
All other categories have been left at their default level.

Enabling client reputation also enables the Log Allowed Traffic setting for all
security policies. For more information, see “Logging network traffic to gather
information” on page 36.

Results

After traffic has been monitored for a day, go to System > Dashboard > Threat History
to view the Threat History widget, which shows a graph of monitored threats.

Any sections in red should be examined, as they contain threats that are considered
Critical. To select this section, click on its left side and then click on the right side.
Select a Drill-Down option to view more information about the traffic and the client
reputation scores (the higher the score, the riskier the behaviour).

Top Sources shows the sources of the risky behaviour on your network.

Top Destinations shows the destinations which have caused the risks.

Top Threat Types shows the threat category and the risk level of the behaviour.
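
The scoring idea behind the drill-down views, as an added example that is not part of the original recipe and is not Fortinet's code: each monitored event adds its category's risk value to a running total, and the totals are ranked by source, destination and threat type. The numeric weights, the event tuple layout, the addresses and every category other than P2P Applications are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed numeric weight per risk level (hypothetical; the recipe names levels only).
RISK_VALUES = {"Low": 5, "Medium": 10, "High": 30, "Critical": 50}

# Category -> risk level. P2P Applications is raised to Critical as in the
# recipe's example; the other categories and their levels are constructed.
THREAT_LEVELS = {
    "P2P Applications": "Critical",
    "Failed Connection Attempts": "Low",
    "Malicious Websites": "High",
}

# Constructed sample events: (source IP, destination IP, threat category).
EVENTS = [
    ("10.0.0.15", "198.51.100.7", "P2P Applications"),
    ("10.0.0.15", "198.51.100.9", "P2P Applications"),
    ("10.0.0.22", "203.0.113.40", "Failed Connection Attempts"),
    ("10.0.0.22", "203.0.113.40", "Failed Connection Attempts"),
    ("10.0.0.31", "203.0.113.80", "Malicious Websites"),
    ("10.0.0.15", "203.0.113.80", "Malicious Websites"),
    ("10.0.0.40", "192.0.2.5", "Unlisted Category"),
]

def score_events(events, levels=THREAT_LEVELS, values=RISK_VALUES):
    """Return score totals by source, destination and (category, level)."""
    sources, dests, threats = defaultdict(int), defaultdict(int), defaultdict(int)
    unscored = []
    for src, dst, category in events:
        level = levels.get(category)
        if level is None:
            unscored.append((src, dst, category))  # surface gaps instead of dropping them
            continue
        points = values[level]
        sources[src] += points
        dests[dst] += points
        threats[(category, level)] += points
    return dict(sources), dict(dests), dict(threats), unscored

def top(totals, n=3):
    """Highest totals first; ties are broken by key so the order is stable."""
    return sorted(totals.items(), key=lambda kv: (-kv[1], str(kv[0])))[:n]

if __name__ == "__main__":
    sources, dests, threats, unscored = score_events(EVENTS)
    print("Top Sources:", top(sources))
    print("Top Destinations:", top(dests))
    print("Top Threat Types:", top(threats))
    print("Unscored events:", unscored)
```

With these weights, a client that generates two P2P events outranks one that generates many Low-level events, which is the effect of raising P2P Applications to Critical.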
