
Make Fortinet Efficient Against Active Threats
ELLIO is a real-time attacker infrastructure intelligence layer that feeds Fortinet Security Fabric with actionable IP context for automated blocking, detection, and enrichment.
Highly adaptive & customizable
IP blocking for FortiGate security.
ELLIO transforms FortiGate from a reactive NGFW relying on periodically updated reputation feeds into a proactive perimeter enforcement system capable of blocking active attacker infrastructure in near real time through high-frequency EDL integration and behavioral IP intelligence.
Early Protection Against Active Attackers
ELLIO enhances FortiGate intelligence with proactive blocking of IPs involved in active malicious activity, reconnaissance, and mass exploitation. Threats are continuously evaluated, and IPs are automatically removed when no longer posing risk.
High Blocking Precision with Always-Fresh Business Service IP Feeds
Fine-tune automation using always up-to-date IP lists from cloud providers, scanners, and SaaS services to improve blocking accuracy and reduce false positives. Define policies broadly or granularly - ELLIO keeps IP ranges automatically updated and applied where needed.
Custom Security Automation Without Manual Effort
ELLIO Blocklist Automation enables highly customizable control over what to block or always allow without manual syncing or operational effort. Create your own blocklists and allowlists, or merge ELLIO threat intelligence with existing non-ELLIO IP blocklists. ELLIO keeps everything continuously updated and running automatically.
| FortiGuard Intelligence | ELLIO Intelligence | |
|---|---|---|
| protection capabilities | ||
| Threat Intelligence Focus | Known Bad Internet | Currently Attacking Internet |
| Attack Coverage | Known malware infrastructure, Established botnets, Phishing campaigns, Spam infrastructure, Anonymizers | Emerging new attackers, Live scanners, Live brute-force / exploit activity, Cloud-based ephemeral infrastructure, Reconnaissance waves before attacks, Ephemeral VPS / cloud abuse |
| Known Malicious IP | Yes | Yes |
| Currently Active Malicious IPs | Partial | Core Capability |
| Live Reconnaissance IPs | Partial | Core Capability |
| IPs Involved in Active Mass Exloitation Campaigns | Partial | Core Capability |
| SHH Brute-Force Infrastructure | Partial | Core Capability |
| VPN Attack Source | Partial | Core Capability |
| Cloud/VPS Abuse Detection | Partial | Core Capabilities |
| Infrastructure Clustering | No | Yes |
| MANAGING CAPABILITIES | ||
| Integration | Native FortiGate Integration | via EDL (External Dynamic List) |
| Custom-controlled automation | via FortiManager | Yes |
| Customize Blocking and Allowing for Scanners, Cloud, and SaaS Services | No | Yes |
FortiSIEM, FortiSOAR, FortiSOC
Clean automation & fast investigation
need reliable data.
Transforms IP-by-IP investigation into infrastructure-level, campaign-aware threat understanding, reducing noise and accelerating decision-making.
Same attacker, new IPs
Reality: FortiGate logs show repeated attacks from changing IPs across regions and ISPs.
How ELLIO helps: It correlates changing IP activity across FortiGate and FortiSIEM logs into persistent attacker infrastructure clusters instead of isolated firewall events.
Result: Earlier detection of coordinated attacks and more effective blocking decisions.
Block or investigate?
Reality: SOC analysts reviewing FortiAnalyzer or FortiSIEM events must manually validate IP reputation before escalation.
How ELLIO helps: ELLIO adds real-time attacker classification and latest context directly into FortiSOC cases, removing manual IP reputation checks.
Result: Faster decisions and lower analyst workload.
Cloud IPs triggering alerts with no clear malicious context.
Reality: FortiSIEM / FortiAnalyzer shows repeated events from AWS/Azure IPs. Analysts waste time checking if it is real abuse or shared cloud traffic.
How ELLIO helps: ELLIO enriches FortiSIEM and FortiAnalyzer events with infrastructure intelligence, distinguishing legitimate cloud traffic from active attacker behavior.
Result: Faster investigation and less OSINT validation.