Fortinet Document Library


External resources for DNS filter

External Resources lets FortiGate dynamically import an external block list that is hosted on an HTTP server. FortiGate periodically retrieves a URL, domain name, IP address, or malware hash list from that external HTTP server and uses it as a Web Filter remote category, a DNS Filter remote category, a policy address object, or an antivirus profile's malware definitions. When the file on the server is updated, the corresponding FortiGate objects are updated dynamically on the next refresh.

External Resource is divided into four types:

  • URL list (Type=category)
  • Domain Name List (Type=domain)
  • IP Address list (Type=address)
  • Malware hash list (Type=malware)

Remote categories and external IP block list

The DNS Filter profile can use two types of external resources: domain type and address type. A domain type resource file is a domain name list; an address type resource file is an IP address list.

When a domain type external resource is configured, it is treated as a Remote Category in the DNS Filter profile. If the domain name in a DNS query matches an entry in this external resource file, the query is rated as that Remote Category and follows the action configured for the category in the DNS Filter profile.

When an address type external resource is configured, it can be enabled as the external-ip-blocklist in the DNS Filter profile. If an IP address resolved in the DNS response matches an entry in the external-ip-blocklist, the DNS query is blocked by DNS Filter.

External Resources file format

File format requirements for External Resources file:

  • The file is in plain text format, with each URL, IP address, or domain name occupying one line.
  • The file is limited to 10 MB or 128 × 1024 entries, and each line is limited to 4 KB characters.
  • The entry limit also follows the table size limitation defined by the CMDB for each model.
  • The External Resources update period can be set from 1 minute up to monthly (43200 minutes, that is, 30 days), including hourly, daily, and weekly intervals.
  • External Resources of type category (URL list) and type domain (Domain Name list) share the category number range 192-221 (30 categories in total).
  • There is no duplicate entry validation for External Resources files, neither within one file nor across different files.

For Domain Name list (Type=domain):

  • A simple wildcard is allowed in the domain name list, for example: *.test.com.
  • IDN (International Domain Name) is supported.

For IP Address list (Type=address):

  • An IP address entry can be a single IP address, a subnet, or an address range, for example: 192.168.1.1, 192.168.10.0/24, 192.168.100.1-192.168.100.254.
  • An entry can be an IPv4 or IPv6 address. For Type=address, an IPv6 address does not need to be enclosed in [ ].
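Because FortiGate performs no duplicate validation and silently depends on the size and format limits listed above, it is worth checking a feed file before publishing it to the HTTP server. The following validator is an added example, not Fortinet code; it assumes the limits exactly as stated on this page and uses constructed sample feeds (the feed names and entries are made up).

```python
import ipaddress
import re

MAX_FILE_BYTES, MAX_ENTRIES, MAX_LINE_CHARS = 10 * 1024 * 1024, 128 * 1024, 4 * 1024  # page limits
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # one hostname label (ASCII or punycode)

def valid_domain_entry(entry):
    """Type=domain entry: hostname with optional simple wildcard prefix '*.'; IDN is allowed."""
    host = entry[2:] if entry.startswith("*.") else entry
    try:
        host = host.rstrip(".").encode("idna").decode("ascii")  # normalise IDN to punycode
    except UnicodeError:
        return False
    labels = host.split(".")
    return len(labels) >= 2 and all(_LABEL.match(l) for l in labels)

def valid_address_entry(entry):
    """Type=address entry: single IP, CIDR subnet or start-end range, IPv4 or IPv6 without [ ]."""
    try:
        if "-" in entry:
            start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            return start.version == end.version and start <= end
        elif "/" in entry:
            ipaddress.ip_network(entry, strict=False)
        else:
            ipaddress.ip_address(entry)
        return True
    except ValueError:
        return False

def validate_feed(text, feed_type):
    """Return the problems found; an empty list means the file is safe to publish."""
    check = {"domain": valid_domain_entry, "address": valid_address_entry}[feed_type]
    problems, seen, entries = [], set(), 0
    if len(text.encode("utf-8")) > MAX_FILE_BYTES:
        problems.append("file exceeds 10 MB")
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        entries += 1
        if len(raw) > MAX_LINE_CHARS:
            problems.append(f"line {lineno}: longer than 4 KB")
        if not check(line):
            problems.append(f"line {lineno}: invalid {feed_type} entry {line!r}")
        if line.lower() in seen:  # FortiGate does no duplicate validation, so catch it here
            problems.append(f"line {lineno}: duplicate entry {line!r}")
        seen.add(line.lower())
    if entries > MAX_ENTRIES:
        problems.append("more than 128 x 1024 entries")
    return problems

# Constructed sample feeds (not from the page): the accepted forms plus two mistakes in each.
DOMAIN_FEED = "*.test.com\nmalicious.example\nbücher.example\nMalicious.EXAMPLE\nbad host.example\n"
ADDRESS_FEED = "192.168.1.1\n192.168.10.0/24\n192.168.100.1-192.168.100.254\n2001:db8::1\n[2001:db8::2]\n10.0.0.300\n"
```

Run `validate_feed(DOMAIN_FEED, "domain")` or `validate_feed(ADDRESS_FEED, "address")` as a pre-publish gate in the job that writes the file to the HTTP server.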

Configure External Resources in the CLI

You can use the CLI to configure External Resources files that are hosted on an external HTTP server. Under Global, configure the location of the External Resources file and specify the resource type. DNS Filter can use domain type and address type external resources.

In the following example, the file "Ext-Resource-Type-as-Domain-1.txt" is configured as type domain; DNS Filter treats it as a Remote Category named "Ext-Resource-Type-as-Domain-1" with category-id 194. A second external resource file, "Ext-Resource-Type-as-Address-1.txt", is configured as type address, and the resulting address object is named "Ext-Resource-Type-as-Address-1":

config system external-resource
   edit "Ext-Resource-Type-as-Domain-1"
      set type domain  <<<====
      set category 194 <<<====
      set resource "http://172.16.200.66/external-resources/Ext-Resource-Type-as-Domain-1.txt"
      set refresh-rate 1
   next
   edit "Ext-Resource-Type-as-Address-1"
      set status enable
      set type address  <<<====
      set username ''
      set password 
      set comments ''
      set resource "http://172.16.200.66/external-resources/Ext-Resource-Type-as-Address-1.txt"
      set refresh-rate 1
   next
end   

In each VDOM, a domain type external resource can be used in DNS Filter as a Remote Category. In the above example, the domain name list in the "Ext-Resource-Type-as-Domain-1.txt" file is treated as remote category 194. The IP address list in the "Ext-Resource-Type-as-Address-1.txt" file can be applied in DNS Filter as the external-ip-blocklist; if a resolved IP address matches any entry in that file, the DNS query is blocked. Configure the action for the remote category, enable the external-ip-blocklist in a DNS Filter profile, and apply that profile in the firewall policy:

config dnsfilter profile
   edit "default"
      set comment "Default dns filtering."
      config ftgd-dns
         config filters
            edit 1
               set category 194 <<<==== domain list in Ext-Resource-Type-as-Domain-1.txt treated as remote category 194
               set action block
            next
            edit 2
               set category 12
            next
            edit 3
            next
         end
      end
      set block-botnet enable
      set external-ip-blocklist "Ext-Resource-Type-as-Address-1"  <<<==== IP address in "Ext-Resource-Type-as-Address-1" file.
   next
end  

config firewall policy
   edit 1
      set name "DNSFilter"
      set srcintf "port10"
      set dstintf "port9"
      set srcaddr "all"
      set dstaddr "all"
      set action accept
      set schedule "always"
      set service "ALL"
      set utm-status enable
      set logtraffic all
      set dnsfilter-profile "default"
      set profile-protocol-options "protocol"
      set ssl-ssh-profile "protocols"
      set nat enable
   next
end

Configure External Resources in the GUI

To configure, edit, or view the entries for external resources from the GUI:

  1. Go to Global > Security Fabric > Fabric Connectors.
  2. Click Create New.
  3. In the Threat Feeds section, select Domain Name or IP Address.
  4. Enter the Resource Name, the URL (location of the resource file), the resource authentication credentials, and the Refresh Rate, then click OK to finish the Threat Feeds configuration.
  5. When the configuration is complete, double-click the Threat Feeds object you just configured to open the Edit page, then click View Entries to view the entry list in the external resources file.
  6. Go to VDOM > DNS Filter and open a DNS Filter profile. The configured external resources are displayed, and you can apply each one in the DNS Filter profile as a remote category or as an external IP block list.

Log Example

Remote categories

In VDOM > Log & Report > DNS Query, some domains that match the Remote Category list are rated as Remote Category, overriding their original domain rating.

CLI Example:
1: date=2019-01-18 time=13:49:12 logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="vdom1" eventtime=1547848151 policyid=1 sessionid=82998 srcip=10.1.100.18 srcport=42985 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="default" xid=38234 qname="www.example.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="93.184.216.34" msg="Domain is monitored" action="pass" cat=196 catdesc="Ext-Resource-Type-as-Domain-3"

2: date=2019-01-18 time=13:49:12 logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information" vd="vdom1" eventtime=1547848151 policyid=1 sessionid=82998 srcip=10.1.100.18 srcport=42985 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="default" xid=38234 qname="www.example.com" qtype="A" qtypeval=1 qclass="IN"

External-IP-Block-Lists

You can use an address type external resource as the external-ip-blocklist in a DNS Filter profile. If an IP address resolved for a DNS query matches an entry in the external-ip-blocklist, the DNS query is blocked.

CLI Example:
1: date=2019-01-18 time=13:50:53 logid="1501054400" type="utm" subtype="dns" eventtype="dns-response" level="warning" vd="vdom1" eventtime=1547848253 policyid=1 sessionid=83206 srcip=10.1.100.18 srcport=47281 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="default" xid=7501 qname="www.example.com" qtype="A" qtypeval=1 qclass="IN" msg="Domain was blocked because it is in the domain-filter list" action="redirect" domainfilteridx=0 domainfilterlist="Ext-Resource-Type-as-Address-1"

2: date=2019-01-18 time=13:50:53 logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information" vd="vdom1" eventtime=1547848253 policyid=1 sessionid=83206 srcip=10.1.100.18 srcport=47281 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="default" xid=7501 qname="www.example.com" qtype="A" qtypeval=1 qclass="IN"
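The two log pairs above are easier to act on when the dns-query and dns-response records are correlated and the response is attributed to the mechanism that produced it: a remote category (cat in the 192-221 range shared by external resources) or the external-ip-blocklist (the domainfilterlist field). The following parser is an added example, not Fortinet code; its sample input is constructed by trimming the four log lines shown on this page to the fields the parser needs, and the 192-221 range is taken from the file format section.

```python
import re
from collections import defaultdict

# Remote categories created by external resources share category ids 192-221.
REMOTE_CATEGORY_IDS = range(192, 222)

# Constructed sample: the four log lines from this page, trimmed to the relevant fields.
SAMPLE_LOGS = [
    'date=2019-01-18 time=13:49:12 logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" '
    'vd="vdom1" sessionid=82998 srcip=10.1.100.18 xid=38234 qname="www.example.com" qtype="A" '
    'ipaddr="93.184.216.34" msg="Domain is monitored" action="pass" cat=196 catdesc="Ext-Resource-Type-as-Domain-3"',
    'date=2019-01-18 time=13:49:12 logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" '
    'vd="vdom1" sessionid=82998 srcip=10.1.100.18 xid=38234 qname="www.example.com" qtype="A"',
    'date=2019-01-18 time=13:50:53 logid="1501054400" type="utm" subtype="dns" eventtype="dns-response" '
    'vd="vdom1" sessionid=83206 srcip=10.1.100.18 xid=7501 qname="www.example.com" qtype="A" '
    'msg="Domain was blocked because it is in the domain-filter list" action="redirect" '
    'domainfilteridx=0 domainfilterlist="Ext-Resource-Type-as-Address-1"',
    'date=2019-01-18 time=13:50:53 logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" '
    'vd="vdom1" sessionid=83206 srcip=10.1.100.18 xid=7501 qname="www.example.com" qtype="A"',
]

_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # key=value, value may be a quoted string

def parse_log(line):
    """Turn one FortiGate key=value log line into a dict, stripping quotes from quoted values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in _KV.findall(line)}

def verdict(resp):
    """Classify a dns-response record by the DNS Filter mechanism that rated it."""
    if "domainfilterlist" in resp:                  # address type resource: external-ip-blocklist hit
        return ("external-ip-blocklist", resp["domainfilterlist"])
    cat = int(resp.get("cat", -1))
    if cat in REMOTE_CATEGORY_IDS:                  # domain type resource: remote category hit
        return ("remote-category", resp.get("catdesc", ""))
    return ("ftgd-category", resp.get("catdesc", ""))  # ordinary FortiGuard rating

def correlate(lines):
    """Pair dns-query and dns-response records sharing vd/sessionid/xid and summarise each lookup."""
    by_txn = defaultdict(dict)
    for rec in map(parse_log, lines):
        if rec.get("subtype") == "dns":
            by_txn[(rec["vd"], rec["sessionid"], rec["xid"])][rec["eventtype"]] = rec
    results = []
    for (_, _, xid), txn in by_txn.items():
        query, resp = txn.get("dns-query"), txn.get("dns-response")
        if query is None or resp is None:
            continue  # only half of the transaction seen; nothing to conclude yet
        kind, source = verdict(resp)
        results.append({"xid": xid, "src": query["srcip"], "qname": query["qname"],
                        "action": resp.get("action"), "matched": kind, "source": source,
                        "resolved": resp.get("ipaddr")})
    return results
```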
