Fortinet Document Library
Cookbook

Threat feeds

Threat feeds dynamically import external block lists from an HTTP server in the form of a text file. Block lists can be used to enforce special security requirements, such as long-term policies to always block access to certain websites, or short-term requirements to block access to known compromised locations. The lists are imported dynamically, so any changes to the source file are picked up automatically by FortiOS.

There are four types of threat feeds:

FortiGuard Category

The file contains one URL per line. It is available as a Remote Category in Web Filter profiles and SSL inspection exemptions.

Example:

http://example/com.url
https://example.com/url
http://example.com:8080/url

IP Address

The file contains one IP/IP range/subnet per line. It is available as an External IP Block List in DNS Filter profiles, and as a Source/Destination in IPv4, IPv6, and proxy policies.

Example:

192.168.2.100
172.200.1.4/16
172.16.1.2/24
172.16.8.1-172.16.8.100
2001:0db8::eade:27ff:fe04:9a01/120
2001:0db8::eade:27ff:fe04:aa01-2001:0db8::eade:27ff:fe04:ab01

Domain Name

The file contains one domain per line. Simple wildcards are supported. It is available as a Remote Category in DNS Filter profiles.

Example:

mail.*.example.com
*-special.example.com
www.*example.com
example.com

Malware Hash

The file contains one hash per line in the format <hex hash> [optional hash description]. Each line supports MD5, SHA1, and SHA256 hex hashes. It is automatically used for Virus Outbreak Prevention on antivirus profiles with Use External Malware Block List enabled.

Note: For optimal performance, do not mix different hash types in the list. Use only one of MD5, SHA1, or SHA256.

Example:

292b2e6bb027cd4ff4d24e338f5c48de

dda37961870ce079defbf185eeeef905 Trojan-Ransom.Win32.Locky.abfl

3fa86717650a17d075d856a41b3874265f8e9eab Trojan-Ransom.Win32.Locky.abfl

c35f705df9e475305c0984b05991d444450809c35dd1d96106bb8e7128b9082f Trojan-Ransom.Win32.Locky.abfl

See External malware blocklist for antivirus for an example.

To create a threat feed in the GUI:
  1. Go to Security Fabric > Fabric Connectors.
  2. Click Create New.
  3. In the Threat Feeds section, click on the required feed type.
  4. Configure the connector settings:

     Name: Enter a name for the threat feed connector.

     URI of external resource: Enter the link to the external resource file. The file should be a plain text file with one entry on each line.

     HTTP basic authentication: Enable/disable basic HTTP authentication. When enabled, enter the username and password in the requisite fields.

     Refresh Rate: The time interval to refresh the external resource, in minutes (1 - 43200, default = 5).

     Comments: Optionally, enter a description of the connector.

     Status: Enable/disable the connector.

  5. Click OK.

To create a threat feed in the CLI:
config system external-resource
    edit <name>
        set status {enable | disable}
        set type {category | address | domain | malware}
        set category <integer>
        set username <string>
        set password <string>
        set comments [comments]
        *set resource <resource-uri>
        *set refresh-rate <integer>
        set source-ip <string>
    next
end

Parameters marked with a * are mandatory and must be filled in. Other parameters either have default values or are optional.

Update history

To review the update history of a threat feed, go to Security Fabric > Fabric Connectors, select a feed, and click Edit. The Last Update field shows the date and time that the feed was last updated.

Click View Entries to view the current entries in the list.
