Threat feeds
Threat feeds dynamically import external block lists from an HTTP server in the form of a plain text file. Block lists can be used to enforce special security requirements, such as long-term policies to always block access to certain websites, or short-term requirements to block access to known compromised locations. The lists are imported dynamically, so any change to the file is picked up by FortiOS at the next refresh.
There are four types of threat feeds:

FortiGuard Category
The file contains one URL per line. It is available as a Remote Category in Web Filter profiles and SSL inspection exemptions. Example:
    http://example/com.url
    https://example.com/url
    http://example.com:8080/url

IP Address
The file contains one IP address, IP range, or subnet per line. It is available as an External IP Block List in DNS Filter profiles, and as a Source/Destination in IPv4, IPv6, and proxy policies. Example:
    192.168.2.100
    172.200.1.4/16
    172.16.1.2/24
    172.16.8.1-172.16.8.100
    2001:0db8::eade:27ff:fe04:9a01/120
    2001:0db8::eade:27ff:fe04:aa01-2001:0db8::eade:27ff:fe04:ab01

Domain Name
The file contains one domain per line. Simple wildcards are supported. It is available as a Remote Category in DNS Filter profiles. See External resources for DNS filter. Example:
    mail.*.example.com
    *-special.example.com
    www.*example.com
    example.com

Malware Hash
The file contains one hash per line, optionally followed by a space and a malware name. Note: for optimal performance, do not mix different hash types in one list; use only MD5, SHA1, or SHA256. Example:
    292b2e6bb027cd4ff4d24e338f5c48de
    dda37961870ce079defbf185eeeef905 Trojan-Ransom.Win32.Locky.abfl
    3fa86717650a17d075d856a41b3874265f8e9eab Trojan-Ransom.Win32.Locky.abfl
    c35f705df9e475305c0984b05991d444450809c35dd1d96106bb8e7128b9082f Trojan-Ransom.Win32.Locky.abfl
See External malware block list for antivirus for an example.
External resources file format
File format requirements for an external resources file:
- The file is in plain text format, with each URL, IP address, or domain name on its own line.
- The file is limited to 10 MB or 128 × 1024 (131072) entries, whichever limit is hit first.
- The entry limit also follows the table size limitation defined by CMDB per model.
- The external resources update period (refresh rate) can be set anywhere from 1 minute to 43200 minutes (30 days), for example hourly, daily, weekly, or monthly.
- The external resources types category (URL list) and domain (domain name list) share the category number range 192 to 221 (a total of 30 categories).
- There is no duplicate entry validation for external resources files, neither within one file nor across different files.
- If the number of entries exceeds the limit, a warning is displayed, and entries beyond the threshold are not loaded.
For domain name list (type = domain):
- Simple wildcards are allowed in the domain name list, for example: *.test.com.
- IDN (international domain name) is supported.
For IP address list (type = address):
- The IP address can be a single IP address, subnet address, or address range. For example, 192.168.1.1, 192.168.10.0/24, or 192.168.100.1-192.168.100.254.
- The address can be an IPv4 or IPv6 address. An IPv6 address does not need to be in [ ] format.
To determine the external resource table size limit for your device:
    # print tablesize
    ...
    system.external-resource: 0 256 512
    ...
For this device, a FortiGate 60E, the global limit is 512 external resources and the limit per VDOM is 256.
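The format rules above are easy to violate by hand (a subnet with host bits set, a malformed address, an MD5 and a SHA1 in the same list, a duplicate line that FortiOS will never flag). The following Python script is an added example, not part of the FortiOS documentation and not a Fortinet tool; it checks a feed file against the limits and entry formats listed on this page before you publish it on the HTTP server the FortiGate polls. The function and sample names (validate_feed, SAMPLE_ADDRESS, SAMPLE_MALWARE) are my own, and the sample lines are constructed from the page's example entries plus one bad line and one duplicate.

```python
"""Pre-publication check for a FortiOS external-resource (threat feed) file.
Added example; not part of the FortiOS documentation or a Fortinet tool.
Rules encoded: one entry per line, 10 MB / 131072-entry cap, IP / range /
subnet entries (v4 or v6), '*' wildcards in domain labels, one hash per
line with MD5/SHA1/SHA256 not mixed, no de-duplication on the FortiGate."""
import ipaddress
import re
from urllib.parse import urlsplit

MAX_BYTES = 10 * 1024 * 1024      # 10 MB file limit
MAX_ENTRIES = 128 * 1024          # 131072 entries, whichever limit hits first
HASH_ALGOS = {32: "MD5", 40: "SHA1", 64: "SHA256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# One domain label: unicode letters/digits (IDN), '_', '-', and '*' wildcards.
LABEL_RE = re.compile(r"^[\w*-]+$")

def _check_address(entry):
    """Single IP, subnet, or 'first-last' range; IPv4 or IPv6. Bracketed
    IPv6 ([...]) is rejected here (assumption: the page only says brackets
    are not required)."""
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError("range must be one address family, ascending")
    else:
        # strict=False: the page's own example 172.200.1.4/16 has host bits set
        ipaddress.ip_network(entry, strict=False)

def _check_domain(entry):
    if not all(LABEL_RE.match(label) for label in entry.split(".")):
        raise ValueError("invalid domain label")

def _check_category(entry):
    parts = urlsplit(entry)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("URL needs an http(s) scheme and a host")

def _check_malware(entry, algos_seen):
    digest = entry.split()[0]     # an optional malware name follows the hash
    algo = HASH_ALGOS.get(len(digest))
    if algo is None or not HEX_RE.match(digest):
        raise ValueError("hash must be hex MD5, SHA1 or SHA256")
    algos_seen.add(algo)

CHECKS = {"address": _check_address, "domain": _check_domain,
          "category": _check_category}

def validate_feed(text, feed_type):
    """Return {'entries': n, 'errors': [...], 'warnings': [...]}.
    feed_type is a CLI 'set type' value: category, address, domain, malware.
    Errors: lines FortiOS would not accept. Warnings: things it accepts
    silently (duplicates, mixed hash types)."""
    if feed_type not in CHECKS and feed_type != "malware":
        raise ValueError(f"unknown feed type {feed_type!r}")
    errors, warnings, seen, algos = [], [], set(), set()
    size = len(text.encode("utf-8"))
    if size > MAX_BYTES:
        errors.append(f"file is {size} bytes, limit is {MAX_BYTES}")
    entries = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(entries) > MAX_ENTRIES:
        errors.append(f"{len(entries)} entries, only {MAX_ENTRIES} will load")
    for n, entry in enumerate(entries, 1):
        try:
            if feed_type == "malware":
                _check_malware(entry, algos)
            else:
                CHECKS[feed_type](entry)
        except ValueError as exc:
            errors.append(f"line {n}: {entry!r}: {exc}")
            continue
        key = entry.split()[0].lower()
        if key in seen:               # FortiOS does not de-duplicate for you
            warnings.append(f"line {n}: duplicate entry {entry!r}")
        seen.add(key)
    if len(algos) > 1:
        warnings.append("mixed hash types: " + ", ".join(sorted(algos)))
    return {"entries": len(entries), "errors": errors, "warnings": warnings}

# Constructed samples: the page's example entries plus one malformed line
# (10.0.0.300) and one duplicate in the address list.
SAMPLE_ADDRESS = """\
192.168.2.100
172.200.1.4/16
172.16.8.1-172.16.8.100
2001:0db8::eade:27ff:fe04:9a01/120
2001:0db8::eade:27ff:fe04:aa01-2001:0db8::eade:27ff:fe04:ab01
10.0.0.300
192.168.2.100
"""
SAMPLE_MALWARE = """\
292b2e6bb027cd4ff4d24e338f5c48de
3fa86717650a17d075d856a41b3874265f8e9eab Trojan-Ransom.Win32.Locky.abfl
"""

if __name__ == "__main__":
    print("address", validate_feed(SAMPLE_ADDRESS, "address"))
    print("malware", validate_feed(SAMPLE_MALWARE, "malware"))
```

Run it against the file you are about to publish; anything in errors will not load as written, and anything in warnings is accepted by FortiOS but is usually a mistake in the feed. The entry cap here is the 131072 limit from the page; the per-model CMDB table size shown with print tablesize counts configured external resources, not entries, so it is not checked by this script.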
Create a threat feed
To create a threat feed in the GUI:
- Go to Security Fabric > Fabric Connectors.
- Click Create New.
- In the Threat Feeds section, click the required feed type.
- Configure the connector settings:
Name: Enter a name for the threat feed connector.
URI of external resource: Enter the link to the external resource file. The file should be a plain text file with one entry on each line.
HTTP basic authentication: Enable/disable basic HTTP authentication. When enabled, enter the username and password in the requisite fields.
Refresh Rate: The time interval to refresh the external resource, in minutes (1 - 43200, default = 5).
Comments: Optionally, enter a description of the connector.
Status: Enable/disable the connector.
- Click OK.
To create a threat feed in the CLI:
    config system external-resource
        edit <name>
            set status {enable | disable}
            set type {category | address | domain | malware}
            set category <integer>
            set username <string>
            set password <string>
            set comments [comments]
            *set resource <resource-uri>
            *set refresh-rate <integer>
            set source-ip <string>
        next
    end
Parameters marked with a * are mandatory and must be filled in. Other parameters either have default values or are optional.
Update history
To review the update history of a threat feed, go to Security Fabric > Fabric Connectors, select a feed, and click Edit. The Last Update field shows the date and time that the feed was last updated.
Click View Entries to view the current entries in the list.