Fortinet white logo
Fortinet white logo

Administration Guide

IP address threat feed

IP address threat feed

An IP address threat feed is a dynamic list that contains IPv4 and IPv6 addresses, address ranges, and subnets. The list is periodically updated from an external server and stored in text file format on an external server. After the FortiGate imports this list, it can be used as a source or destination in firewall policies and proxy policies.It can also be used as an external IP block list in DNS filter profiles.

Text file example:

192.168.2.100
172.200.1.4/16
172.16.1.2/24
172.16.8.1-172.16.8.100
2001:0db8::eade:27ff:fe04:9a01/120
2001:0db8::eade:27ff:fe04:aa01-2001:0db8::eade:27ff:fe04:ab01

The file contains one IPv4 or IPv6 address, address range, or subnet per line. See External resources file format for more information about the IP list formatting style.

Example configuration

In this example, a list of destination IP addresses is imported using the IP address threat feed. The newly created threat feed is then used as a destination in a firewall policy with the action set to deny. Any traffic that passes through the FortiGate and matches the defined firewall policy will be dropped.

To configure an IP address threat feed in the GUI:
  1. Go to Security Fabric > External Connectors and click Create New.
  2. In the Threat Feeds section, click IP Address.
  3. Set the Name to AWS_IP_Blocklist.
  4. Set the URI of external resource to https://s3.us-east-2.amazonaws.com/ip-blocklist/ip.txt.
  5. Configure the remaining settings as required, then click OK.
  6. Edit the connector, then click View Entries to view the IP addresses in the feed.

To configure an IP address threat feed in the CLI:
config system external-resource
   edit "AWS_IP_Blocklist"
      set type address
      set resource "https://s3.us-east-2.amazonaws.com/ip-blocklist/ip.txt"
   next
end
To apply an IP address threat feed in a firewall policy:
  1. Go to Policy & Objects > Firewall Policy and create a new policy, or edit an existing one.

  2. Configure the policy fields as required.

  3. In the Destination field, click the + and select AWS_IP_Blocklist from the list (in the IP ADDRESS FEED section).

  4. Set Action to DENY.

  5. Enable Log Allowed Traffic.

  6. Click OK.

Applying an IP address threat feed as an external IP block list in a DNS filter profile

An IP address threat feed can be applied by enabling External IP Block Lists in a DNS filter profile. Any DNS query that passes through the FortiGate and resolves to any of the IP addresses in the threat feed list will be dropped.

To configure the DNS filter profile:
  1. Go to Security Profiles > DNS Filter and create a new profile, or edit an existing one.

  2. Enable External IP Block Lists.
  3. Click the + and select AWS_IP_Blocklist from the list.
  4. Click OK.

To apply the DNS filter profile in a firewall policy:
  1. Go to Policy & Objects > Firewall Policy and create a new policy, or edit an existing one.

  2. Configure the policy fields as required.

  3. Under Security Profiles, enable DNS Filter and select the profile used in the previous procedure.

  4. Enable Log Allowed Traffic.

  5. Click OK.

IP addresses that match the IP address threat feed list will be blocked.

To view the DNS query logs:
  1. Go to Log & Report > DNS Query.

  2. View the log details in the GUI, or download the log file:

    1: date=2023-02-06 time=15:06:50 eventtime=1675724810452621179 tz="-0800" logid="1501054400" type="utm" subtype="dns" eventtype="dns-response" level="warning" vd="root" policyid=0 sessionid=555999 srcip=172.20.120.13 srcport=59602 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" dstip=172.20.120.12 dstport=53 dstcountry="Reserved" dstintf="root" dstintfrole="undefined" proto=17 profile="default" xid=24532 qname="dns.google" qtype="A" qtypeval=1 qclass="IN" ipaddr="208.91.112.55" msg="Domain was blocked because it is in the domain-filter list" action="redirect" domainfilteridx=0 domainfilterlist="AWS_IP_Block_list"

IP address threat feed

IP address threat feed

An IP address threat feed is a dynamic list that contains IPv4 and IPv6 addresses, address ranges, and subnets. The list is periodically updated from an external server and stored in text file format on an external server. After the FortiGate imports this list, it can be used as a source or destination in firewall policies and proxy policies.It can also be used as an external IP block list in DNS filter profiles.

Text file example:

192.168.2.100
172.200.1.4/16
172.16.1.2/24
172.16.8.1-172.16.8.100
2001:0db8::eade:27ff:fe04:9a01/120
2001:0db8::eade:27ff:fe04:aa01-2001:0db8::eade:27ff:fe04:ab01

The file contains one IPv4 or IPv6 address, address range, or subnet per line. See External resources file format for more information about the IP list formatting style.

Example configuration

In this example, a list of destination IP addresses is imported using the IP address threat feed. The newly created threat feed is then used as a destination in a firewall policy with the action set to deny. Any traffic that passes through the FortiGate and matches the defined firewall policy will be dropped.

To configure an IP address threat feed in the GUI:
  1. Go to Security Fabric > External Connectors and click Create New.
  2. In the Threat Feeds section, click IP Address.
  3. Set the Name to AWS_IP_Blocklist.
  4. Set the URI of external resource to https://s3.us-east-2.amazonaws.com/ip-blocklist/ip.txt.
  5. Configure the remaining settings as required, then click OK.
  6. Edit the connector, then click View Entries to view the IP addresses in the feed.

To configure an IP address threat feed in the CLI:
config system external-resource
   edit "AWS_IP_Blocklist"
      set type address
      set resource "https://s3.us-east-2.amazonaws.com/ip-blocklist/ip.txt"
   next
end
To apply an IP address threat feed in a firewall policy:
  1. Go to Policy & Objects > Firewall Policy and create a new policy, or edit an existing one.

  2. Configure the policy fields as required.

  3. In the Destination field, click the + and select AWS_IP_Blocklist from the list (in the IP ADDRESS FEED section).

  4. Set Action to DENY.

  5. Enable Log Allowed Traffic.

  6. Click OK.

Applying an IP address threat feed as an external IP block list in a DNS filter profile

An IP address threat feed can be applied by enabling External IP Block Lists in a DNS filter profile. Any DNS query that passes through the FortiGate and resolves to any of the IP addresses in the threat feed list will be dropped.

To configure the DNS filter profile:
  1. Go to Security Profiles > DNS Filter and create a new profile, or edit an existing one.

  2. Enable External IP Block Lists.
  3. Click the + and select AWS_IP_Blocklist from the list.
  4. Click OK.

To apply the DNS filter profile in a firewall policy:
  1. Go to Policy & Objects > Firewall Policy and create a new policy, or edit an existing one.

  2. Configure the policy fields as required.

  3. Under Security Profiles, enable DNS Filter and select the profile used in the previous procedure.

  4. Enable Log Allowed Traffic.

  5. Click OK.

IP addresses that match the IP address threat feed list will be blocked.

To view the DNS query logs:
  1. Go to Log & Report > DNS Query.

  2. View the log details in the GUI, or download the log file:

    1: date=2023-02-06 time=15:06:50 eventtime=1675724810452621179 tz="-0800" logid="1501054400" type="utm" subtype="dns" eventtype="dns-response" level="warning" vd="root" policyid=0 sessionid=555999 srcip=172.20.120.13 srcport=59602 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" dstip=172.20.120.12 dstport=53 dstcountry="Reserved" dstintf="root" dstintfrole="undefined" proto=17 profile="default" xid=24532 qname="dns.google" qtype="A" qtypeval=1 qclass="IN" ipaddr="208.91.112.55" msg="Domain was blocked because it is in the domain-filter list" action="redirect" domainfilteridx=0 domainfilterlist="AWS_IP_Block_list"