Administration Guide

Configuring a threat feed

A threat feed can be configured on the Security Fabric > External Connectors page. After clicking Create New, there are four threat feed options available: FortiGuard Category, IP Address, Domain Name, and Malware Hash.

This topic includes two example threat feed configurations: a basic threat feed, and a threat feed that authenticates to the feed server with a username and password.

When multi VDOM mode is enabled, threat feed external connectors can be defined in the global VDOM or within a VDOM. See Threat feed connectors per VDOM for example configurations.

Configuring a basic threat feed

The threat feed will periodically fetch entries from the URI using HTTP or HTTPS.

To create a threat feed in the GUI:
  1. Go to Security Fabric > External Connectors.

  2. Click Create New.

  3. In the Threat Feeds section, click on the required feed type.

  4. Configure the connector settings:

    Name

    Enter a name for the threat feed connector.

    URI of external resource

    Enter the link to the external resource file. HTTP, HTTPS, and STIX protocols are supported.

    HTTP basic authentication

    Enable/disable basic HTTP authentication. When enabled, enter the username and password in the requisite fields. See Configuring threat feed authentication for more information.

    Refresh Rate

    The time interval to refresh the external resource, in minutes (1 - 43200, default = 5).

    The refresh of the applicable threat feed is triggered at a point between 0 minutes and the configured value. If the schedule worker is busy with another task when the refresh is triggered, the refresh task is added to the queue and runs when the worker is free.

    Comments

    Optionally, enter a description of the connector.

    Status

    Enable/disable the connector.

  5. Click OK.

To create a threat feed in the CLI:
config system external-resource
    edit <name>
        set status {enable | disable}
        set type {category | address | domain | malware}
        set category <integer, 192-221>
        set username <string>
        set password <string>
        set comments <string>
        *set resource <resource-uri>
        set user-agent <string>
        set server-identity-check {none | basic | full}
        set refresh-rate <integer>
        set source-ip <ip address>
        set interface-select-method {auto | sdwan | specify}
    next
end

The parameter marked with an asterisk (*) is mandatory and must be filled in. The category parameter must be set when the type is either category or domain. Other parameters have either default values or are optional.

To improve the security of the connection, enable server certificate validation (server-identity-check) in either basic or full mode. With none, the FortiGate accepts any certificate, so a host on the path can serve a substitute feed. Basic mode validates the certificate chain; full mode additionally checks that the certificate matches the server name in the URI, which also blocks a redirected or spoofed feed host. Pair this with an https:// resource URI, since validation does nothing for a feed fetched over plain HTTP.
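The CLI block above lists the parameters and their limits; the following script, added here as an example and not Fortinet's code, turns those rules into a pre-flight check. It builds the object the CLI would create, rejects the constraint violations the page names (missing resource, missing category on category/domain feeds, refresh rate outside 1-43200) and, unless explicitly overridden, the two settings that let an on-path attacker tamper with the list (a plain http:// URI and server-identity-check none). The push function assumes the FortiOS REST endpoint /api/v2/cmdb/system/external-resource with bearer-token authentication and the same field names as the CLI; verify that against your FortiOS version before using it. All hostnames, credentials and values are constructed.

```python
"""Build and sanity-check a FortiOS `system external-resource` object.

Added example, not Fortinet's code.  Field names and limits follow the CLI
block on this page; the REST endpoint used by push_external_resource()
(/api/v2/cmdb/system/external-resource, bearer-token auth) is an assumption
to verify against your FortiOS version.
"""
import json
import ssl
import urllib.request
from urllib.parse import urlparse

FEED_TYPES = ("category", "address", "domain", "malware")
IDENTITY_CHECKS = ("none", "basic", "full")


def build_external_resource(name, resource, feed_type, *, category=None,
                            refresh_rate=5, server_identity_check="full",
                            username=None, password=None, status="enable",
                            comments="", user_agent=None, allow_insecure=False):
    """Return the JSON body for one external-resource entry.

    Raises ValueError for the constraints the page states (mandatory resource,
    category 192-221 for category/domain feeds, refresh rate 1-43200) and,
    unless allow_insecure=True, for a plain http:// URI or
    server-identity-check none, both of which let an attacker on the path
    hand the FortiGate a tampered list.
    """
    if not name:
        raise ValueError("name is required")
    if not resource:
        raise ValueError("resource (URI of external resource) is mandatory")
    scheme = urlparse(resource).scheme.lower()
    if scheme not in ("http", "https"):
        # Assumption: STIX/TAXII feeds are still fetched over HTTP(S).
        raise ValueError(f"unsupported URI scheme {scheme!r}")
    if feed_type not in FEED_TYPES:
        raise ValueError(f"type must be one of {FEED_TYPES}")
    if feed_type in ("category", "domain"):
        if category is None or not 192 <= category <= 221:
            raise ValueError("category (192-221) is required for category and domain feeds")
    if not 1 <= refresh_rate <= 43200:
        raise ValueError("refresh-rate must be 1-43200 minutes")
    if server_identity_check not in IDENTITY_CHECKS:
        raise ValueError(f"server-identity-check must be one of {IDENTITY_CHECKS}")
    if (username is None) != (password is None):
        raise ValueError("username and password must be set together")
    if not allow_insecure:
        if scheme != "https":
            raise ValueError("fetch the feed over https; pass allow_insecure=True to override")
        if server_identity_check == "none":
            raise ValueError("server-identity-check none disables certificate validation")

    body = {
        "name": name,
        "status": status,
        "type": feed_type,
        "resource": resource,
        "refresh-rate": refresh_rate,
        "server-identity-check": server_identity_check,
        "comments": comments,
    }
    if feed_type in ("category", "domain"):
        body["category"] = category
    if username is not None:
        body["username"] = username
        body["password"] = password
    if user_agent:
        body["user-agent"] = user_agent
    return body


def push_external_resource(host, api_token, body, ca_file=None):
    """POST the body to the FortiGate REST API (assumed endpoint, see module docstring).

    Returns the HTTP status code.  The TLS context always verifies the
    FortiGate's certificate; pass ca_file for a private CA rather than
    turning verification off.
    """
    context = ssl.create_default_context(cafile=ca_file)
    request = urllib.request.Request(
        f"https://{host}/api/v2/cmdb/system/external-resource",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {api_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(request, context=context, timeout=15) as response:
        return response.status


if __name__ == "__main__":
    # Constructed values; nothing is contacted unless push_external_resource() is called.
    entry = build_external_resource(
        "blocklist-ips", "https://feeds.example.com/blocked-ips.txt", "address",
        refresh_rate=15, username="fortigate", password="change-me",
        comments="Internal IP blocklist")
    print(json.dumps(entry, indent=2))
```

The validator deliberately makes the insecure combination opt-in rather than silently accepted: a feed fetched over HTTP, or over HTTPS without certificate validation, is an unauthenticated input to a firewall policy, and the override flag leaves a visible trace in the code that created the object.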

Configuring threat feed authentication

Threat feed external connectors support username and password authentication.

To enable username and password authentication in a threat feed connector:
  1. Go to Security Fabric > External Connectors.

  2. Click Create New, or edit an existing threat feed connector.

  3. Enable HTTP basic authentication.

  4. Enter the Username and Password.

    The credentials are stored in the connector configuration and sent with every refresh request. Basic authentication only encodes the credentials, it does not encrypt them, so use it with an https:// URI and server certificate validation; over plain HTTP anyone on the path can read the password and substitute the feed contents.

  5. Click OK.
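The exchange described in this procedure, shown from both sides as an added example that is not part of Fortinet's documentation or code: a small feed endpoint that demands HTTP basic authentication, and a fetcher that behaves like the connector (optional credentials, a configurable User-Agent). The credentials, feed entries and User-Agent string are constructed; the server runs on loopback over plain HTTP so the demo works offline, which a real deployment must not do (see the caveat above). The parser assumes the common plain-text feed layout of one entry per line with `#` comment lines.

```python
"""A basic-auth-protected feed endpoint plus a connector-style fetcher.

Added example, not Fortinet's code.  Credentials, feed body and User-Agent
are constructed for the demo; loopback HTTP is used only so it runs offline.
"""
import base64
import hmac
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

FEED_USER = "fortigate"            # constructed demo credential
FEED_PASSWORD = "s3cret-feed-pw"   # constructed demo credential
FEED_BODY = (
    "# constructed sample IP address feed, one entry per line\n"
    "203.0.113.10\n"
    "198.51.100.0/24\n"
)


class FeedHandler(BaseHTTPRequestHandler):
    """Serves FEED_BODY only to requests carrying the expected Basic credentials."""

    def do_GET(self):
        if not self._authorised():
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="threat-feed"')
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        payload = FEED_BODY.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def _authorised(self):
        header = self.headers.get("Authorization", "")
        if not header.startswith("Basic "):
            return False
        try:
            supplied = base64.b64decode(header[len("Basic "):], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return False
        expected = f"{FEED_USER}:{FEED_PASSWORD}".encode()
        # Constant-time comparison so user and password cannot be guessed by timing.
        return hmac.compare_digest(supplied, expected)

    def log_message(self, format, *args):  # keep the demo quiet
        pass


def start_feed_server():
    """Start the server on an ephemeral loopback port; call .shutdown() when done."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), FeedHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_feed(url, username=None, password=None, user_agent="FortiGate-feed-demo/1.0"):
    """Fetch a feed the way the connector does: optional basic auth, custom User-Agent.

    Returns (status_code, body_text); the body is empty on an error status.
    """
    request = urllib.request.Request(url, headers={"User-Agent": user_agent})
    if username is not None:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        request.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(request, timeout=5) as response:
            return response.status, response.read().decode()
    except urllib.error.HTTPError as error:
        return error.code, ""


def parse_feed(text):
    """Return the non-empty, non-comment lines: the entries the FortiGate would load."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.append(line)
    return entries


if __name__ == "__main__":
    server = start_feed_server()
    url = f"http://127.0.0.1:{server.server_address[1]}/blocked-ips.txt"
    print("no credentials:", fetch_feed(url)[0])            # 401
    status, body = fetch_feed(url, FEED_USER, FEED_PASSWORD)
    print("with credentials:", status, parse_feed(body))     # 200
    server.shutdown()
```

Two details carry over to a production feed server: the 401 is returned before any feed data is written, so an unauthenticated client learns nothing about the list, and the credential comparison is constant-time over the whole `user:password` string rather than checking the username first.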

Viewing the update history

To review the update history of a threat feed, go to Security Fabric > External Connectors, select a feed, and click Edit. The Last Update field shows the date and time that the feed was last updated.

Click View Entries to view the current entries in the list.
