Configuring a threat feed
A threat feed can be configured on the Security Fabric > External Connectors page. After clicking Create New, there are four threat feed options available: FortiGuard Category, IP Address, Domain Name, and Malware Hash.
This topic includes two example threat feed configurations:
When multi VDOM mode is enabled, threat feed external connectors can be defined in the global VDOM or within a VDOM. See Threat feed connectors per VDOM for example configurations. |
Configuring a basic threat feed
The threat feed will periodically fetch entries from the URI using HTTP or HTTPS.
To create a threat feed in the GUI:
-
Go to Security Fabric > External Connectors.
-
Click Create New.
-
In the Threat Feeds section, click on the required feed type.
-
Configure the connector settings:
Name
Enter a name for the threat feed connector.
URI of external resource
Enter the link to the external resource file. HTTP, HTTPS, and STIX protocols are supported.
HTTP basic authentication
Enable/disable basic HTTP authentication. When enabled, enter the username and password in the requisite fields. See Configuring threat feed authentication for more information.
Refresh Rate
The time interval to refresh the external resource, in minutes (1 - 43200, default = 5).
The applicable threat feed will be triggered to refresh between 0 minutes and the configured value. When the refresh is triggered, if another task is being processed be the schedule worker, the refresh task will be added to the queue.
Comments
Optionally, enter a description of the connector.
Status
Enable/disable the connector.
-
Click OK.
To create a threat feed in the CLI:
config system external-resource edit <name> set status {enable | disable} set type {category | address | domain | malware} set category <integer, 192-221> set username <string> set password <string> set comments <string> *set resource <resource-uri> set user-agent <string> set server-identity-check {none | basic | full} set refresh-rate <integer> set source-ip <ip address> set interface-select-method {auto | sdwan | specify} next end
The parameter marked with an asterisk (*) is mandatory and must be filled in. The category
parameter must be set when the type
is either category
or domain
. Other parameters have either default values or are optional.
To improve the security of the connection, it is recommended to enable server certificate validation (server-identity-check
) either in basic or full mode.
Configuring threat feed authentication
Threat feed external connectors support username and password authentication.
To enable username and password authentication in a threat feed connector:
-
Go to Security Fabric > External Connectors.
-
Click Create New, or edit an existing threat feed connector.
-
Enable HTTP basic authentication
-
Enter the Username and Password.
-
Click OK.
Viewing the update history
To review the update history of a threat feed, go to Security Fabric > External Connectors, select a feed, and click Edit. The Last Update field shows the date and time that the feed was last updated.
Click View Entries to view the current entries in the list.