Administration Guide

Configuring a threat feed

A threat feed can be configured on the Security Fabric > External Connectors page. After clicking Create New, there are four threat feed options available: FortiGuard Category, IP Address, Domain Name, and Malware Hash.

This topic includes two example threat feed configurations:

When multi VDOM mode is enabled, threat feed external connectors can be defined in the global VDOM or within a VDOM. See Threat feed connectors per VDOM for example configurations.

Configuring a basic threat feed

The threat feed will periodically fetch entries from the URI using HTTP or HTTPS.

To create a threat feed in the GUI:
  1. Go to Security Fabric > External Connectors.

  2. Click Create New.

  3. In the Threat Feeds section, click on the required feed type.

  4. Configure the connector settings:

    Name

    Enter a name for the threat feed connector.

    URI of external resource

    Enter the link to the external resource file. HTTP, HTTPS, and STIX protocols are supported.

    HTTP basic authentication

    Enable/disable basic HTTP authentication. When enabled, enter the username and password in the requisite fields. See Configuring threat feed authentication for more information.

    Refresh Rate

    The time interval to refresh the external resource, in minutes (1 - 43200, default = 5).

    The threat feed is triggered to refresh at some point between 0 minutes and the configured value. When the refresh is triggered, if the schedule worker is busy processing another task, the refresh task is added to the queue.

    Comments

    Optionally, enter a description of the connector.

    Status

    Enable/disable the connector.

  5. Click OK.

To create a threat feed in the CLI:
config system external-resource
    edit <name>
        set status {enable | disable}
        set type {category | address | domain | malware}
        set category <integer, 192-221>
        set username <string>
        set password <string>
        set comments <string>
        *set resource <resource-uri>
        set user-agent <string>
        set server-identity-check {none | basic | full}
        set refresh-rate <integer>
        set source-ip <ip address>
        set interface-select-method {auto | sdwan | specify}
    next
end

The parameter marked with an asterisk (*) is mandatory and must be filled in. The category parameter must be set when the type is either category or domain. Other parameters have either default values or are optional.

To improve the security of the connection, enable server certificate validation (server-identity-check) in either basic or full mode; with none, the FortiGate accepts whatever certificate the feed server presents, so the feed contents can be substituted in transit. Use an https:// URI for the resource as well, because basic authentication credentials and API keys carried in headers are sent in cleartext over http://.
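As an added example (not part of the Fortinet guide), the following Python helper assembles a config system external-resource entry and checks it against the rules stated above before it is pasted into the CLI: resource is mandatory, category (192-221) is required when the type is category or domain, and refresh-rate is 1-43200 minutes. It also rejects the two weak combinations a reviewer would flag, a plain http:// URI that carries credentials or an API key, and server-identity-check none. The CLI string quoting, the dataclass and the feed URI and key values are this example's own assumptions.

```python
"""Added example, not from the Fortinet guide: assemble and sanity-check a
`config system external-resource` entry before pasting it into the CLI.

The rules checked are the ones the guide states (resource mandatory; category
192-221 required for type category or domain; refresh-rate 1-43200 minutes).
The two security checks (plain http:// with credentials, server-identity-check
none) are this example's own recommendations. The \\r\\n rendering of extra
headers follows the guide's user-agent format; CLI quoting is assumed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ExternalResource:
    name: str
    resource: str                               # mandatory feed URI
    type: str = "address"                       # category | address | domain | malware
    category: Optional[int] = None              # required for category and domain
    refresh_rate: int = 5                       # minutes, 1-43200
    status: str = "enable"
    username: Optional[str] = None              # HTTP basic authentication
    password: Optional[str] = None
    user_agent: str = "Firefox"
    extra_headers: dict = field(default_factory=dict)   # e.g. {"API-Key": "..."}
    server_identity_check: str = "full"         # none | basic | full
    comments: Optional[str] = None


def validate(r: ExternalResource) -> list:
    """Return the problems found; an empty list means the entry is acceptable."""
    problems = []
    if not r.resource:
        problems.append("resource is mandatory")
    if r.type not in ("category", "address", "domain", "malware"):
        problems.append(f"unknown type {r.type!r}")
    if r.type in ("category", "domain"):
        if r.category is None:
            problems.append(f"category must be set when type is {r.type}")
        elif not 192 <= r.category <= 221:
            problems.append("category must be in the range 192-221")
    if not 1 <= r.refresh_rate <= 43200:
        problems.append("refresh-rate must be 1-43200 minutes")
    if r.server_identity_check not in ("none", "basic", "full"):
        problems.append("server-identity-check must be none, basic or full")
    if (r.username is None) != (r.password is None):
        problems.append("username and password must be set together")

    scheme = r.resource.split(":", 1)[0].lower()
    carries_secret = r.username is not None or bool(r.extra_headers)
    if scheme == "http" and carries_secret:
        problems.append("credentials or API key would travel in cleartext over http://; use https://")
    if scheme == "https" and r.server_identity_check == "none":
        problems.append("server-identity-check none accepts any certificate; use basic or full")
    return problems


def user_agent_field(r: ExternalResource) -> str:
    """CLI user-agent value: the User-Agent string, then one extra header per
    literal \\r\\n separator, as in the guide's API-Key example."""
    parts = [r.user_agent] + [f"{k}:{v}" for k, v in r.extra_headers.items()]
    return "\\r\\n".join(parts)


def render(r: ExternalResource) -> str:
    """Render the CLI block; raises ValueError if validate() found problems."""
    problems = validate(r)
    if problems:
        raise ValueError("; ".join(problems))
    q = lambda s: '"' + s.replace('"', '\\"') + '"'     # assumed CLI quoting
    lines = ["config system external-resource", f"    edit {q(r.name)}",
             f"        set status {r.status}", f"        set type {r.type}"]
    if r.type in ("category", "domain"):
        lines.append(f"        set category {r.category}")
    if r.username is not None:
        lines += [f"        set username {q(r.username)}",
                  f"        set password {q(r.password)}"]
    if r.comments:
        lines.append(f"        set comments {q(r.comments)}")
    lines += [f"        set resource {q(r.resource)}",
              f"        set user-agent {q(user_agent_field(r))}",
              f"        set server-identity-check {r.server_identity_check}",
              f"        set refresh-rate {r.refresh_rate}",
              "    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed values: a hypothetical HTTPS feed protected by an API key.
    feed = ExternalResource(name="blocklist-ips",
                            resource="https://feeds.example.net/ips.txt",
                            extra_headers={"API-Key": "abcdef12345"})
    print(render(feed))
```

render() refuses to emit a block that fails validation, so a connector with a plain http:// resource and an API key never reaches the device; run the script and paste its output into the FortiGate CLI.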

Configuring threat feed authentication

Threat feed external connectors support username and password authentication.

To enable username and password authentication in a threat feed connector:
  1. Go to Security Fabric > External Connectors.

  2. Click Create New, or edit an existing threat feed connector.

  3. Enable HTTP basic authentication.

  4. Enter the Username and Password.

    Username and password authentication is enabled through connector settings.

  5. Click OK.

HTTP header

Additional HTTP headers can be included in the user-agent field. Use \r\n to separate the headers, for example:

# set user-agent "Firefox\r\nheader1: test1\r\nheader2: test2"

Sample request:

    GET /filetypes/test.tar.gz HTTP/1.1
    Host: 172.17.219.10
    User-Agent: Firefox
    header1: test1
    header2: test2
    Accept: */*
    Connection: close

Threat feed external connectors use this functionality to support authentication using an API key. API key authentication can only be configured in the CLI with the set user-agent command. The API key must be appended to the user-agent string in the following format: “user-agent\r\nAPI-Key:SecretAPIkey”, so that the device sends the key as an API-Key header on every fetch. API keys are typically used for programmatic access to the resource by an authorized requester. See What Is an API Key in the Fortinet Cyber Glossary for more information.

To enable API key authentication in a threat feed connector:
  1. Configure the threat feed. See Configuring a basic threat feed.

  2. Configure the user-agent with an API key:

    config system external-resource
        edit <name>
            set user-agent "Firefox\r\nAPI-Key:abcdef12345"
        next
    end

See Using the AusCERT malicious URL feed with an API key for an example.
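The following Python model is an added example, not part of the Fortinet guide, covering both the HTTP header section and the API key procedure above. request_headers() reproduces what the sample request shows: the user-agent value is split on CR LF, the first piece becomes the User-Agent header and each following piece is sent as its own header, with an Authorization header added when basic authentication is enabled. check_auth() is the feed server's side (this example's logic, not FortiOS): it accepts either a valid API-Key header or valid basic credentials, comparing secrets in constant time. The host, path, user and key values are constructed.

```python
"""Added example, not from the Fortinet guide: what the threat feed request
looks like on the wire, and how the feed server should verify it.

request_headers() models the behaviour the guide's sample request shows;
check_auth() is the server-side check this example proposes. Hosts, paths
and credentials below are constructed for illustration.
"""
import base64
import hmac
from typing import Optional


def request_headers(user_agent_setting: str, host: str,
                    username: Optional[str] = None,
                    password: Optional[str] = None) -> list:
    """Headers the connector would send. user_agent_setting is the value after
    the CLI has turned the typed \\r\\n into a real CR LF pair."""
    pieces = user_agent_setting.split("\r\n")
    headers = [("Host", host), ("User-Agent", pieces[0])]
    for extra in pieces[1:]:                    # "API-Key:abc" or "header1: test1"
        name, _, value = extra.partition(":")
        headers.append((name.strip(), value.strip()))
    if username is not None:                    # HTTP basic authentication
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        headers.append(("Authorization", f"Basic {token}"))
    headers += [("Accept", "*/*"), ("Connection", "close")]
    return headers


def render_request(path: str, headers: list) -> str:
    """Serialize the request the way it appears on the wire."""
    lines = [f"GET {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


def check_auth(headers: list, *, api_keys: set, users: dict) -> bool:
    """Feed-server side: accept a valid API-Key header, or else valid basic
    credentials. Secrets are compared with hmac.compare_digest so a wrong
    key fails in constant time regardless of where it first differs."""
    hdr = {k.lower(): v for k, v in headers}
    key = hdr.get("api-key")
    if key is not None:
        return any(hmac.compare_digest(key, k) for k in api_keys)
    scheme, _, token = hdr.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        user, _, pw = base64.b64decode(token).decode().partition(":")
    except ValueError:                          # bad base64 or bad UTF-8
        return False
    expected = users.get(user)
    return expected is not None and hmac.compare_digest(pw, expected)


if __name__ == "__main__":
    # Constructed: the guide's header example, then an API-Key fetch.
    print(render_request("/filetypes/test.tar.gz",
                         request_headers("Firefox\r\nheader1: test1\r\nheader2: test2",
                                         "172.17.219.10")))
    api = request_headers("Firefox\r\nAPI-Key:abcdef12345", "feeds.example.net")
    print("accepted:", check_auth(api, api_keys={"abcdef12345"}, users={}))
```

Because the API-Key header and the Authorization header are both sent on every refresh, the check_auth() check is only meaningful when the resource URI is https:// and server-identity-check is basic or full; over http:// anyone on the path can read the key.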

Viewing the update history

To review the update history of a threat feed, go to Security Fabric > External Connectors, select a feed, and click Edit. The Last Update field shows the date and time that the feed was last updated.

Click View Entries to view the current entries in the list.