Configuring a threat feed
A threat feed can be configured on the Security Fabric > External Connectors page. After clicking Create New, there are four threat feed options available: FortiGuard Category, IP Address, Domain Name, and Malware Hash.
This topic includes two example threat feed configurations: a basic threat feed, and a threat feed that uses authentication.
When multi VDOM mode is enabled, threat feed external connectors can be defined in the global VDOM or within a VDOM. See Threat feed connectors per VDOM for example configurations.
Configuring a basic threat feed
The threat feed will periodically fetch entries from the URI using HTTP or HTTPS.
To create a threat feed in the GUI:
- Go to Security Fabric > External Connectors.
- Click Create New.
- In the Threat Feeds section, click on the required feed type.
- Configure the connector settings:
  Name: Enter a name for the threat feed connector.
  URI of external resource: Enter the link to the external resource file. HTTP, HTTPS, and STIX protocols are supported.
  HTTP basic authentication: Enable/disable basic HTTP authentication. When enabled, enter the username and password in the requisite fields. See Configuring threat feed authentication for more information.
  Refresh Rate: The time interval to refresh the external resource, in minutes (1 - 43200, default = 5). The applicable threat feed will be triggered to refresh at a point between 0 minutes and the configured value. When the refresh is triggered, if another task is being processed by the schedule worker, the refresh task will be added to the queue.
  Comments: Optionally, enter a description of the connector.
  Status: Enable/disable the connector.
- Click OK.
To create a threat feed in the CLI:
    config system external-resource
        edit <name>
            set status {enable | disable}
            set type {category | address | domain | malware}
            set category <integer, 192-221>
            set username <string>
            set password <string>
            set comments <string>
            *set resource <resource-uri>
            set user-agent <string>
            set server-identity-check {none | basic | full}
            set refresh-rate <integer>
            set source-ip <ip address>
            set interface-select-method {auto | sdwan | specify}
        next
    end
The parameter marked with an asterisk (*) is mandatory and must be filled in. The category parameter must be set when the type is either category or domain. Other parameters have either default values or are optional.
To improve the security of the connection, it is recommended to enable server certificate validation (server-identity-check) in either basic or full mode.
Configuring threat feed authentication
Threat feed external connectors support username and password authentication.
To enable username and password authentication in a threat feed connector:
- Go to Security Fabric > External Connectors.
- Click Create New, or edit an existing threat feed connector.
- Enable HTTP basic authentication.
- Enter the Username and Password.
- Click OK.
HTTP header
Additional headers can be included in the user-agent field. Use \r\n to separate the headers, for example:
    # set user-agent "Firefox\r\nheader1: test1\r\nheader2: test2"
Sample request:
    HTTP request: http GET /filetypes/test.tar.gz HTTP/1.1
    Host: 172.17.219.10
    User-Agent: Firefox
    header1: test1
    header2: test2
    Accept: */*
    Connection: close
Threat feed external connectors use this functionality to support authentication using an API key. API key authentication can only be configured in the CLI with the set user-agent command. The API key must be appended to the user-agent value in the following format: "user-agent\r\nAPI-Key:SecretAPIkey". API keys are typically used for programmatic access to the resource by an authorized requester. See What Is an API Key in the Fortinet Cyber Glossary for more information.
To enable API key authentication in a threat feed connector:
- Configure the threat feed. See Configuring a basic threat feed.
- Configure the user-agent with an API key:
    config system external-resource
        edit <name>
            set user-agent "Firefox\r\nAPI-Key:abcdef12345"
        next
    end
See Using the AusCERT malicious URL feed with an API key for an example.
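The following is an added example, not FortiOS code, covering both the HTTP header and API key sections above. It previews the request lines a connector would send for a given set user-agent value (laid out like the sample request shown earlier) and checks that an API key lands in its own header line rather than inside the User-Agent text; the feed URI and key values are constructed for illustration.

```python
from urllib.parse import urlsplit

CRLF = "\r\n"


def normalize_user_agent(value):
    """Accept the value either as typed in the CLI (literal backslash-r-n)
    or as a string that already contains real CRLF, and return it with
    real CRLF separators so both forms are previewed the same way."""
    return value.replace("\\r\\n", CRLF)


def build_user_agent(base, extra_headers):
    """Join a base User-Agent with extra 'Name: value' lines using CRLF,
    the separator the user-agent field uses for additional headers."""
    lines = [base] + ["%s: %s" % (name, val) for name, val in extra_headers.items()]
    return CRLF.join(lines)


def render_request(uri, user_agent):
    """Return the request lines the connector would send for `uri`.
    Only the first CRLF segment stays in User-Agent; every later segment
    becomes a header line of its own, as in the documented sample request."""
    parts = urlsplit(uri)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    segments = normalize_user_agent(user_agent).split(CRLF)
    lines = ["GET %s HTTP/1.1" % path, "Host: %s" % parts.netloc,
             "User-Agent: %s" % segments[0]]
    lines.extend(seg for seg in segments[1:] if seg)
    lines.extend(["Accept: */*", "Connection: close"])
    return lines


def extra_headers(user_agent):
    """Parse the header lines embedded after the first CRLF into a dict
    keyed by lower-cased header name; a segment without a colon is ignored."""
    headers = {}
    for seg in normalize_user_agent(user_agent).split(CRLF)[1:]:
        name, sep, val = seg.partition(":")
        if sep:
            headers[name.strip().lower()] = val.strip()
    return headers


def api_key_header(user_agent, header_name="API-Key"):
    """Return the API key the connector would send in `header_name`, or None
    when the value carries no such header line (for example when the key was
    typed after a space inside the User-Agent text instead of after \\r\\n)."""
    return extra_headers(user_agent).get(header_name.lower())
```

Running render_request against the value from the `set user-agent` example reproduces the sample request line for line, so a mismatch between the preview and a 401 from the feed server points at the header format rather than at the key itself.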
Viewing the update history
To review the update history of a threat feed, go to Security Fabric > External Connectors, select a feed, and click Edit. The Last Update field shows the date and time that the feed was last updated.
Click View Entries to view the current entries in the list.