Administration Guide

FortiGuard category threat feed

A FortiGuard category threat feed is a dynamic list of URLs that is periodically updated from an external server. The list is stored as a text file on that server. After the FortiGate imports the list, it becomes available as a category in the Remote Categories group of web filter profiles, where it can be used to allow, block, or monitor URLs matching the category. A category threat feed can also be used on its own, or grouped with other categories, as an exemption within an SSL/SSH profile that performs full SSL inspection.

Multiple custom categories can be defined by creating a FortiGuard Category threat feed for each category.

Text file example:

http://example/com.url
https://example.com/url
http://example.com:8080/url

The file contains one URL per line. See External resources file format for more information about the URL list formatting style.
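The FortiGate fetches and parses the feed file itself, so a malformed line surfaces only as a missing entry in View Entries. As an added example (not Fortinet code), the following Python script checks a URL list before it is published on the external server. The page states only that the file holds one URL per line; the scheme, host, port, whitespace and duplicate rules below are this example's own assumptions about a well-formed entry, and the sample feed is constructed.

```python
"""Validate a URL list before publishing it as a FortiGuard category threat feed.

Added example, not Fortinet code. The page only states that the file holds one
URL per line; the stricter rules here (http/https scheme, non-empty host, valid
port, no embedded whitespace, no duplicates) are this example's assumptions.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample feed: three well-formed lines in the style of the page's
# example, a blank line, and three deliberately malformed entries.
SAMPLE_FEED = """\
http://example.com/url
https://example.com/url
http://example.com:8080/url

ftp://example.com/file
example.com/no-scheme
http://example.com:99999/bad-port
"""


def check_entry(entry: str) -> Optional[str]:
    """Return None if the entry looks usable, otherwise a short reason."""
    if any(ch.isspace() for ch in entry):
        return "contains whitespace"
    parts = urlsplit(entry)
    if parts.scheme not in ("http", "https"):
        return f"unsupported scheme {parts.scheme!r}"
    if not parts.hostname:
        return "missing host"
    try:
        parts.port  # raises ValueError for non-numeric or out-of-range ports
    except ValueError:
        return "invalid port"
    return None


def validate_feed(text: str) -> Tuple[List[str], List[Tuple[int, str, str]]]:
    """Split a feed file into accepted entries and (line_no, line, reason) errors.

    Blank lines are skipped; duplicates are reported so the published list
    stays minimal and reviewable.
    """
    accepted: List[str] = []
    errors: List[Tuple[int, str, str]] = []
    seen = set()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        reason = check_entry(entry)
        if reason is None and entry in seen:
            reason = "duplicate entry"
        if reason is None:
            seen.add(entry)
            accepted.append(entry)
        else:
            errors.append((line_no, entry, reason))
    return accepted, errors


if __name__ == "__main__":
    good, bad = validate_feed(SAMPLE_FEED)
    print(f"{len(good)} entries accepted")
    for line_no, entry, reason in bad:
        print(f"line {line_no}: {entry!r}: {reason}")
```

Run it against the file you are about to place at the resource URI and fix every reported line before the FortiGate's next scheduled refresh; the accepted list is what you should expect to see under View Entries.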

Example configuration

In this example, a list of URLs is imported using the FortiGuard category threat feed. The newly created threat feed is set to block in the web filter profile, and the web filter profile is applied to a firewall policy. Any traffic that passes through the FortiGate and matches the URLs in the threat feed list will be dropped.

To configure a FortiGuard category threat feed in the GUI:
  1. Go to Security Fabric > External Connectors and click Create New.

  2. In the Threat Feeds section, click FortiGuard Category.

  3. Set the Name to Custom-Remote-FGD.

  4. Set the Update method to External Feed.

  5. Set the URI of external resource to https://192.168.10.13/Override_URLs.txt.

  6. Configure the remaining settings as needed, then click OK.

  7. Edit the connector, then click View Entries to view the URL in the feed, which is https://www.facebook.com.

To configure a FortiGuard category threat feed in the CLI:
config system external-resource
    edit "Custom-Remote-FGD"
        set type category
        set category 192
        set resource "https://192.168.10.13/Override_URLs.txt"
        set server-identity-check {none | basic | full}
    next
end
To improve the security of the connection, it is recommended to enable server certificate validation (server-identity-check) in either basic or full mode. By default, it is set to none.

To apply a FortiGuard category threat feed in a web filter profile:
  1. Go to Security Profiles > Web Filter and create a new web filter profile, or edit an existing one.

  2. Enable FortiGuard category based filter.

  3. In the Remote Categories group, set the action for the Custom-Remote-FGD category to Block.

  4. Configure the remaining settings as needed, then click OK.

To apply the web filter profile in a firewall policy:
  1. Go to Policy & Objects > Firewall Policy and create a new policy, or edit an existing one.

  2. Configure the policy fields as required.

  3. Under Security Profiles, enable Web Filter and select the profile used in the previous procedure.

  4. Enable Log Allowed Traffic.

  5. Click OK.

URLs that match the FortiGuard category threat feed list are rated as the category matching the corresponding FortiGuard category threat feed, overriding their original domain rating.

To view the web filter logs:
  1. Go to Log & Report > Security Events and select Web Filter.

  2. View the log details in the GUI, or download the log file:

    1: date=2023-02-06 time=09:31:04 eventtime=1675704664795395841 tz="-0800" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" policyid=1 poluuid="e8b310ba-914f-51ed-9014-7b2a116f29ad" policytype="policy" sessionid=509983 srcip=172.20.120.13 srcport=54645 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" srcuuid="3342cb44-9140-51ed-5dbe-8e0787bedeec" dstip=157.240.3.35 dstport=443 dstcountry="United States" dstintf="port3" dstintfrole="wan" dstuuid="3342cb44-9140-51ed-5dbe-8e0787bedeec" proto=6 httpmethod="GET" service="HTTPS" hostname="www.facebook.com" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763" profile="default" action="blocked" reqtype="referral" url="https://www.facebook.com/" referralurl="https://www.google.com/url?url=https://www.facebook.com/&q=facebook&rct=j&sa=X&source=suggest&ct=res&oi=suggest_nav&usg=AOvVaw3XzIKieZE-CH5KqZaBe775&oq=facebook&gs_l=heirloom-hp..0.5j0i512i433i131i10l3j0i512i433i10l3j0i512i433i131i10l2j0i512i433i10.1716.3397.0.5824.8.8.0.0.0.0.85.609.8.8.0....0...1ac.1.34.heirloom-hp..0.8.608.798UUeJkbN0" sentbyte=527 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" ratemethod="domain" cat=192 catdesc="Custom-Remote-FGD"

Applying a FortiGuard category threat feed in an SSL/SSH profile

A FortiGuard category threat feed can be applied in an SSL/SSH profile where full SSL inspection mode is used. The threat feed category can be selected in the exempt category list. HTTPS requests that match the URLs in the threat feed list will be exempted from SSL deep inspection. This example uses the Custom-Remote-FGD threat feed configured in the previous example.

To configure the SSL/SSH profile:
  1. Go to Security Profiles > SSL/SSH Inspection and create a new profile, or edit an existing one.

  2. Set the Inspection method to Full SSL Inspection.

  3. In the Exempt from SSL Inspection section, locate Web categories. Click the + and add Custom-Remote-FGD in the FORTIGUARD CATEGORY THREAT FEED section.

  4. Enable Log SSL exemptions.

  5. Click OK.

To apply the SSL/SSH inspection profile in a firewall policy:
  1. Go to Policy & Objects > Firewall Policy and create a new policy, or edit an existing one.

  2. Configure the policy fields as required.

  3. Under Security Profiles, set SSL Inspection to the profile used in the previous procedure.

  4. Enable Log Allowed Traffic.

  5. Click OK.

URLs that match the FortiGuard category threat feed list are rated as the FortiGuard category threat feed, overriding their original domain rating.

To view the SSL logs:
  1. Go to Log & Report > Security Events and select SSL.

  2. View the log details in the GUI, or download the log file:

    1: date=2023-02-06 time=11:23:54 eventtime=1675711434094550877 tz="-0800" logid="1701062009" type="utm" subtype="ssl" eventtype="ssl-exempt" level="notice" vd="root" action="exempt" policyid=1 poluuid="e8b310ba-914f-51ed-9014-7b2a116f29ad" policytype="policy" sessionid=531331 service="SSL" profile="custom-deep-inspection" srcip=172.20.120.13 srcport=52805 srccountry="Reserved" dstip=157.240.3.35 dstport=443 dstcountry="United States" srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="wan" srcuuid="3342cb44-9140-51ed-5dbe-8e0787bedeec" dstuuid="3342cb44-9140-51ed-5dbe-8e0787bedeec" proto=17 tlsver="tls1.3" sni="www.facebook.com" cipher="0x1301" authalgo="ecdsa" kxproto="ecdhe" eventsubtype="user-category" cat=192 catdesc="Custom-Remote-FGD" hostname="www.facebook.com" msg="SSL connection is exempted based on user category rating."
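Both the web filter log entry and the SSL log entry above carry cat=192 and catdesc="Custom-Remote-FGD"; those two fields are what tie a block or an exemption back to this threat feed when you audit what the category actually did. As an added example (not Fortinet code), the following Python parses FortiGate key=value log lines, including a value run together with the next key as in the url="..."referralurl="..." pair of the web filter entry, and lists the events attributed to a named threat feed category. The two sample lines are constructed, shortened versions of the entries shown on this page.

```python
"""Pull the events attributed to a FortiGuard category threat feed out of FortiGate logs.

Added example, not Fortinet code. FortiGate logs are space-separated key=value
pairs with double-quoted values; the parser below handles quoted values that
contain spaces or '=' and fields that run together without a separating space.
"""
import re
from typing import Dict, Iterable, List

# Constructed samples: shortened versions of the web filter and SSL log entries
# shown on this page, keeping the fields relevant to the threat feed.
WEBFILTER_LOG = (
    'date=2023-02-06 time=09:31:04 logid="0316013056" type="utm" subtype="webfilter" '
    'eventtype="ftgd_blk" level="warning" policyid=1 srcip=172.20.120.13 '
    'dstip=157.240.3.35 dstport=443 service="HTTPS" hostname="www.facebook.com" '
    'profile="default" action="blocked" url="https://www.facebook.com/"'
    'referralurl="https://www.google.com/url?url=https://www.facebook.com/&q=facebook" '
    'msg="URL belongs to a denied category in policy" ratemethod="domain" '
    'cat=192 catdesc="Custom-Remote-FGD"'
)
SSL_LOG = (
    'date=2023-02-06 time=11:23:54 logid="1701062009" type="utm" subtype="ssl" '
    'eventtype="ssl-exempt" level="notice" action="exempt" policyid=1 '
    'profile="custom-deep-inspection" srcip=172.20.120.13 dstip=157.240.3.35 '
    'dstport=443 tlsver="tls1.3" sni="www.facebook.com" eventsubtype="user-category" '
    'cat=192 catdesc="Custom-Remote-FGD" hostname="www.facebook.com" '
    'msg="SSL connection is exempted based on user category rating."'
)

# key=value where the value is either "quoted text" (may contain spaces and '=')
# or a bare token with no spaces or quotes.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s"]+))')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Return the key=value fields of one FortiGate log line as a dict."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in _FIELD.finditer(line)
    }


def feed_events(lines: Iterable[str], catdesc: str) -> List[Dict[str, str]]:
    """Summarise the log lines whose catdesc matches a threat feed name."""
    events = []
    for line in lines:
        fields = parse_fortigate_log(line)
        if fields.get("catdesc") != catdesc:
            continue
        events.append({
            "subtype": fields.get("subtype", ""),
            "eventtype": fields.get("eventtype", ""),
            "action": fields.get("action", ""),
            "hostname": fields.get("hostname", ""),
            "cat": fields.get("cat", ""),
            "srcip": fields.get("srcip", ""),
        })
    return events


if __name__ == "__main__":
    for ev in feed_events([WEBFILTER_LOG, SSL_LOG], "Custom-Remote-FGD"):
        print(ev)
```

Feed it the downloaded log file one line per call: every event it returns for Custom-Remote-FGD should be either a webfilter block or an ssl-exempt, and any other action against that catdesc is worth a closer look at the policy and profile that produced it.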