Administration Guide

Domain name threat feed

A domain name threat feed is a dynamic list that contains domains and periodically updates from an external server. The list is stored in a text file format on an external server. After the FortiGate imports this list, it becomes available as a category in the Remote Categories group of DNS filter profiles that can be used to block or monitor domains matching this category. Multiple custom categories can be defined by creating a domain name threat feed for each category.

Text file example:

mail.*.example.com
*-special.example.com
www.*example.com
example.com

The file contains one domain name per line. See External resources file format for more information about the domain list formatting style.
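The following is an added example, not FortiGate code or Fortinet tooling, that loads a feed file in the layout shown above and tests queried names against it. Its wildcard semantics are an assumption made for illustration: entries are one per line, blank lines and `#` comments are skipped, matching is case-insensitive, and `*` stands for any run of characters (dots included). FortiGate's own wildcard handling is described under External resources file format and may differ, so treat this as a way to sanity-check a feed file for malformed entries before publishing it, not as a reproduction of the FortiGate matcher.

```python
"""Load a domain name threat feed file and test names against it.

Added example, not FortiGate code. Assumptions: one entry per line, blank
lines and '#' comments are ignored, matching is case-insensitive, and '*'
matches any run of characters (dots included).
"""
from __future__ import annotations

import re

# Constructed feed content, laid out like the text file example above.
FEED_TEXT = """\
# constructed sample feed (not a real threat list)
mail.*.example.com
*-special.example.com
www.*example.com
example.com
"""

# One DNS label: letters, digits, '-' and '*', with no leading/trailing '-'.
LABEL = re.compile(r"^[a-z0-9*](?:[a-z0-9*-]*[a-z0-9*])?$")


def parse_feed(text: str) -> tuple[list[str], list[str]]:
    """Return (entries, errors): normalised entries plus per-line problems."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip().lower().rstrip(".")
        if not line or line.startswith("#"):
            continue
        if not all(LABEL.match(label) for label in line.split(".")):
            errors.append(f"line {lineno}: invalid entry {raw!r}")
            continue
        entries.append(line)
    return entries, errors


def entry_to_regex(entry: str) -> re.Pattern:
    """Turn a feed entry into an anchored regex; only '*' is a wildcard."""
    parts = (re.escape(p) for p in entry.split("*"))
    return re.compile("^" + ".*".join(parts) + "$")


def match_feed(name: str, entries: list[str]) -> str | None:
    """Return the first feed entry that matches the queried name, or None."""
    name = name.strip().lower().rstrip(".")
    for entry in entries:
        if entry_to_regex(entry).match(name):
            return entry
    return None


if __name__ == "__main__":
    entries, errors = parse_feed(FEED_TEXT)
    print("entries:", entries, "errors:", errors)
    for q in ("mail.eu.example.com", "promo-special.example.com",
              "www.shop.example.com", "example.com", "evil.test"):
        print(f"{q:28} -> {match_feed(q, entries)}")
```

Running a feed through `parse_feed` before uploading it to the external server catches entries that would be silently ignored or mis-parsed, and `match_feed` lets you confirm which names a wildcard entry catches under the stated assumptions.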

Example configuration

In this example, a list of domain names is imported using the domain name threat feed. The newly created threat feed is set to monitor in the DNS filter profile, and the DNS filter profile is applied to a firewall policy. Any traffic that passes through the FortiGate and matches any of the domain names in the threat feed list will be monitored.

To configure a domain name threat feed in the GUI:
  1. Go to Security Fabric > External Connectors and click Create New.
  2. In the Threat Feeds section, click Domain Name.
  3. Set the Name to Domain_monitor_list.
  4. Set the Update method to External Feed.
  5. Set the URL of external resource to https://192.168.10.13/external_domain_list.txt.
  6. Configure the remaining settings as required, then click OK.
  7. Edit the connector, then click View Entries to view the domain names in the feed (fortinet.com and example.com).

To configure a domain name threat feed in the CLI:
config system external-resource
    edit "Domain_monitor_list"
        set type domain
        set category 194
        set resource "http://192.168.10.13/external_domain_list.txt"
        set server-identity-check {none | basic | full}
    next
end
Note

To improve the security of the connection, it is recommended to enable server certificate validation (server-identity-check) either in basic or full mode. By default, it is set to none.

To apply a domain name threat feed in a DNS filter profile:
  1. Go to Security Profiles > DNS Filter and create a new web filter profile, or edit an existing one.
  2. Enable FortiGuard Category Based Filter.
  3. In the Remote Categories group, set the action for the Domain_monitor_list category to Monitor.

  4. Configure the remaining settings as needed, then click OK.

    Note

    Selecting the Allow action for the FortiGuard Category Based Filter does not actually allow the category. It only means that no filter has been applied.

    We recommend avoiding the Allow action for remote categories, as it will not override the original action specified in the FortiGuard Category Based Filter.

    The Monitor and Block actions for remote categories can override the original action specified in the FortiGuard Category Based Filter.

To apply the DNS filter profile in a firewall policy:
  1. Go to Policy & Objects > Firewall Policy and create a new policy, or edit an existing one.

  2. Configure the policy fields as required.

  3. Under Security Profiles, enable DNS Filter and select the profile used in the previous procedure.

  4. Enable Log Allowed Traffic.

  5. Click OK.

Domains that match the domain threat feed list are rated as domain threat feed, overriding their original domain rating. Use the FortiGuard Secure DNS Service to check the original category of a domain name.

To view the DNS query logs:
  1. Go to Log & Report > Security Events and select DNS Query.

  2. View the log details in the GUI, or download the log file:

    1: date=2023-02-03 time=10:44:16 eventtime=1675449856658521042 tz="-0800" logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="root" policyid=0 sessionid=265870 srcip=172.20.120.13 srcport=59662 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" dstip=172.20.120.12 dstport=53 dstcountry="Reserved" dstintf="root" dstintfrole="undefined" proto=17 profile="default" xid=35624 qname="example.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="93.184.216.34" msg="Domain is monitored" action="pass" cat=194 catdesc="Domain_monitor_list"
    2: date=2023-02-03 time=10:44:08 eventtime=1675449848683418535 tz="-0800" logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="root" policyid=0 sessionid=265537 srcip=172.20.120.13 srcport=57434 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" dstip=172.20.120.12 dstport=53 dstcountry="Reserved" dstintf="root" dstintfrole="undefined" proto=17 profile="default" xid=31194 qname="fortinet.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="3.1.92.70, 52.220.222.172" msg="Domain is monitored" action="pass" cat=194 catdesc="Domain_monitor_list"

    Note that fortinet.com, which was originally in the Information Technology category with a default action set to allow in the FortiGuard Category Based Filter, has been overridden by the monitor action of the remote category.
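The following is an added example, not Fortinet tooling, that parses DNS query log lines in the key=value format shown above and pulls out the events rated by a given remote category. The two sample lines are the ones from the log output above, wrapped for readability; the parser assumes that quoted values never contain an escaped double quote. It separates monitored-only hits (action=pass) from blocked ones, which is the list you review before deciding whether to switch the remote category from Monitor to Block.

```python
"""Parse FortiGate DNS filter log lines and summarise remote-category hits.

Added example, not Fortinet tooling. Assumes the key=value log style shown
above, where quoted values may contain spaces or commas but no escaped
double quotes.
"""
from __future__ import annotations

import re

# The two log lines from the text above (wrapped with implicit concatenation).
LOG_LINES = [
    '1: date=2023-02-03 time=10:44:16 eventtime=1675449856658521042 tz="-0800" '
    'logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" '
    'level="notice" vd="root" policyid=0 sessionid=265870 srcip=172.20.120.13 '
    'srcport=59662 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" '
    'dstip=172.20.120.12 dstport=53 dstcountry="Reserved" dstintf="root" '
    'dstintfrole="undefined" proto=17 profile="default" xid=35624 '
    'qname="example.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="93.184.216.34" '
    'msg="Domain is monitored" action="pass" cat=194 catdesc="Domain_monitor_list"',
    '2: date=2023-02-03 time=10:44:08 eventtime=1675449848683418535 tz="-0800" '
    'logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" '
    'level="notice" vd="root" policyid=0 sessionid=265537 srcip=172.20.120.13 '
    'srcport=57434 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" '
    'dstip=172.20.120.12 dstport=53 dstcountry="Reserved" dstintf="root" '
    'dstintfrole="undefined" proto=17 profile="default" xid=31194 '
    'qname="fortinet.com" qtype="A" qtypeval=1 qclass="IN" '
    'ipaddr="3.1.92.70, 52.220.222.172" msg="Domain is monitored" action="pass" '
    'cat=194 catdesc="Domain_monitor_list"',
]

# key=value where value is either "quoted text" or a run of non-blank characters.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line: str) -> dict[str, str]:
    """Return {field: value}, dropping a leading "N: " row index if present."""
    line = re.sub(r"^\s*\d+:\s*", "", line)
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}


def remote_category_hits(lines: list[str], feed_name: str) -> list[dict]:
    """Summarise DNS events rated by the named remote category (threat feed).

    Each hit records the client, the queried name, the resolved addresses,
    the numeric category, and whether the query was only monitored
    (action=pass) rather than blocked.
    """
    hits = []
    for line in lines:
        f = parse_log_line(line)
        if f.get("subtype") != "dns" or f.get("catdesc") != feed_name:
            continue
        hits.append({
            "time": f"{f.get('date')} {f.get('time')}",
            "src": f.get("srcip"),
            "qname": f.get("qname"),
            "ips": [ip.strip() for ip in f.get("ipaddr", "").split(",") if ip.strip()],
            "cat": int(f.get("cat", "0")),
            "monitored_only": f.get("action") == "pass",
        })
    return hits


if __name__ == "__main__":
    for hit in remote_category_hits(LOG_LINES, "Domain_monitor_list"):
        state = "monitored" if hit["monitored_only"] else "blocked"
        print(f"{hit['time']} {hit['src']} -> {hit['qname']} ({state}, cat {hit['cat']}) {hit['ips']}")
```

Because the feed's category number (194 here) and name both appear in every matching event, filtering on `catdesc` is enough to separate feed hits from ordinary FortiGuard ratings; the `ipaddr` field is split on commas so that multi-address responses, like the fortinet.com entry above, yield one address per list element.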