
CLI Reference

system threat-feed

Use this command to configure threat feeds.

Threat feeds are plain text files that contain a list of security threats. Threat feeds can be hosted on FortiClient EMS, third-party servers, or your own HTTP/HTTPS web server. In this way, FortiMail units can use security information from many vendors, security communities, and specialist teams in your own organization. Once FortiMail is connected to threat feeds, you can select them when you configure security features such as antivirus file signatures and antispam IP reputation and URL filters.

FortiMail periodically synchronizes with threat feeds and automatically imports changes.

Note: If the threat feed's web server becomes unreachable and there is a connection status error, FortiMail continues to use its existing local cache of the threat feed, even across a reboot. To receive threat feed updates again, you must re-establish network connectivity.

Syntax

config system threat-feed
    edit <profile_name>
        [set comment <comment_str>]
        set status {enable | disable}
        set type {ip-address | malware-hash | url-category}
        set resource-url <feed_url>
        set server-identity-check {basic | full | none}
        set username <user_str>
        set password <password_str>
        [set update-method {pull}]
        set update-interval <minutes_int>
    next
end

Variables (with description and default value)

<profile_name>
    Enter the name of the profile.
    Default: none

comment <comment_str>
    Optional description of the local category.
    Default: none

password <password_str>
    If the server requires authentication, enter the password that FortiMail will use to connect.
    Default: none

resource-url <feed_url>
    Enter the URI of the threat feed.
    FortiMail also supports the OASIS STIX/TAXII format. To use the TAXII protocol, use the stix:// prefix instead of https://.
    Default: none

server-identity-check {basic | full | none}
    Select the level of server certificate validation strictness, either:
      • none — No certificate validation.
      • basic — Validate the server certificate. It must not be revoked or expired, and must be signed by a trusted CA. See also system certificate ca.
      • full — In addition to the validation requirements in basic, the domain name in resource-url <feed_url> must match the common name (CN) field in the server certificate.
    Note: To harden security, select full.
    Default: none

status {enable | disable}
    Enable or disable the threat feed.
    Default: enable

type {ip-address | malware-hash | url-category}
    Select the type of threat feed, either:
      • ip-address — IPv4 or IPv6 addresses.
      • malware-hash — MD5, SHA1, or SHA256 file checksums.
      • url-category — URIs such as https://example.com:4443/url/*
    For details on the types and their required file format, see the FortiMail Administration Guide.
    Default: ip-address

update-interval <minutes_int>
    Enter the frequency in minutes of synchronization with the threat feed. Default value is 30 minutes. Valid range is from 1 to 43200 minutes (30 days).
    Default: 30

update-method {pull}
    Currently, only the pull method of threat feed synchronization is supported.
    Default: pull

username <user_str>
    If the server requires authentication, enter the username that FortiMail will use to connect.
    Default: none
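The following is an added worked example of the command above; it is not taken from the Fortinet documentation. It configures two feeds: an authenticated malware-hash feed hosted on an internal EMS server over HTTPS, and an unauthenticated IP-address feed consumed over TAXII using the stix:// prefix. The profile names, hostnames, paths, account name and intervals are hypothetical, the password is a placeholder to be replaced, and the double-quoted string values follow the usual Fortinet CLI quoting convention (an assumption for FortiMail).

```text
config system threat-feed
    edit "ems-malware-hashes"
        set comment "SHA256 checksums published by the internal EMS server"
        set status enable
        set type malware-hash
        set resource-url "https://ems.example.internal/feeds/malware-hashes.txt"
        set server-identity-check full
        set username "fortimail-feed-reader"
        set password "<replace-with-feed-password>"
        set update-interval 30
    next
    edit "partner-ip-reputation"
        set status enable
        set type ip-address
        set resource-url "stix://taxii.partner.example/feeds/block-ips"
        set server-identity-check full
        set update-interval 60
    next
end
```

Both entries use server-identity-check full rather than the default none. With none, any host that can answer for the feed URL (or sit between FortiMail and the server) can supply its own list, and because the feed contents are later selected in antivirus file signature and antispam profiles, a substituted feed directly alters what FortiMail blocks or allows. basic only proves the certificate chains to a trusted CA; full additionally ties the certificate to the hostname in resource-url, which is the check that defeats a valid-but-wrong certificate. The update-interval values stay within the documented 1 to 43200 minute range; a shorter interval shortens the window in which a cached copy is stale, at the cost of more fetches.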

Related topics

file signature

profile antispam

system webfilter customized-category
