Creating a third party blocklist provider workflow
In this example, you will learn how to use your FortiManager to create a third party blocklist provider workflow.
Overview
You must create a script that will handle the entire workflow. Make sure the script can convert the third party blocklist into a FortiManager XML file.
From an external server, you must schedule the periodic execution of that script. Using the communication tools provided by the third party blocklist provider, the script will fetch the blocklist from the third party.
To create a script to handle a third party blocklist provider workflow:
- Convert the blocklist to a FortiManager XML file:
The script will convert the blocklist to a FortiManager XML file. This XML file allows you to assign a category to each URL in the list, in addition to a default category. The default category is used as the return value when there is no match.
Example of the FortiManager XML file format:
<custom_url_list version="1.0">
  <head>
    <default_cate>142</default_cate>
    <description>the description</description>
  </head>
  <body>
    <url_entry>
      <url>http://www.url-0000001.com</url>
      <cate>79</cate>
    </url_entry>
    <url_entry>
      <url>http://www.url-0000001.com</url>
      <cate>28</cate>
    </url_entry>
  </body>
</custom_url_list>
The category value in <cate></cate> can be either a standard FortiGuard web filter category or a local category.
- Upload the XML file into FortiManager:
The script uses SSH to connect to FortiManager and upload the XML file.
CLI command:
execute fmupdate <ftp|scp|tftp> import custom-url <xml filename> <ftp|scp|tftp details>
Example:
# execute fmupdate scp import custom-url 20M-custom-url.xml 000.000.000.000 00 tmp/FORTIGUARD my_login my_password
This operation will replace the current <custom-url> package!
Do you want to continue? (y/n)y
Start getting file from remote SCP Host...
SCP transfer successful.
Packing installation is in process...This could take some time.
lccclient command result:Response=202|
Update successfully
In this example, FortiManager retrieves the file from the following location:
scp://my_login:my_password@000.000.000.000:00/temp/FORTIGUARD/20M-custom-url.xml
- Configure FortiManager to only use its local FortiGuard database or local blocklist database:
- Select one of the following:
  - Local FortiGuard database
  - Local blocklist database
  - Both
config fmupdate custom-url-list
    set db_selection <fortiguard-db|custom-url|both>
end
- Test custom URLs managed by FortiManager:
- Use the CLI in FortiManager to send categorization requests for custom URLs managed by FortiManager.
Example of the CLI command set:
# diagnose fmupdate fgd-url-rating FGT SN 1 www.foo.com
url rating flags: 0x2 (2:EXACT_MATCH, 1:PREFIX_MATCH)
rates according to url: 0x37 0x00 0x00 0x00
rates according to ip: 0x00 0x00 0x00 0x00
num_dots:-1, num_slash:-1
database version: 16.45562
0 ms
The FGT SN argument can be the serial number of any FortiGate.
The returned category is in a hexadecimal output: 0x37.
In decimal format, the category is 56 or Web Hosting.
The memory capacity of the unit determines the number of URLs FortiManager can manage.
- Specify FortiManager as the FortiGuard server in FortiGate
- Go to your FortiGate CLI console and execute the following commands:
config system central-management
    set type fortimanager
    set fmg {<IP_address> | <FQDN_address>}
    config server-list
        edit 1
            set server-type update rating
            set server-address {<IP_address> | <FQDN_address>}
        next
    end
    set include-default-servers disable
end
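As an added example for the conversion step of this workflow (not Fortinet's code), the following Python script turns a constructed "url,category" feed into the custom_url_list XML format shown above, applying the default category where a line carries none. The feed format, the sample URLs, the category numbers and the one-entry-per-URL rule are assumptions made for illustration; a real provider's feed will differ.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample feed (not a real provider's data); one "url,category"
# per line, '#' lines are comments. Category numbers are placeholders.
SAMPLE_FEED = """# url,category
http://www.url-0000001.com,79
http://www.url-0000002.com,
http://www.url-0000001.com,28
http://www.url-0000003.com,abc
"""

def blocklist_to_fmg_xml(feed_text, default_cate, description):
    """Build a <custom_url_list> document from 'url,category' lines.

    Blank and '#' comment lines are skipped. A missing or non-numeric
    category falls back to default_cate. A URL that repeats keeps the
    first category seen (a choice made here: one <url_entry> per URL).
    """
    root = ET.Element("custom_url_list", version="1.0")
    head = ET.SubElement(root, "head")
    ET.SubElement(head, "default_cate").text = str(default_cate)
    ET.SubElement(head, "description").text = description
    body = ET.SubElement(root, "body")
    seen = set()
    for row in csv.reader(io.StringIO(feed_text)):
        if not row or not row[0].strip() or row[0].lstrip().startswith("#"):
            continue
        url = row[0].strip()
        if url in seen:
            continue
        seen.add(url)
        cate = default_cate
        if len(row) > 1 and row[1].strip().isdigit():
            cate = int(row[1])
        entry = ET.SubElement(body, "url_entry")
        ET.SubElement(entry, "url").text = url
        ET.SubElement(entry, "cate").text = str(cate)
    return ET.tostring(root, encoding="unicode")

def parse_entries(xml_text):
    """Read back (url, category) pairs to check a file before uploading it."""
    doc = ET.fromstring(xml_text)
    return [(e.findtext("url"), int(e.findtext("cate")))
            for e in doc.findall("./body/url_entry")]

if __name__ == "__main__":
    print(blocklist_to_fmg_xml(SAMPLE_FEED, 142, "constructed example"))
```

Write the returned string to the file that the scheduled job later uploads with execute fmupdate; parse_entries gives a quick sanity check of the entry count and categories before the upload replaces the current custom-url package.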
For further FortiManager information, refer to the FortiManager Administration Guides available on the Fortinet Document Library.