
Administration Guide

Threat feeds

FortiProxy can dynamically import external threat intelligence lists from an HTTP/HTTPS server as plain text files. Once imported, these threat feeds can be used to enforce specific security policies, such as long-term policies to always allow or block access to certain websites, or short-term requirements to dynamically block access to known compromised locations as threat intelligence updates. Threat feeds are regularly synchronized with the external server. Any changes on the remote server will be imported into FortiProxy based on the configured update interval.

Note

If FortiProxy loses connectivity with the external server, the threat feed continues to function with its last imported entries, even after a Connection Status error or a reboot. However, the threat feed will not be updated and no new entries will be added until the connection is restored.

FortiProxy supports the following types of threat feeds:

FortiGuard Category

Dynamically imports a text file from an external server, which contains one URL per line. See FortiGuard category threat feed for more information.

IP Address

Dynamically imports a text file from an external server, which contains one IP/IP range/subnet per line. See IP address threat feed for more information.

Domain Name

Dynamically imports a text file from an external server, which contains one domain per line. Simple wildcards are supported. See Domain name threat feed for more information.

Malware Hash

Dynamically imports a text file from an external server, which contains one hash per line (MD5, SHA1, or SHA256) in the format <hex hash> [optional hash description]. See Malware hash threat feed for more information.

URL List

Dynamically imports a text file containing one URL per line, supporting wildcards. See URL list threat feed for details.

Note

FortiProxy does not support STIX/TAXII format feeds, MAC address feeds, or EMS-integrated feeds.

FortiManager can host threat feeds. See External resources in the FortiManager Administration Guide.

External resources file format

All HTTP/HTTPS external resources files must meet the following format requirements:

  • The file is in plain text format with each entry on its own line.

    Comments can be added by using the number sign, for example: # This is a test.

  • The file size and the number of entries are subject to device model limitations. See External resource entry limit.

  • The external resources update period can be set to 1 minute, hourly, daily, weekly, or monthly (43200 min, 30 days).

  • The external resources types "FortiGuard Category" and "Domain Name" share the category number range 192 to 221 (total of 30 categories).

  • No duplicate entry validation is performed. Duplicate entries will appear multiple times.

  • If the number of entries exceeds the limit, a warning is displayed. Additional entries beyond the threshold will not be loaded.

The following table lists format guidelines specific to each threat feed type:

Threat feed type

Format requirements

FortiGuard Category / URL List (type = category)
  • Each line contains a single URL entry.

  • The scheme is optional, and will be truncated if found; https:// and http:// are not required.

  • Wildcards are allowed at the beginning or end of the URL, for example: *.domain.com or domain.com.*.

  • IDN and UTF-encoded URLs are supported.

  • The URL can be an IPv4 or IPv6 address. An IPv6 URL must be in [ ] format.

IP Address (type = address)
  • Each line can contain a single IP address, IP subnet, or IP range.

  • The IP address can be a single IP address, subnet address, or address range.

    For example, 192.168.1.1, 192.168.10.0/24, or 192.168.100.1-192.168.100.254.

  • The address can be an IPv4 or IPv6 address. An IPv6 address does not need to be in [ ] format.

Domain Name (type = domain)
  • Each line contains a single domain name.

  • Simple wildcards are allowed in the domain name list, for example: *.test.com.

  • IDN (international domain name) is supported.

Malware Hash (type = malware) Each malware hash signature entry must be on its own line. Each line can contain one MD5, SHA1, or SHA256 hash, with an optional description separated from the hash by spaces. Valid examples:
# MD5 Entry with hash description
aa67243f746e5d76f68ec809355ec234  md5_sample1

# SHA1 Entry with hash description
a57983cb39e25ab80d7d3dc05695dd0ee0e49766  sha1_sample2

# SHA256 Entry with hash description
ae9bc0b4c5639d977d720e4271da06b50f7c60d1e2070e9c75cc59ab30e49379  sha256_sample1

# Entry without hash description
0289b0d967cb7b1fb1451339c7b9818a621903090e0020366ab415c549212521

# Invalid entries
7688499dc71b932feb126347289c0b8a_md5_sample2
7614e98badca10b5e2d08f8664c519b7a906fbd5180ea5d04a82fce9796a4b87sha256_sample3

External resource entry limit

The number of entries is globally limited to 200,000 and the file size is globally limited to 16 MB for all external resource entries. If Virtual Domains (VDOMs) are enabled, global entries are counted first, followed by VDOM entries in alphabetical order of VDOM names.

When the maximum number of entries is exceeded, the most recently considered entries are truncated unless you manually reorder the entries using the move CLI command. For example:

config system external-resource
    move "entry2" before "entry1"
end
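As an added example (not Fortinet code), the following validator applies the file-format rules and the entry limit described above to a feed file before it is published on the HTTP/HTTPS server: it skips # comments, accepts hashes only as 32/40/64 hex characters with an optional description, accepts IP entries as a single address, subnet or start-end range, and warns on the 200,000-entry and 16 MB limits and on duplicates, which the device itself does not detect. The sample feed is constructed from the page's own hash examples; feed types other than malware and address are not handled.

```python
"""Validator for a FortiProxy external-resource feed file (added example, not
Fortinet code): '#' comments, one entry per line, malware hashes as 32/40/64
hex chars with optional description, IP address/subnet/range entries, limits."""
import ipaddress
import re
MAX_ENTRIES = 200_000          # global entry limit stated in the guide
MAX_BYTES = 16 * 1024 * 1024   # global file-size limit stated in the guide
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
# Constructed sample feed using the page's own malware-hash examples (2 invalid).
SAMPLE_MALWARE = """# MD5 Entry with hash description
aa67243f746e5d76f68ec809355ec234  md5_sample1
0289b0d967cb7b1fb1451339c7b9818a621903090e0020366ab415c549212521
7688499dc71b932feb126347289c0b8a_md5_sample2
7614e98badca10b5e2d08f8664c519b7a906fbd5180ea5d04a82fce9796a4b87sha256_sample3
"""

def parse_malware_line(line):
    """Return (algorithm, lowercase hash, description) or None if invalid."""
    digest, *desc = line.split()       # description is whatever follows the hash
    if len(digest) not in HASH_ALGOS or not HEX_RE.match(digest):
        return None
    return HASH_ALGOS[len(digest)], digest.lower(), " ".join(desc)

def parse_address_line(line):
    """Return a normalized address, subnet or range string, or None if invalid."""
    try:
        if "-" not in line:            # single host or subnet, IPv4 or IPv6
            return str(ipaddress.ip_network(line, strict=False))
        start, end = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
        ok = start.version == end.version and start <= end
        return f"{start}-{end}" if ok else None
    except ValueError:
        return None

def validate_feed(text, feed_type):
    """Return (valid_entries, invalid_lines, warnings) for one feed file."""
    parser = {"malware": parse_malware_line, "address": parse_address_line}[feed_type]
    valid, invalid = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                   # blank lines and '#' comments are skipped
        parsed = parser(line)
        (valid if parsed is not None else invalid).append((lineno, parsed or raw))
    checks = [(len(text.encode()) > MAX_BYTES, "file exceeds the 16 MB global size limit"),
              (len(valid) > MAX_ENTRIES, f"{len(valid)} entries exceed the {MAX_ENTRIES} limit"),
              (len({v for _, v in valid}) != len(valid), "duplicates present; no dedup is done")]
    return valid, invalid, [msg for cond, msg in checks if cond]
```

Running validate_feed(SAMPLE_MALWARE, "malware") reports two valid entries and the two malformed lines from the page, so the file can be corrected before FortiProxy fetches it.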
