Fortinet white logo
Fortinet white logo

Administration Guide

External Connectors

External Connectors

You can use external connectors to connect your FortiProxy unit to public and private cloud solutions. By using an external connector, you can ensure that changes to cloud environment attributes are automatically updated in the Security Fabric. You can use external connector address objects to create policies that provide dynamic access control based on cloud environment attribute changes. There is no need to manually reconfigure addresses and policies whenever changes to the cloud environment occur.

There are four steps to creating and using an external connector:

  1. Gather the required information. The required information depends on which public or private cloud solution SDN connector you are configuring.

  2. Create the external connector.

  3. Create an external connector address.

  4. Add the address to a firewall policy.

The following provides general instructions for creating an external connector and using the dynamic address object in a firewall policy.

To create an SDN connector in the GUI:
  1. Go to Security Fabric > External Connectors.

  2. Click Create New.

  3. Click the desired public or private cloud.

  4. Enter the Name, Status, and Update interval for the connector.

  5. Enter the previously collected information for the connector as needed.

  6. Click OK.

To create an SDN connector in the CLI:
config system sdn-connector
    edit <name>
        set status {enable | disable}
        set type {connector type}
        ...
        set update-interval <integer>
    next
end

The available CLI commands vary depending on the selected SDN connector type.

External threat feeds

Threat feeds dynamically import an external block list from an HTTP server in the form of a plain text file, or from a STIX/TAXII server. Block lists can be used to enforce special security requirements, such as long term policies to always block access to certain websites, or short term requirements to block access to known compromised locations. The lists are dynamically imported, so that any changes are immediately imported by FortiProxy.

FortiProxy can also download external threat feeds as a downstream-proxy in an isolated environment, where the upstream-proxy only has internet access. All SWG functions, including SSL deep-inspection, are performed by the downstream proxy. FDS updates and management is done on the FortiManager.

You can define 511 thread feed entries using either the GUI or CLI.

To configure an external threat feed connector in the GUI:
  1. Go to Security Fabric > External Connectors and click Create New.

  2. In the Threat Feeds section, click one of the icons.

  3. Configure the settings as needed.

  4. Click OK.

To configure an external threat feed connector in the CLI:
config system external-resource
    edit <name>
        set status {enable | disable}
        set type {category | address | domain | malware | url}
        set category <integer>
        set username <string>
        set password <string>
        set comments <string>
        set resource <uri>
        set user-agent <string>
        set refresh-rate <integer>
        set source-ip <ip_address>
        set interface-select-method {auto | sdwan | specify}
        set interface <interface>
        set proxy <proxy_server> 
        set proxy-port <port>
        set proxy-username <username>
        set proxy-password <password>
        set server-identity-check {none | basic | full}
    next
end

status {enable | disable}

Enable/disable the user resource.

type {category | address | domain | malware | url}

User resource type:

  • category: FortiGuard category

  • address: Firewall IP address

  • domain: Domain name

  • malware: Malware hash

  • url: URL List

category <integer>

User resource category. This option is only available when type is category or domain.

username <string>

HTTP basic authentication user name.

password <string>

HTTP basic authentication password.

comments <string>

Comments.

*resource <uri>

URI of the external resource. Leading and tail strings are automatically removed.

user-agent <string>

HTTP User-Agent header (default = 'curl/7.58.0').

*refresh-rate <integer>

Time interval to refresh external resource, in minutes (1 - 43200, default = 5).

source-ip <ip_address>

Source IPv4 address used to communicate with server.

interface-select-method {auto | sdwan | specify}

Specify how to select outgoing interface to reach server:

  • auto: Set the outgoing interface automatically

  • sdwan: Set the outgoing interface by SD-WAN or policy routing rules

  • specify: Set the outgoing interface manually

interface <interface>

Specify outgoing interface to reach server. This option is only available when interface-select-method is specify.

proxy <proxy_server>

Proxy server host (IP or domain name).

proxy-port <port>

Port number that the proxy server expects to receive HTTP sessions on (1 - 65535, default = 8080).

proxy-username <username>

HTTP proxy basic authentication user name.

proxy-password <password>

HTTP proxy basic authentication password.

server-identity-check {none | basic | full}

Certificate verification option:

  • none: No certificate verification (default).
  • basic: Check server certificate only.
  • full: Check server certificate and domain match server certificate.

Malware hashes

The malware hash threat feed connector supports a list of file hashes that can be used as part of virus outbreak prevention. The FortiProxy unit can retrieve an external malware hash list from a remote server and poll the hash list every n minutes for updates. The external malware hash list can include MD5, SHA1, and SHA256 hashes.

Just like FortiGuard Outbreak Prevention, the external dynamic block list is not supported in AV quick scan mode.

Using different types of hash simultaneously can slow down the performance of malware scanning. For this reason, Fortinet recommends using only one type of hash on a list (MD5, SHA1, or SHA256), not all three simultaneously.

To create a malware hash connector in the GUI:
  1. Go to Security Fabric > External Connectors and click Create New.
  2. In the Threat Feeds section, click Malware Hash.
  3. Enter a name for the malware hash file.
  4. Enter the URI for the malware hash file.
  5. Click OK.
To create a malware hash connector in the CLI:
config system external-resource
    edit <external_resource_name>
        set type malware
        set resource <string>
    next
end

IP addresses

You can use the external block list (threat feed) for web filtering and DNS. You can also use external block list (threat feed) in firewall policies.

To create an external IP list object:

Create a plain text file with one IP address, IP address range, or subnet per line. For example:

192.168.2.100
172.200.1.4/16
172.16.1.2/24
172.16.8.1-172.16.8.100
2001:0db8::eade:27ff:fe04:9a01/120
2001:0db8::eade:27ff:fe04:aa01-2001:0db8::eade:27ff:fe04:ab01
To use an external IP list object in the GUI:
  1. Go to Security Fabric > External Connectors and click Create New.

  2. In the Threat Feeds section, click IP Address.

  3. In the URI of external resource field, enter the link to the external IP list object.

  4. Click OK.

To use an external IP list object in the CLI:
config system external-resource
    edit <external_resource_name>
        set type address
        set resource <string>
    next
end

External Connectors

External Connectors

You can use external connectors to connect your FortiProxy unit to public and private cloud solutions. By using an external connector, you can ensure that changes to cloud environment attributes are automatically updated in the Security Fabric. You can use external connector address objects to create policies that provide dynamic access control based on cloud environment attribute changes. There is no need to manually reconfigure addresses and policies whenever changes to the cloud environment occur.

There are four steps to creating and using an external connector:

  1. Gather the required information. The required information depends on which public or private cloud solution SDN connector you are configuring.

  2. Create the external connector.

  3. Create an external connector address.

  4. Add the address to a firewall policy.

The following provides general instructions for creating an external connector and using the dynamic address object in a firewall policy.

To create an SDN connector in the GUI:
  1. Go to Security Fabric > External Connectors.

  2. Click Create New.

  3. Click the desired public or private cloud.

  4. Enter the Name, Status, and Update interval for the connector.

  5. Enter the previously collected information for the connector as needed.

  6. Click OK.

To create an SDN connector in the CLI:
config system sdn-connector
    edit <name>
        set status {enable | disable}
        set type {connector type}
        ...
        set update-interval <integer>
    next
end

The available CLI commands vary depending on the selected SDN connector type.

External threat feeds

Threat feeds dynamically import an external block list from an HTTP server in the form of a plain text file, or from a STIX/TAXII server. Block lists can be used to enforce special security requirements, such as long term policies to always block access to certain websites, or short term requirements to block access to known compromised locations. The lists are dynamically imported, so that any changes are immediately imported by FortiProxy.

FortiProxy can also download external threat feeds as a downstream-proxy in an isolated environment, where the upstream-proxy only has internet access. All SWG functions, including SSL deep-inspection, are performed by the downstream proxy. FDS updates and management is done on the FortiManager.

You can define 511 thread feed entries using either the GUI or CLI.

To configure an external threat feed connector in the GUI:
  1. Go to Security Fabric > External Connectors and click Create New.

  2. In the Threat Feeds section, click one of the icons.

  3. Configure the settings as needed.

  4. Click OK.

To configure an external threat feed connector in the CLI:
config system external-resource
    edit <name>
        set status {enable | disable}
        set type {category | address | domain | malware | url}
        set category <integer>
        set username <string>
        set password <string>
        set comments <string>
        set resource <uri>
        set user-agent <string>
        set refresh-rate <integer>
        set source-ip <ip_address>
        set interface-select-method {auto | sdwan | specify}
        set interface <interface>
        set proxy <proxy_server> 
        set proxy-port <port>
        set proxy-username <username>
        set proxy-password <password>
        set server-identity-check {none | basic | full}
    next
end

status {enable | disable}

Enable/disable the user resource.

type {category | address | domain | malware | url}

User resource type:

  • category: FortiGuard category

  • address: Firewall IP address

  • domain: Domain name

  • malware: Malware hash

  • url: URL List

category <integer>

User resource category. This option is only available when type is category or domain.

username <string>

HTTP basic authentication user name.

password <string>

HTTP basic authentication password.

comments <string>

Comments.

*resource <uri>

URI of the external resource. Leading and tail strings are automatically removed.

user-agent <string>

HTTP User-Agent header (default = 'curl/7.58.0').

*refresh-rate <integer>

Time interval to refresh external resource, in minutes (1 - 43200, default = 5).

source-ip <ip_address>

Source IPv4 address used to communicate with server.

interface-select-method {auto | sdwan | specify}

Specify how to select outgoing interface to reach server:

  • auto: Set the outgoing interface automatically

  • sdwan: Set the outgoing interface by SD-WAN or policy routing rules

  • specify: Set the outgoing interface manually

interface <interface>

Specify outgoing interface to reach server. This option is only available when interface-select-method is specify.

proxy <proxy_server>

Proxy server host (IP or domain name).

proxy-port <port>

Port number that the proxy server expects to receive HTTP sessions on (1 - 65535, default = 8080).

proxy-username <username>

HTTP proxy basic authentication user name.

proxy-password <password>

HTTP proxy basic authentication password.

server-identity-check {none | basic | full}

Certificate verification option:

  • none: No certificate verification (default).
  • basic: Check server certificate only.
  • full: Check server certificate and domain match server certificate.

Malware hashes

The malware hash threat feed connector supports a list of file hashes that can be used as part of virus outbreak prevention. The FortiProxy unit can retrieve an external malware hash list from a remote server and poll the hash list every n minutes for updates. The external malware hash list can include MD5, SHA1, and SHA256 hashes.

Just like FortiGuard Outbreak Prevention, the external dynamic block list is not supported in AV quick scan mode.

Using different types of hash simultaneously can slow down the performance of malware scanning. For this reason, Fortinet recommends using only one type of hash on a list (MD5, SHA1, or SHA256), not all three simultaneously.

To create a malware hash connector in the GUI:
  1. Go to Security Fabric > External Connectors and click Create New.
  2. In the Threat Feeds section, click Malware Hash.
  3. Enter a name for the malware hash file.
  4. Enter the URI for the malware hash file.
  5. Click OK.
To create a malware hash connector in the CLI:
config system external-resource
    edit <external_resource_name>
        set type malware
        set resource <string>
    next
end

IP addresses

You can use the external block list (threat feed) for web filtering and DNS. You can also use external block list (threat feed) in firewall policies.

To create an external IP list object:

Create a plain text file with one IP address, IP address range, or subnet per line. For example:

192.168.2.100
172.200.1.4/16
172.16.1.2/24
172.16.8.1-172.16.8.100
2001:0db8::eade:27ff:fe04:9a01/120
2001:0db8::eade:27ff:fe04:aa01-2001:0db8::eade:27ff:fe04:ab01
To use an external IP list object in the GUI:
  1. Go to Security Fabric > External Connectors and click Create New.

  2. In the Threat Feeds section, click IP Address.

  3. In the URI of external resource field, enter the link to the external IP list object.

  4. Click OK.

To use an external IP list object in the CLI:
config system external-resource
    edit <external_resource_name>
        set type address
        set resource <string>
    next
end