Administration Guide

Allowlist and blocklist (white/black lists)

Allowlists and blocklists (white and black lists) help improve scan performance and malware catch rate, and reduce false positives. They can be appended to, replaced, cleared, deleted, and downloaded. These lists contain file checksum values (MD5, SHA1, or SHA256) and domains/URLs. Domain and URL lists are used in both file and URL scanning. For files, the URL the file was downloaded from is checked against the list. Wildcard formats, like *.domain, are supported. For example, when the user adds windowsupdate.microsoft.com to the White Domain List, all files downloaded from this domain are rated Clean immediately. If the user adds *.microsoft.com to the White Domain List, all files downloaded from sub-domains of microsoft.com are rated Clean immediately.

For URLs, you can add a raw URL or a regular expression pattern to the list. For example, if the user adds .*amazon.com/.*subscribe to the allowlist, all subscription URLs from amazon.com will be immediately rated as Clean. This way, subscription links are not opened inside the VM, which would make them invalid.

  • If an allowlist entry is hit, the job rating will be Clean with a local overwrite flag.
  • If a blocklist entry is hit, the job rating will be Malicious with a local overwrite flag. Malware names will be FSA/BL_DOMAIN, FSA/BL_MD5, FSA/BL_SHA1, or FSA/BL_SHA256.
  • If the same entry exists on both lists and is hit, the blocklist will take priority and the file will be rated Malicious.

To manage the allow/block list manually:
  1. Go to Scan Policy > White/Black List.
  2. Click the White List or Black List panel and the Detail panel will slide out from the right side.
  3. Click the head of each type to expand or collapse the list.
  4. Click the + button to add a new entry.
    The URL pattern will have a higher rating priority than a domain pattern. For example, if you enter *.microsoft.com in a domain allowlist and http://www.microsoft.com/*abc/bad.html in a URL blocklist, a file from http://www.microsoft.com/1abc/bad.html will be rated as Malicious.

    Alternatively, click the Trash button to either remove the whole list or remove a single entry.

  5. Click outside the Detail panel to accept the change.
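
The rating rules above (blocklist over allowlist, URL pattern over domain pattern) can be modeled offline to predict how a planned entry will behave. This is an added example, not Fortinet code; the function names, the dictionary layout, the treatment of `*` in raw URL entries, and the use of Python regex search for URL REGEX entries are assumptions.

```python
import re
from urllib.parse import urlsplit

def domain_hit(host, lists):
    """Exact domain entry, or '*.domain' entry covering sub-domains only."""
    for entry in (e.lower() for e in lists.get("domain", [])):
        if entry.startswith("*."):
            if host.endswith(entry[1:]):      # "*.microsoft.com" -> ".microsoft.com"
                return True
        elif host == entry:
            return True
    return False

def url_hit(url, lists):
    """Raw URL entry ('*' treated as a wildcard) or URL REGEX entry."""
    for entry in lists.get("url", []):
        glob = ".*".join(re.escape(part) for part in entry.split("*"))
        if re.fullmatch(glob, url):
            return True
    return any(re.search(rx, url) for rx in lists.get("url_regex", []))

def rate(url, allow, block):
    """Return 'Malicious', 'Clean', or None when no list entry is hit."""
    host = (urlsplit(url).hostname or "").lower()
    # URL-level entries outrank domain entries; at each level the blocklist wins.
    for hit, target in ((url_hit, url), (domain_hit, host)):
        if hit(target, block):
            return "Malicious"
        if hit(target, allow):
            return "Clean"
    return None

# Constructed lists mirroring the examples on this page.
ALLOW = {"domain": ["*.microsoft.com"], "url_regex": [r".*amazon.com/.*subscribe"]}
BLOCK = {"url": ["http://www.microsoft.com/*abc/bad.html"]}

if __name__ == "__main__":
    for u in ("http://www.microsoft.com/1abc/bad.html",
              "http://www.microsoft.com/update.cab",
              "http://microsoft.com.example.test/a.exe"):
        print(u, "->", rate(u, ALLOW, BLOCK))
```
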

To manage the allow/block list through files:
  1. Go to Scan Policy > White/Black List.
  2. Click the File Upload icon for either the White List or Black List.
  3. Select the list type from the dropdown menu:
    • Domain
    • MD5
    • SHA1
    • SHA256
    • URL
    • URL REGEX
  4. Select the Action to take from the dropdown menu:
    • Append: Add checksums to the list.
    • Replace: Replace the list.
    • Clear: Remove the list.
    • Download: Download the list to the management computer.
    • Delete: Delete an entry from the list if the entry is in the uploaded file.
  5. If the action is Download, click OK to download the list file to the management computer.
  6. If the action is Append or Replace, click Choose File, locate the checksum file on the management computer, then click OK.
  7. If the action is Clear, click OK to remove the list.

In a cluster setting, allowlists and blocklists should only be created on the primary (master) node. They will be synchronized with other nodes.

The total number of URL REGEX entries in allowlists and blocklists should be less than 1000. The total number of domains plus URLs in allowlists and blocklists should be less than 50000.
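
Before uploading list files, the entries can be checked against the constraints stated on this page: checksum type, the two size limits, and entries that sit on both lists. The following is an added example, not a Fortinet tool; the function names and the dictionary layout keyed by list type are assumptions, as is using Python's regex dialect to test URL REGEX entries.

```python
import re

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}
MAX_REGEX, MAX_DOMAIN_URL = 1000, 50000    # totals must stay below these

def lint_lists(allow, block):
    """allow/block map list type -> entries. Returns a list of findings."""
    findings = []
    for side, lists in (("allowlist", allow), ("blocklist", block)):
        for kind, entries in lists.items():
            for e in entries:
                n = HEX_LEN.get(kind)
                if n and not re.fullmatch(r"[0-9a-fA-F]{%d}" % n, e):
                    findings.append(f"{side} {kind}: not {n} hex digits: {e!r}")
                if kind == "URL REGEX":
                    try:
                        re.compile(e)
                    except re.error as err:
                        findings.append(f"{side} URL REGEX: invalid: {e!r} ({err})")
    # An entry on both lists is rated Malicious, so the allowlist copy is dead.
    for kind in sorted(set(allow) & set(block)):
        for e in sorted(set(allow[kind]) & set(block[kind])):
            findings.append(f"{kind}: {e!r} is on both lists; blocklist wins")
    n_regex = sum(len(s.get("URL REGEX", [])) for s in (allow, block))
    n_dom_url = sum(len(s.get(k, [])) for s in (allow, block) for k in ("Domain", "URL"))
    if n_regex >= MAX_REGEX:
        findings.append(f"{n_regex} URL REGEX entries; limit is below {MAX_REGEX}")
    if n_dom_url >= MAX_DOMAIN_URL:
        findings.append(f"{n_dom_url} Domain+URL entries; limit is below {MAX_DOMAIN_URL}")
    return findings

def overmatches(regex, must_not_match):
    """URLs from a must-not-allowlist sample that the regex would still hit."""
    return [u for u in must_not_match if re.search(regex, u)]

if __name__ == "__main__":
    # Constructed sample data.
    allow = {"MD5": ["d41d8cd98f00b204e9800998ecf8427e", "xyz"],
             "Domain": ["example.test"]}
    block = {"Domain": ["example.test"]}
    print("\n".join(lint_lists(allow, block)))
    print(overmatches(r".*amazon.com/.*subscribe",
                      ["http://example.test/amazonxcom/subscribe"]))
```

Running `overmatches` on each allowlist regex with a few URLs that must still be scanned shows whether unescaped dots or a leading `.*` make the entry broader than intended, since an allowlist hit rates the job Clean immediately.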
