Administration Guide

Allowlist and blocklist (white/black lists)

Allowlists and blocklists (white and black lists) help improve scan performance and malware catch rate, and reduce false positives. They can be appended to, replaced, cleared, deleted, and downloaded. The lists contain file checksum values (MD5, SHA1, or SHA256) and domains, URLs, and URL REGEXs. Domain, URL, and URL REGEX lists are used in both file and URL scanning. For files, the file's download URL is checked against the list. Wildcard formats, such as *.domain, are supported. For example, when the user adds windowsupdate.microsoft.com to the White Domain List, all files downloaded from this domain are rated Clean immediately. If the user adds *.microsoft.com to the White Domain List, all files downloaded from sub-domains of microsoft.com are rated Clean immediately.

For URLs, you can add a raw URL or a regular expression pattern to the list. For example, if the user adds .*amazon.com/.*subscribe to the allowlist, all subscription URLs from amazon.com are immediately rated Clean. This way, subscription links are not opened inside the VM, which would make them invalid.

  • If an allowlist entry is hit, the job rating will be Clean with a local overwrite flag.
  • If a blocklist entry is hit, the job rating will be Malicious with a local overwrite flag. Malware names will be FSA/BL_DOMAIN, FSA/BL_URL, FSA/BL_MD5, FSA/BL_SHA1, or FSA/BL_SHA256.
  • If the same entry exists on both lists and is hit, the blocklist will take priority and the file will be rated Malicious.

To manage the allow/block list manually:
  1. Go to Scan Policy > White/Black List.
  2. Click the menu icon beside White Lists or Black Lists to see its menu items.
  3. Click the + button to add a new entry.
    Caution: The URL pattern has a higher rating priority than a domain pattern. For example, if you enter *.microsoft.com in a domain allowlist and http://www.microsoft.com/*abc/bad.html in a URL blocklist, a file from http://www.microsoft.com/1abc/bad.html will be rated as Malicious.

  4. Click OK.
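
The precedence rules above (URL pattern over domain pattern, blocklist over allowlist) can be modeled to predict how an entry will rate before it is added. This is an added example, not Fortinet code: the `rate` function, its tier ordering, and the treatment of `*` as the only wildcard are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Sample lists built from the entries in the guide's caution note.
ALLOW = {"domain": ["*.microsoft.com"], "url": []}
BLOCK = {"domain": [], "url": ["http://www.microsoft.com/*abc/bad.html"]}

def _hits(patterns, value):
    """True if value matches any pattern; only '*' is treated as a wildcard (assumption)."""
    for pattern in patterns:
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, value, re.IGNORECASE):
            return True
    return False

def rate(url, allow=ALLOW, block=BLOCK):
    """Return (rating, malware_name), or (None, None) when no list entry is hit."""
    host = urlsplit(url).hostname or ""
    # Tier 1: URL patterns. Tier 2: domain patterns.
    # Inside a tier the blocklist is checked first, so it wins over the allowlist.
    for kind, value, name in (("url", url, "FSA/BL_URL"),
                              ("domain", host, "FSA/BL_DOMAIN")):
        if _hits(block[kind], value):
            return ("Malicious", name)
        if _hits(allow[kind], value):
            return ("Clean", None)
    return (None, None)

if __name__ == "__main__":
    for sample in ("http://www.microsoft.com/1abc/bad.html",
                   "http://www.microsoft.com/download/tool.exe",
                   "http://example.org/a"):
        print(sample, rate(sample))
```
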

To manage the allow/block list through files:
  1. Go to Scan Policy > White/Black List.
  2. Beside White Lists or Black Lists, click the menu icon and select the Manage lists by uploading files icon.
  3. Select the list type from the dropdown menu:
    • MD5
    • SHA1
    • SHA256
    • Domain
    • URL
    • URL REGEX
  4. Select the Action from the dropdown menu:
    • Append: Add checksums to the list.
    • Replace: Replace the list.
    • Clear: Remove the list.
    • Download: Download the list to the management computer.
    • Delete: Delete an entry from the list if the entry is in the uploaded file.
  5. If the action is Download, click OK to download the list file to the management computer.
  6. If the action is Append or Replace, click Choose File, locate the checksum file on the management computer, then click OK.
  7. If the action is Clear, click OK to remove the list.

In a cluster setting, create allowlists/blocklists on the primary (master) node. Lists are synchronized with other nodes.

The total number of URL REGEXs in allowlists/blocklists must be less than 1000.

The total number of domains plus URLs in allowlist/blocklist must be less than 50000.

The total number of MD5+SHA1+SHA256 in allowlist/blocklist must be less than 50000.
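
A list file can be checked on the management computer before it is uploaded with Append or Replace. The following is an added example, not Fortinet code. It assumes one entry per line (the guide does not describe the file format), assumes the limits apply to allowlist and blocklist entries combined, and uses Python's regex engine only as a syntax sanity check for URL REGEX entries.

```python
import re

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}
# Limits from the guide: each total must be less than the stated number.
LIMITS = {"hash": 50000, "domain_url": 50000, "regex": 1000}
GROUP = {"MD5": "hash", "SHA1": "hash", "SHA256": "hash",
         "Domain": "domain_url", "URL": "domain_url", "URL REGEX": "regex"}

def check_entries(list_type, lines):
    """Return (clean_entries, problems) for the lines of one list file."""
    clean, problems, seen = [], [], set()
    for n, raw in enumerate(lines, 1):
        entry = raw.strip()
        if not entry:
            continue
        if list_type in HEX_LEN:
            entry = entry.lower()
            if not re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[list_type], entry):
                problems.append(f"line {n}: not a {list_type} checksum")
                continue
        elif list_type == "URL REGEX":
            try:
                re.compile(entry)
            except re.error as exc:
                problems.append(f"line {n}: regex does not compile ({exc})")
                continue
        if entry in seen:
            problems.append(f"line {n}: duplicate entry")
            continue
        seen.add(entry)
        clean.append(entry)
    return clean, problems

def check_totals(lists):
    """lists maps (side, list_type) -> entries; side is 'allow' or 'block'."""
    problems, totals = [], dict.fromkeys(LIMITS, 0)
    for (_side, list_type), entries in lists.items():
        totals[GROUP[list_type]] += len(entries)
    for group, total in totals.items():
        if total >= LIMITS[group]:
            problems.append(f"{group}: {total} entries, must be less than {LIMITS[group]}")
    for (side, list_type), entries in lists.items():
        if side == "allow":
            both = set(entries) & set(lists.get(("block", list_type), []))
            problems += [f"{list_type} {e}: on both lists, blocklist wins" for e in sorted(both)]
    return problems
```
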
