Fortinet black logo

Administration Guide

Allowlist and blocklist

Copy Link
Copy Doc ID 4f5a6250-a945-11ec-9fd1-fa163e15d75b:424543
Download PDF

Allowlist and blocklist

Allowlist and blocklist help improve scan performance and malware catch rate as well as reduce false positives and can be appended to, replaced, cleared, deleted, and downloaded. These lists contain file checksum values (MD5, SHA1, or SHA256) and domain/URL/URL REGEXs. Domain/URL/URL REGEX lists are used in both file and URL scanning. For files, the file's downloading URL is checked against the list. Wild Card formats, like *.domain, are supported. For example, when the user adds windowsupdate.microsoft.com to the Allow Domain List, all files downloaded from this domain will be rated as Clean files immediately. If the user adds *.microsoft.com to the Allow Domain List, all files downloaded from sub-domains of microsoft.com will be rated as Clean immediately.

For URLs, you can add a raw URL or a regular expression pattern to the list. For example, if the user adds .*amazon.com/.*subscribe to the allowlist, all subscription URLs from amazon.com will be immediately rated as Clean. This way, subscription links will not be opened inside the VM and become invalid.

  • If an allowlist entry is hit, the job rating will be Clean with a local overwrite flag.
  • If a blocklist entry is hit, the job rating will be Malicious with a local overwrite flag. Malware names will be FSA/BL_DOMAIN, FSA/BL_URL, FSA/BL_MD5, FSA/BL_SHA1, or FSA/BL_SHA256.
  • If the same entry exists on both lists and is hit, the blocklist will take priority and the file will be rated Malicious.
To manage the allowlist and blocklist manually:
  1. Go to Scan Policy and Object > Allowlist/Blocklist.
  2. Click the menu icon beside Allowlists or Blocklists to see its menu items.
  3. Click the + button to add a new entry.
    caution icon

    The URL pattern has a higher rating priority than a domain pattern. For example, if you enter *.microsoft.com in a domain allowlist and http://www.microsoft.com/*abc/bad.html in a URL blocklist, a file from http://www.microsoft.com/1abc/bad.html will be rated as Malicious.

  4. Click OK.
To manage the allowlist and blocklist through files:
  1. Go to Scan Policy and Object > Allowlist/Blocklist.
  2. Beside Allowlists or Blocklists, click the menu icon and select the Manage lists by uploading files icon.
  3. Select the list type from the dropdown menu:
    • MD5
    • SHA1
    • SHA256
    • Domain
    • URL
    • URL REGEX
  4. Select the Action from the dropdown menu:
    • Append: Add checksums to the list.
    • Replace: Replace the list.
    • Clear: Remove the list.
    • Download: Download the list to the management computer.
    • Delete: Delete an entry from the list if the entry is in the uploaded file.
  5. If the action is Download, click OK to download the list file to the management computer.
  6. If the action is Append or Replace, click Choose File, locate the checksum file on the management computer, then click OK.
  7. If the action is Clear, click OK to remove the list.

In a cluster setting, create allowlist and blocklist on the primary node. Lists are synchronized with other nodes.

The total number of URL REGEXs in allowlist and blocklist must be less than 1000.

The total number of domains plus URLs in allowlist and blocklist must be less than 50000.

The total number of MD5+SHA1+SHA256 in allowlist and blocklist must be less than 50000.

Allowlist and blocklist

Allowlist and blocklist help improve scan performance and malware catch rate as well as reduce false positives and can be appended to, replaced, cleared, deleted, and downloaded. These lists contain file checksum values (MD5, SHA1, or SHA256) and domain/URL/URL REGEXs. Domain/URL/URL REGEX lists are used in both file and URL scanning. For files, the file's downloading URL is checked against the list. Wild Card formats, like *.domain, are supported. For example, when the user adds windowsupdate.microsoft.com to the Allow Domain List, all files downloaded from this domain will be rated as Clean files immediately. If the user adds *.microsoft.com to the Allow Domain List, all files downloaded from sub-domains of microsoft.com will be rated as Clean immediately.

For URLs, you can add a raw URL or a regular expression pattern to the list. For example, if the user adds .*amazon.com/.*subscribe to the allowlist, all subscription URLs from amazon.com will be immediately rated as Clean. This way, subscription links will not be opened inside the VM and become invalid.

  • If an allowlist entry is hit, the job rating will be Clean with a local overwrite flag.
  • If a blocklist entry is hit, the job rating will be Malicious with a local overwrite flag. Malware names will be FSA/BL_DOMAIN, FSA/BL_URL, FSA/BL_MD5, FSA/BL_SHA1, or FSA/BL_SHA256.
  • If the same entry exists on both lists and is hit, the blocklist will take priority and the file will be rated Malicious.
To manage the allowlist and blocklist manually:
  1. Go to Scan Policy and Object > Allowlist/Blocklist.
  2. Click the menu icon beside Allowlists or Blocklists to see its menu items.
  3. Click the + button to add a new entry.
    caution icon

    The URL pattern has a higher rating priority than a domain pattern. For example, if you enter *.microsoft.com in a domain allowlist and http://www.microsoft.com/*abc/bad.html in a URL blocklist, a file from http://www.microsoft.com/1abc/bad.html will be rated as Malicious.

  4. Click OK.
To manage the allowlist and blocklist through files:
  1. Go to Scan Policy and Object > Allowlist/Blocklist.
  2. Beside Allowlists or Blocklists, click the menu icon and select the Manage lists by uploading files icon.
  3. Select the list type from the dropdown menu:
    • MD5
    • SHA1
    • SHA256
    • Domain
    • URL
    • URL REGEX
  4. Select the Action from the dropdown menu:
    • Append: Add checksums to the list.
    • Replace: Replace the list.
    • Clear: Remove the list.
    • Download: Download the list to the management computer.
    • Delete: Delete an entry from the list if the entry is in the uploaded file.
  5. If the action is Download, click OK to download the list file to the management computer.
  6. If the action is Append or Replace, click Choose File, locate the checksum file on the management computer, then click OK.
  7. If the action is Clear, click OK to remove the list.

In a cluster setting, create allowlist and blocklist on the primary node. Lists are synchronized with other nodes.

The total number of URL REGEXs in allowlist and blocklist must be less than 1000.

The total number of domains plus URLs in allowlist and blocklist must be less than 50000.

The total number of MD5+SHA1+SHA256 in allowlist and blocklist must be less than 50000.