Fortinet white logo
Fortinet white logo

Administration Guide

Threat feeds

Threat feeds

The FortiGate dynamically imports an external list from an HTTP/HTTPS server in the form of a plain text file. The imported list is then available as a threat feed, which can be used to enforce special security requirements, such as long-term policies to always allow or block access to certain websites, or short-term requirements to block access to known compromised locations. The threat feeds are dynamically synchronized and are updated periodically so that any changes are immediately imported by FortiOS.

Note

If the FortiGate loses connectivity with the external server, the threat feed will continue to function despite the Connection Status error or reboot. However, the threat feed will not be updated and no new entries will be added until the connection is re-established.

FortiOS also supports STIX/TAXII format. See STIX format for external threat feeds for more information.

There are five types of threat feeds:

FortiGuard Category

The FortiGate dynamically imports a text file from an external server, which contains one URL per line. See FortiGuard category threat feed for more information.

IP Address

The FortiGate dynamically imports a text file from an external server, which contains one IP/IP range/subnet per line. See IP address threat feed for more information.

Domain Name

The FortiGate dynamically imports a text file from an external server, which contains one domain per line. Simple wildcards are supported. See Domain name threat feed for more information.

MAC Address

The FortiGate dynamically imports a text file from an external server, which contains one MAC address, MAC range, or MAC OUI per line. See MAC address threat feed for more information.

Malware Hash

The FortiGate dynamically imports a text file from an external server, which contains one hash per line in the format <hex hash> [optional hash description]. Each line supports MD5, SHA1, and SHA256 hex hashes. See Malware hash threat feed for more information.

Additionally, the EMS threat feed is integrated with FortiClient EMS, but it is not configured in the same way as the preceding feeds:

EMS Threat Feed

A FortiGate can pull malware threat feeds from FortiClient EMS, which in turn receives malware hashes detected by FortiClients. The malware hash can be used in an antivirus profile when AV scanning is enabled with block or monitor actions. See Malware threat feed from EMS for an example.

FortiManager can host threat feeds. See External resources in the FortiManager Administration Guide.

External resources file format

File format requirements for a HTTP/HTTPS external resources file:

  • The file is in plain text format with each URL list, IP address, domain name, or malware hash occupying one line.

    Comments can be added by using the number sign, for example: # This is a test.

  • The file is limited to a maximum size of 10 MB and can hold up to 131072 entries, whichever limit is hit first.

  • The entry limit also follows the table size limitation defined by CMDB per model.

  • The external resources update period can be set to 1 minute, hourly, daily, weekly, or monthly (43200 min, 30 days).

  • The external resources type as category (URL list) and domain (domain name list) share the category number range 192 to 221 (total of 30 categories).

  • There is no duplicated entry validation for the external resources file (entry inside each file or inside different files).

  • If the number of entries exceed the limit, a warning is displayed. Additional entries beyond the threshold will not be loaded.

For URL list (type = category):

  • The scheme is optional, and will be truncated if found; https:// and http:// are not required.

  • Wildcards are allowed at the beginning or end or the URL, for example: *.domain.com or domain.com.*.

  • IDN and UTF encoding URL are supported .

  • The URL can be an IPv4 or IPv6 address. An IPv6 URL must be in [ ] format.

For IP address list (type = address):

  • The IP address can be a single IP address, subnet address, or address range. For example, 192.168.1.1, 192.168.10.0/24, or 192.168.100.1-192.168.100.254.

  • The address can be an IPv4 or IPv6 address. An IPv6 address does not need to be in [ ] format.

For domain name list (type = domain):

  • Simple wildcards are allowed in the domain name list, for example: *.test.com.

  • IDN (international domain name) is supported.

For MAC address list (type = mac-address):

  • The MAC address can be a single MAC address, MAC OUI, or MAC range. For example, 01:01:01:01:01:01, 8c:aa:b5, or 01:01:01:01:01:01-01:01:02:50:20:ff.

  • The hexadecimal digits in MAC address must only be separated by colons.

For malware hash list (type = malware):

  • The malware hash list follows a strict format in order for its contents to be valid. Malware hash signature entries must be separated into each line. A valid signature must follow this format:

    # MD5 Entry with hash description
    aa67243f746e5d76f68ec809355ec234  md5_sample1
    
    # SHA1 Entry with hash description
    a57983cb39e25ab80d7d3dc05695dd0ee0e49766  sha1_sample2
    
    # SHA256 Entry with hash description
    ae9bc0b4c5639d977d720e4271da06b50f7c60d1e2070e9c75cc59ab30e49379  sha256_sample1
    
    # Entry without hash description
    0289b0d967cb7b1fb1451339c7b9818a621903090e0020366ab415c549212521
    
    # Invalid entries
    7688499dc71b932feb126347289c0b8a_md5_sample2
    7614e98badca10b5e2d08f8664c519b7a906fbd5180ea5d04a82fce9796a4b87sha256_sample3
To determine the external resource table size limit for your device:
# print tablesize
...
system.external-resource: 0 256 512
...

In this example, a FortiGate 60E has a global limit of 512 and a per-VDOM limit of 256. A FortiGate 60E can configure up to 512 feeds. Each feed is limited to a maximum size of 10 MB or 131072 entries, whichever is reached first. The total number of feeds is limited by the available memory on the device.

Related Videos

sidebar video

FortiSIEM and FortiGate Threat Feed Integration

  • 2,189 views
  • 2 years ago

More Links

Threat feeds

Threat feeds

The FortiGate dynamically imports an external list from an HTTP/HTTPS server in the form of a plain text file. The imported list is then available as a threat feed, which can be used to enforce special security requirements, such as long-term policies to always allow or block access to certain websites, or short-term requirements to block access to known compromised locations. The threat feeds are dynamically synchronized and are updated periodically so that any changes are immediately imported by FortiOS.

Note

If the FortiGate loses connectivity with the external server, the threat feed will continue to function despite the Connection Status error or reboot. However, the threat feed will not be updated and no new entries will be added until the connection is re-established.

FortiOS also supports STIX/TAXII format. See STIX format for external threat feeds for more information.

There are five types of threat feeds:

FortiGuard Category

The FortiGate dynamically imports a text file from an external server, which contains one URL per line. See FortiGuard category threat feed for more information.

IP Address

The FortiGate dynamically imports a text file from an external server, which contains one IP/IP range/subnet per line. See IP address threat feed for more information.

Domain Name

The FortiGate dynamically imports a text file from an external server, which contains one domain per line. Simple wildcards are supported. See Domain name threat feed for more information.

MAC Address

The FortiGate dynamically imports a text file from an external server, which contains one MAC address, MAC range, or MAC OUI per line. See MAC address threat feed for more information.

Malware Hash

The FortiGate dynamically imports a text file from an external server, which contains one hash per line in the format <hex hash> [optional hash description]. Each line supports MD5, SHA1, and SHA256 hex hashes. See Malware hash threat feed for more information.

Additionally, the EMS threat feed is integrated with FortiClient EMS, but it is not configured in the same way as the preceding feeds:

EMS Threat Feed

A FortiGate can pull malware threat feeds from FortiClient EMS, which in turn receives malware hashes detected by FortiClients. The malware hash can be used in an antivirus profile when AV scanning is enabled with block or monitor actions. See Malware threat feed from EMS for an example.

FortiManager can host threat feeds. See External resources in the FortiManager Administration Guide.

External resources file format

File format requirements for a HTTP/HTTPS external resources file:

  • The file is in plain text format with each URL list, IP address, domain name, or malware hash occupying one line.

    Comments can be added by using the number sign, for example: # This is a test.

  • The file is limited to a maximum size of 10 MB and can hold up to 131072 entries, whichever limit is hit first.

  • The entry limit also follows the table size limitation defined by CMDB per model.

  • The external resources update period can be set to 1 minute, hourly, daily, weekly, or monthly (43200 min, 30 days).

  • The external resources type as category (URL list) and domain (domain name list) share the category number range 192 to 221 (total of 30 categories).

  • There is no duplicated entry validation for the external resources file (entry inside each file or inside different files).

  • If the number of entries exceed the limit, a warning is displayed. Additional entries beyond the threshold will not be loaded.

For URL list (type = category):

  • The scheme is optional, and will be truncated if found; https:// and http:// are not required.

  • Wildcards are allowed at the beginning or end or the URL, for example: *.domain.com or domain.com.*.

  • IDN and UTF encoding URL are supported .

  • The URL can be an IPv4 or IPv6 address. An IPv6 URL must be in [ ] format.

For IP address list (type = address):

  • The IP address can be a single IP address, subnet address, or address range. For example, 192.168.1.1, 192.168.10.0/24, or 192.168.100.1-192.168.100.254.

  • The address can be an IPv4 or IPv6 address. An IPv6 address does not need to be in [ ] format.

For domain name list (type = domain):

  • Simple wildcards are allowed in the domain name list, for example: *.test.com.

  • IDN (international domain name) is supported.

For MAC address list (type = mac-address):

  • The MAC address can be a single MAC address, MAC OUI, or MAC range. For example, 01:01:01:01:01:01, 8c:aa:b5, or 01:01:01:01:01:01-01:01:02:50:20:ff.

  • The hexadecimal digits in MAC address must only be separated by colons.

For malware hash list (type = malware):

  • The malware hash list follows a strict format in order for its contents to be valid. Malware hash signature entries must be separated into each line. A valid signature must follow this format:

    # MD5 Entry with hash description
    aa67243f746e5d76f68ec809355ec234  md5_sample1
    
    # SHA1 Entry with hash description
    a57983cb39e25ab80d7d3dc05695dd0ee0e49766  sha1_sample2
    
    # SHA256 Entry with hash description
    ae9bc0b4c5639d977d720e4271da06b50f7c60d1e2070e9c75cc59ab30e49379  sha256_sample1
    
    # Entry without hash description
    0289b0d967cb7b1fb1451339c7b9818a621903090e0020366ab415c549212521
    
    # Invalid entries
    7688499dc71b932feb126347289c0b8a_md5_sample2
    7614e98badca10b5e2d08f8664c519b7a906fbd5180ea5d04a82fce9796a4b87sha256_sample3
To determine the external resource table size limit for your device:
# print tablesize
...
system.external-resource: 0 256 512
...

In this example, a FortiGate 60E has a global limit of 512 and a per-VDOM limit of 256. A FortiGate 60E can configure up to 512 feeds. Each feed is limited to a maximum size of 10 MB or 131072 entries, whichever is reached first. The total number of feeds is limited by the available memory on the device.