Fortinet Fortigate Threat Feed Connector

Source: Fortinet

Threat Feed Connectors

This feature introduces the ability to dynamically import external block list text files from an HTTP server. The text files can contain IP addresses and domain names. These dynamic block lists are called "Threat Feeds". You can block access to the addresses in the text files by adding one or more threat feeds to:

  • DNS Filter profiles (using Domain Name and IP Address threat feeds)
  • Web Filter profiles and SSL inspection exemptions (using FortiGuard Category threat feeds)
  • Proxy policies (using IP Address threat feeds)
  • AntiVirus profiles (using Malware Hash threat feeds)

FortiOS keeps threat feeds up to date by dynamically re-downloading them from the HTTP server according to the refresh rate.

Threat Feeds can be configured under Security Fabric > Fabric Connectors by creating new Threat Feeds.

The New Fabric Connector edit page provides the following fields:

  • Name – The name you want to assign to the feed. How the name is used in the interface depends on the category of threat feed you select:
      • Domain Name – The Name will appear as a "Remote Category" in DNS Filter profiles.
      • FortiGuard Category – The Name will appear as a "Remote Category" in Web Filter profiles and SSL inspection exemptions.
      • IP Address – The Name will appear as an "External IP Block List" in DNS Filter profiles and as a "Source/Destination" in IPv4, IPv6, and Proxy policies.
      • Malware Hash – The Name will be used automatically for Virus Outbreak Prevention in AntiVirus profiles where "External Malware Block List" is enabled.
  • URI of external resource – The link to the external resource file. The file must be a plain text file with one entry per line; domain entries support simple wildcards.
  • HTTP basic authentication – The username and password used to authenticate against the threat feed's URI. This can be disabled if the feed does not require authentication.
  • Refresh Rate – The interval at which the external resource is re-downloaded (1 – 43200 minutes).
  • File size limit – The file can be at most 10 MB or 128,000 lines of text, whichever is more restrictive.

The domain resource is a text file with one domain name per line; simple wildcards are supported. For example:

mail.*.or.th
*-special.de.vu
http://www.*de.vu
610-pawn.com
aaliyah-hq-gallery.de.vu
abcgolocal.com

The address resource is a text file with one IP address, IP range, or CIDR block per line (note that only IPv4 is supported in DNS Filter profiles, so IPv6 addresses will be ignored). For example:

1.1.1.1
10.0.0.70
2.1.1.1
100.0.0.1-100.0.0.100
10.0.0.99-10.0.0.201
1.2.2.2/24
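As an added example covering both the domain and the address resource formats above (this is not Fortinet code): a small Python linter that checks a feed file against the rules on this page before it is published on the HTTP server, so a broken line or an IPv6 entry that DNS Filter profiles would silently ignore is caught on the defender's side first. The wildcard-domain regex, the classification labels and the sample feeds are assumptions constructed for this example.

```python
import ipaddress
import re

# Limits stated on the page: 10 MB or 128,000 lines, whichever is hit first.
MAX_BYTES = 10 * 1024 * 1024
MAX_LINES = 128_000
# Assumed shape of a simple-wildcard domain, optionally with a scheme (the page's "http://www.*de.vu").
_DOMAIN_RE = re.compile(r"^(?:https?://)?(?:[A-Za-z0-9*-]+\.)+[A-Za-z*][A-Za-z0-9*-]*$")

def classify_entry(entry):
    """Classify one feed line as ipv4, ipv4-range, ipv4-cidr, ipv6-ignored, domain or invalid."""
    lo, sep, hi = entry.partition("-")
    try:
        if sep:  # "a-b" is a range only if both ends parse as IPv4; otherwise fall through to domain
            return "ipv4-range" if ipaddress.IPv4Address(lo) <= ipaddress.IPv4Address(hi) else "invalid"
        if "/" in entry:  # CIDR; strict=False accepts host bits set, as in the page's 1.2.2.2/24
            return "ipv4-cidr" if ipaddress.ip_network(entry, strict=False).version == 4 else "ipv6-ignored"
        return "ipv4" if ipaddress.ip_address(entry).version == 4 else "ipv6-ignored"
    except ValueError:  # not an IP form at all: accept it only if it looks like a wildcard domain
        return "domain" if _DOMAIN_RE.match(entry) else "invalid"

def validate_feed(text, kind):
    """Lint a feed body before publishing it; kind is 'domain' or 'address'."""
    report = {"entries": 0, "ignored": [], "errors": []}
    lines = text.splitlines()
    if len(text.encode()) > MAX_BYTES or len(lines) > MAX_LINES:
        report["errors"].append(f"feed exceeds {MAX_BYTES} bytes or {MAX_LINES} lines")
    for n, raw in enumerate(lines, 1):
        entry = raw.strip()
        if not entry:  # blank lines carry nothing; skip them
            continue
        cls = classify_entry(entry)
        if cls == "invalid" or (cls == "domain") != (kind == "domain"):
            report["errors"].append(f"line {n}: {entry!r} is not a valid {kind} entry ({cls})")
            continue
        if cls == "ipv6-ignored":  # DNS Filter profiles ignore IPv6 (per the page): flag, don't fail
            report["ignored"].append(n)
        report["entries"] += 1
    return report

# Constructed sample feeds: the page's examples plus one IPv6 address and one malformed line.
ADDRESS_FEED = "1.1.1.1\n10.0.0.70\n100.0.0.1-100.0.0.100\n1.2.2.2/24\n2001:db8::1\n300.1.1.1\n"
DOMAIN_FEED = "mail.*.or.th\n*-special.de.vu\nhttp://www.*de.vu\n610-pawn.com\n"

if __name__ == "__main__":
    print(validate_feed(ADDRESS_FEED, "address"))
    print(validate_feed(DOMAIN_FEED, "domain"))
```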

FortiOS configuration

config system external-resource
   edit <name>
      set type {category | address | domain}
      set category <value>
      set comments [comments]
      set resource <resource-url>
      set refresh-rate <minutes>
      set last-update <datetime>
   next
end