Skip to main content
anoushiravan
Staff
anoushiravan
Staff
September 30, 2022

Technical Tip: How to block the web access using the external resources on FortiGate

  • September 30, 2022
  • 0 replies
  • 5148 views
Description This article describes how to block the web access by creating a block list of URLs or IP addresses on remote HTTP or HTTPS server (external resources) on FortiGate.
Scope FortiGate, DNS filter profiles that use external IP block lists to block DNS requests to certain IP addresses. 
Solution

The external resource in remote HTTP/HTTPS server must meet the following conditions:

  • The external resource file will be a plaintext format file, and each URL will be in a single line.
  • Each line can be an IP address or a subnet.
  • The file is limited to 10M.
  • The maximum number of lines is limited to 128K (128 x 1024 entries).
  • The line length limit is 4K characters.
  • The entries are also limited by the table size limitation defined by CMDB per model.

 

Example configuration via CLI:

 

config system external-resource
    edit "External-resource-files"
        set type address
        set resource "http://10.104.3.130/resources/urls"
        set refresh-rate 2
    next
end

 

Note: FortiGate will connect to the remote HTTP server every 2 minutes (set refresh-rate 2) for automatic updates. The default value of refresh-rate is 5 minutes but the value can be set between 1 and 43200. 

 

config dnsfilter profile
    edit "default"
        set external-ip-blocklist "External-resource-files"
    next
end


In order to see the external resource database on FortiGate, run the below command via CLI:

 

FortiGate # fnsysctl ls -l /var/log/external/

-rw-r--r-- 1 0 0 Mon Apr 25 04:15:19 2022 15762 ext-root.External-resource-files
-rw-r--r-- 1 0 0 Mon Apr 25 04:15:19 2022 33 ext-root.External-resource-files.csum
-rw-r--r-- 1 0 0 Mon Apr 25 04:15:19 2022 35 ext-root.External-resource-files.etag

 

Note: In an HA cluster, the external resource database is getting synced between slave units. An HA log message appears that states that the HA members are out-of-sync due to 'external-files'. This log will be generated when FortiGate starts to get the latest URL or IP list from the remote HTTP or HTTPS server:

 

date=2022-04-25 time=04:15:41 id=7090343938808087133 itime="2022-04-25 04:15:43" euid=3 epid=3 dsteuid=3 dstepid=3 logver=700020234 logid=0108037903 type="event" subtype="ha" level="information" msg="The sync status with the primary" logdesc="Synchronization status with primary" sync_type="external-files" sync_status="out-of-sync" eventtime=1650849342264133363 tz="+0300" devid="FG1K5DT365987569" vd="root" dtime="2022-04-25 04:15:41" itime_t=1650849343 devname="FW1"


Related documents:
External resources for web filter - FortiGate cookbook

Troubleshooting Tip: The external resource contains more entries than is supported
    Terms & ConditionsAccessibility statement