FortiGate
pjang
Staff
Article Id 250152
Description
This article describes how to configure the FortiGate with an External Connector using the STIX/TAXII protocol. AlienVault (aka Alien Labs Open Threat Exchange) is the threat-feed provider used in this article as an example, and so the steps provided are tailored for this particular provider.
Readers should keep in mind that the general setup process is still applicable for all STIX/TAXII connector configurations on the FortiGate, even if the exact setup steps (particularly regarding HTTP authentication) vary with other threat-feed providers.
 
For guidance on troubleshooting issues with STIX/TAXII external connectors on the FortiGate after they are created, see the following Community Knowledge Base article:
Scope
FortiGate v7.0.2 and later.
Solution
1) Threat-feed providers often require users to authenticate before connecting to the threat-feed, so it is important to know how the provider handles authentication before proceeding with setup.
- AlienVault's recommended method for long-term authentication is to use the user's OTX API key. Users can find their OTX key at the following link, along with API documentation from AlienVault: https://otx.alienvault.com/api
 
2) After obtaining the OTX API key, the next step is obtaining the TAXII threat-feed URL (also called 'pulses' by AlienVault). In this example, the 'Phishing domain names' pulse will be used as the threat-feed source: https://otx.alienvault.com/pulse/5ee7247cdb3820b358b37a71
- Each AlienVault pulse will include a download dropdown menu that lists the available data formats. In this case, select and copy the 'STIX 2.0' or 'STIX 2.1' links (STIX 1.1 is not supported by the FortiGate's TAXII implementation).
 
3) AlienVault threat-feed links must be modified before installing them on the FortiGate. The following shows the STIX 2.0 URL before and after modification (the API key embedded in the original download link is shown as a placeholder):

Before: https://otx.alienvault.com/otxapi/pulses/5ee7247cdb3820b358b37a71/export/?format=stix2.0&token=<OTX API key>
After: stix://otx.alienvault.com/otxapi/pulses/5ee7247cdb3820b358b37a71/export/?format=stix2.0
- Note the change from https:// to stix://, as well as the removal of the 'token' parameter. The key is supplied through HTTP basic authentication in step 5 instead, so it is not stored in the resource URI.
 
4) With the OTX API key and the TAXII threat-feed URL ready, log in to the FortiGate web GUI and navigate to Security Fabric -> External Connectors. Select 'Create New' in the top-left corner, then scroll to the bottom of the page and select the type of Threat Feed to be created.
Options include FortiGuard Category, IP Address, Domain Name, and Malware Hash. Pick the type that matches the indicators carried by the pulse, since entries that do not fit the selected type are reported as invalid (see step 6).
- In this example, FortiGuard Category will be used as the external connector type.
 
5) In the Connector Settings, fill in the required fields using the information obtained in earlier steps, then select 'OK' to save the configuration.
- The 'Update method' can remain as External Feed.
- The 'URI of external resource' must start with 'stix://' when connecting to TAXII-based feeds; otherwise the downloaded entries may be shown as invalid.
- Enable the 'HTTP basic authentication' toggle, then enter the OTX API key in the 'Username' field. As per AlienVault's documentation, the 'Password' field is not checked, so any value can be entered.
- The 'Refresh Rate' does not need to be altered in the case of AlienVault, but other threat-feed providers might impose rate limits that require adjusting the refresh rate.
 
(Screenshot: ExternalConnector_Setup_01.png)
6) On Security Fabric -> External Connectors, use the refresh button in the top-right corner of the newly created External Connector to manually trigger the FortiGate to download the threat-feed entries.
- This process may take 1-2 minutes to complete, and it may initially take 1-2 refresh attempts. When it completes successfully, a green circle with a checkmark will appear on the external connector.
- Hovering over the external connector's icon will list the number of valid/invalid entries received on the connector.
- Note: the FortiGate is limited to a maximum of 131,072 entries per resource by design. The FortiGate will still download threat-feeds with more entries than the limit, but entries beyond the limit will not be loaded, displayed, or utilized.
 
(Screenshot: ExternalConnector_MaximumLimit.png)
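The following script is an added example written for this article; it is not code from the article, from Fortinet or from AlienVault. It carries the procedure above through in code: it rewrites a pulse download link into the 'stix://' form from step 3 (refusing STIX 1.x exports), emits the CLI equivalent of the GUI form from step 5 (assumed to be 'config system external-resource', with a placeholder FortiGuard custom category number), and sorts a STIX 2.x bundle into the valid/invalid counts and the 131,072-entry cap described in step 6. The bundle is constructed for the example and stands in for the 'Phishing domain names' pulse export.

```python
"""Added example (editor's code, not from the article, Fortinet or AlienVault):
prepare an AlienVault OTX pulse for a FortiGate STIX/TAXII external connector.
The sample bundle is constructed, and the FortiOS CLI output assumes the
'config system external-resource' equivalent of the GUI form with a placeholder
category number."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

FORTIGATE_MAX_ENTRIES = 131072               # per-resource cap stated in the article
SUPPORTED_FORMATS = {"stix2.0", "stix2.1"}   # STIX 1.x is not accepted by the FortiGate

# FortiGate threat-feed type -> STIX observable types that feed can load
FEED_OBSERVABLES = {
    "category": {"domain-name", "url"},
    "domain": {"domain-name"},
    "address": {"ipv4-addr", "ipv6-addr"},
    "malware": {"file"},
}

# Simple STIX 2.x comparison pattern, e.g. [domain-name:value = 'bad.example']
PATTERN_RE = re.compile(
    r"^\[(?P<obs>[\w-]+):(?P<prop>[\w.'-]+)\s*=\s*'(?P<value>[^']*)'\]$")


def to_fortigate_uri(download_url: str) -> str:
    """Rewrite the pulse download link as the 'stix://' URI the FortiGate expects:
    swap the scheme and drop the 'token' parameter so the API key is never stored
    in the resource URI (it goes into HTTP basic authentication instead)."""
    parts = urlsplit(download_url)
    if parts.scheme != "https":
        raise ValueError(f"expected an https download link, got {parts.scheme!r}")
    query = [(k, v) for k, v in parse_qsl(parts.query) if k != "token"]
    fmt = dict(query).get("format")
    if fmt not in SUPPORTED_FORMATS:
        raise ValueError(f"format={fmt!r} not usable; export the pulse as stix2.0 or stix2.1")
    return urlunsplit(("stix", parts.netloc, parts.path, urlencode(query), ""))


def fortios_cli(name: str, uri: str, api_key: str, feed_type: str,
                category: int = 192, refresh_rate: int = 5) -> str:
    """CLI form of the GUI steps (assumed equivalent of Security Fabric ->
    External Connectors). 'category' is a placeholder FortiGuard custom
    category ID and only applies when feed_type is 'category'."""
    lines = ["config system external-resource",
             f'    edit "{name}"',
             f"        set type {feed_type}"]
    if feed_type == "category":
        lines.append(f"        set category {category}")
    lines += [
        f'        set resource "{uri}"',
        f"        set refresh-rate {refresh_rate}",
        f'        set username "{api_key}"',   # OTX key goes in the username field
        '        set password "unused"',        # AlienVault does not check the password
        "    next",
        "end",
    ]
    return "\n".join(lines)


def split_indicators(bundle: dict, feed_type: str):
    """Classify a STIX 2.x bundle the way the connector's valid/invalid counter
    does: indicators whose observable type fits the feed are valid, the rest are
    invalid, and valid entries past the 131,072 cap are dropped."""
    wanted = FEED_OBSERVABLES[feed_type]
    valid, invalid = [], []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue                     # only live indicator objects carry entries
        m = PATTERN_RE.match(obj.get("pattern", ""))
        if m and m.group("obs") in wanted:
            valid.append(m.group("value"))
        else:
            invalid.append(obj.get("pattern", ""))
    dropped = max(0, len(valid) - FORTIGATE_MAX_ENTRIES)
    return valid[:FORTIGATE_MAX_ENTRIES], invalid, dropped


# Constructed bundle standing in for the 'Phishing domain names' pulse export.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--0f9a7a3e-1c6d-4b62-9f0e-0e4b1e5b2a10",
    "objects": [
        {"type": "indicator", "id": "indicator--1", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'login-verify.example']"},
        {"type": "indicator", "id": "indicator--2", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'secure-update.example']"},
        {"type": "indicator", "id": "indicator--3", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.7']"},
        {"type": "indicator", "id": "indicator--4", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "00" * 32 + "']"},
        {"type": "indicator", "id": "indicator--5", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'retired.example']", "revoked": True},
        {"type": "identity", "id": "identity--6", "name": "AlienVault OTX"},
    ],
}

if __name__ == "__main__":
    link = ("https://otx.alienvault.com/otxapi/pulses/5ee7247cdb3820b358b37a71"
            "/export/?format=stix2.0&token=REPLACE_WITH_OTX_KEY")
    uri = to_fortigate_uri(link)
    print(fortios_cli("OTX-Phishing-Domains", uri, "REPLACE_WITH_OTX_KEY", "category"))
    valid, invalid, dropped = split_indicators(SAMPLE_BUNDLE, "category")
    print(f"valid={len(valid)} invalid={len(invalid)} dropped={dropped}")
```

Run against the constructed bundle with the 'category' feed type, the two domain-name indicators are accepted, the IPv4 and file-hash indicators are counted as invalid (the same mismatch the hover counter in step 6 reports when the feed type does not match the pulse), and the revoked indicator is ignored. Swapping the feed type to 'malware' flips which entries are valid, which is the practical reason to match the connector type to the pulse in step 4.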