This article describes how to configure an External Threat Feed for Web Filtering. The reason to use an External Threat Feed URL is that it is a scalable and manageable option if there is an extensive Static URL list to Allow/Monitor/Block using Fortiguard Web Filter.

For example, if there are over 70,000+ URL entries in the web filter's static URL filter, this can cause scalability and manageability issues, whereby adding an entry can take a long time for the list to get updated, and the GUI can become very sluggish.

In addition to that, whereby duplicate URLs are inputted, and if each of the duplicates has a different action, it may cause FortiGate to incorrectly block the URL.

Furthermore, with an External URL Threat Feed, it is easily possible to search for any potential duplicate URLs using the text editor's built-in features.

1. Create an External Threat Feed. This can be done on Windows Server OS or any program that can act as a web server.

   On the respective operating system, simply create a plain text file with URL entries.

   Ensure this threat feed can be accessed through the web browser.

Example: 

Accessed through Google Chrome:

2. Connect the FortiGate to the External URL List.

In the GUI, go to Security Fabric -> External Connectors, select 'Create New', scroll down, and under Threat Feeds, select FortiGuard Category. 

3. Configure it as such. The URL should be able to resolve the static URL list created on the web server in the earlier steps.

4. After configuring, the status of the Threat Feed should be valid and have a green check mark.

5. Select the 'View Entries' button to view the contents of the External URL List. All entries should be deemed Valid by FortiGate.

6. Go to the Web Filter on FortiGate to configure the Actions to be taken for the URLs in this list. On the GUI, go to Security Profiles -> Web Filter, and select the Web Filter profile to implement the External URL List.

7. In policy-based mode on a FortiGate firewall, to add an external threat feed URL for a FortiGuard category in a firewall policy, follow these steps: Navigate to Policy & Objects, expand the dropdown, and select Security Policy. Choose the desired policy and click 'Edit'. Select the URL category, scroll down to FortiGuard Category Threat Feed, and select the added threat feed.

Note: To view the Security Policy tab under Policy & Objects, refer to the following article to enable policy-based NGFW mode: ngfw policy - FortiGate administration guide.

Example: FortiOS 7.4.7 version.

The external URL list can be found under FortiGuard Category Based Filter -> Remote Categories.

Actions such as Allow, Monitor, Block, Warning, or Authenticate can be applied.

In this case, for testing purposes, Block will be selected as seen in the screenshot above.

Results:

As cnn.com is a URL in the External URL Threat List, it is blocked.

In the Category parameter of the Block message, it may belong to the External Connector that was configured earlier.

Note: The object that is created in the external connector for the FortiGuard category will be visible in the web filter remote category, but in IPv4 policy, it is not visible as the address object in source and destination addresses.

For any traffic that can potentially match to a policy with URL Category filtering then the PME will perform a FortiGuard category rating lookup. As long as url-category is used, a FortiGuard license is required, per design.