Description
This article describes how to use the external block list.
From FortiOS 6.2 onwards, the external block list (threat feed) can be added to a firewall policy.
In addition to its use in web filtering and DNS filtering, the external block list can therefore be used in firewall policies.
Scope
FortiOS 6.2+.
Solution
This version includes the following new features:
- Policy support for external IP list used as source/destination address.
- Support for IPv4 and IPv6 firewall policy only. ACL, DoS, NAT64, NAT46, shaping, and local-in policy are not supported.
- Support for both CLI and GUI.
Note:
From versions 7.2.4 and 7.4.0, the External Threat Feed object is additionally supported in local-in policies, where it can be added as a srcaddr or a dstaddr.
Configuration.
Go to Security Fabric -> Fabric Connectors -> Threat Feeds -> IP Address, and create or edit an external IP list object.
If the list is served over a secure connection, from FortiOS 7.0.8 and 7.2.4 onwards there is an option to enforce validation of the remote server certificate:
set server-identity-check ?
none No certificate verification
basic Check server certifcate only.
full Check server certificate and domain match server certificate
If mutual TLS authentication is required, the FortiGate presents the Fortinet_Factory certificate; for it to be validated, the Fortinet_CA certificate must be imported on the remote server.
Select 'View Entries' to see the external IP list.
Then go to Policy & Objects -> IPv4 Policy, create a new policy, and specify the block list threat feed as the destination.
Select 'Apply'. Any user who then tries to access an IP listed in the threat feed will have the connection denied.
To create an external IP list object using the CLI.
To apply an external IP list object to the firewall policy using the CLI:
config firewall policy
edit 1
set name "policyid-1"
set srcintf "wan2"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "test-external-iplist-1"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set auto-asic-offload disable
set nat enable
next
end
Results.
If users are trying to access the IP list mentioned on the threat feed list, the connection will be dropped.
Note:
The text file for the external threat list should be kept below approximately 10 MB.
To add an external IP object from CLI on a local-in policy:
config firewall local-in-policy
edit 1
set uuid 6d2b3266-007f-51ee-a69c-8979765e0d51
set intf "port3"
set srcaddr "test-external-iplist-1" <--- Adding it as a source.
set dstaddr "all" <--- It is possible to also add it as a destination.
set service "HTTP"
set schedule "always"
next
end
The content of the external feed can be monitored with the following API query, where 'USOM' is the name of the external threat feed:
https://x.x.x.x/api/v2/monitor/system/external-resource/entry-list/USOM/?access_token=Hnb9ccdd17y10xnp7zn1mjtwkQ0nwN
This API query shows both the content of the feed and the latest status of the feed update.
In case of a communication issue, the API query reports the status as an 'error', similar to the following example:
The following URL provides only the status of the external connector, without its content:
https://x.x.x.x/api/v2/monitor/system/external-resource/entry-list/USOM?status_only=true
Remark: In case of communication issues, the FortiGate does not receive updates but preserves the original file.
Below are the steps for configuring a Windows PC as an external server for a threat feed:
1. Navigate to Start and search for 'Turn Windows features on or off'.
2. Enable IIS (Internet Information Services).
3. Navigate to C:\inetpub\wwwroot on the PC.
4. Create a text file there and add the entries to that file.
5. Configure the URI as http://<IP address of PC>/<filename.txt> on the FortiGate firewall.
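As an added check that is not part of this article or of FortiOS: a small Python validator for the text file published from the IIS server, enforcing the roughly 10 MB limit noted above and rejecting malformed lines before the FortiGate fetches the file. The accepted entry forms (single address, CIDR subnet, hyphenated range, '#' comment lines) and the sample feed are assumptions, not taken from the article.

```python
import ipaddress
import re

MAX_FEED_BYTES = 10 * 1024 * 1024  # the article: keep the feed file under about 10 MB
# Assumed entry forms (not from the article): address, CIDR subnet, or a-b range.
_RANGE_RE = re.compile(r"^([^-\s]+)-([^-\s]+)$")

def parse_entry(line: str):
    """Normalised entry, None for blank/comment lines, ValueError if malformed."""
    text = line.strip()
    if not text or text.startswith("#"):
        return None
    try:
        if "/" in text:
            return str(ipaddress.ip_network(text, strict=False))
        m = _RANGE_RE.match(text)
        if m:
            lo, hi = (ipaddress.ip_address(g) for g in m.groups())
            if lo.version != hi.version or lo > hi:
                raise ValueError("range is inverted or mixes IP versions")
            return f"{lo}-{hi}"
        return str(ipaddress.ip_address(text))
    except ValueError as exc:
        raise ValueError(f"invalid feed entry {text!r}: {exc}") from None

def validate_feed(data: bytes):
    """Return (accepted entries, problems) for a feed file body."""
    problems = []
    if len(data) > MAX_FEED_BYTES:
        problems.append(f"file is {len(data)} bytes, above the ~10 MB guideline")
    entries = []
    for lineno, raw in enumerate(data.decode("utf-8", "replace").splitlines(), 1):
        try:
            entry = parse_entry(raw)
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
            continue
        if entry is not None:
            entries.append(entry)
    return entries, problems

# Constructed sample (documentation ranges only), as it would be served from wwwroot.
SAMPLE_FEED = b"""# constructed sample feed
192.0.2.10
198.51.100.0/24
203.0.113.5-203.0.113.20
2001:db8::1
not-an-address
10.0.0.300
"""
```

Run validate_feed() on the bytes of the file before publishing it; an empty problems list means the file is within the size guideline and every line parsed.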