FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jhussain_FTNT

Description


From FortiOS version 6.2 onwards, an external block list (threat feed) can be used in a firewall policy.
In addition to using the external block list for web filtering and DNS filtering, it can now be applied in firewall policies.

This article describes how to use the external block list.

Solution


This version includes the following new features:

1) Policy support for an external IP list used as the source/destination address.
2) Supported in IPv4 and IPv6 firewall policies only. ACL, DoS, NAT64, NAT46, shaping and local-in policies are not supported.
3) Support for both CLI and GUI.

Configuration.


Go to Security Fabric -> Fabric Connectors -> Threat Feeds -> IP Address and create or edit an external IP list object.

Select 'View Entries' to see the external IP list.

Then go to Policy & Objects -> IPv4 Policy, create a new policy, and specify the threat feed block list as the destination.

Select 'Apply'; any connection from a user to an IP listed in the threat feed will then be denied.

To create an external IP list object using the CLI:
# config system external-resource
    edit "test-external-iplist-1"
        set status enable
        set type address
        set username ''
        set password ENC
        set comments ''
        set resource "http://100.100.100.100/ip_list_test/test-external-iplist-2.txt"
        set refresh-rate 15
    next
end
To apply an external IP list object to the firewall policy using the CLI:
# config firewall policy
    edit 1
        set name "policyid-1"
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "test-external-iplist-1"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set auto-asic-offload disable
        set nat enable
    next
end
Results.

If users try to access an IP listed on the threat feed, their connection will be dropped.

Note.

The recommended maximum size of the text file for an external threat list is approximately 10 MB.

The content of the external feed can be monitored with the following API query, where 'USOM' is the name of the external threat feed:

https://x.x.x.x/api/v2/monitor/system/external-resource/entry-list/USOM/?access_token=Hnb9ccdd17y10xnp7zn1mjtwkQ0nwN

This API query shows both the content of the feed and the latest status of the feed update.

In case of a communication issue, the API query reports the status as 'error', as in the following example:

[screenshot: API response with status 'error']

The following URL provides only the status of the external connector, without its content:

https://x.x.x.x/api/v2/monitor/system/external-resource/entry-list/USOM?status_only=true

Remark: In case of communication issues, the FortiGate does not receive the updates but preserves the original file, so the last successfully fetched list stays in force.
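To put the two monitor queries above to use, here is an added Python example (not from the article or from Fortinet): it builds the entry-list URLs, flags a feed whose update status is 'error' (the FortiGate then keeps enforcing its last good copy, so the block list may be stale), and sanity-checks a feed text file against the IPv4/IPv6-only and ~10 MB limits before it is published. The JSON response shape, the '#' comment convention in the feed file, and every sample value are assumptions.

```python
import ipaddress
import json
from urllib.parse import quote

MAX_FEED_BYTES = 10 * 1024 * 1024  # the ~10 MB ceiling the article recommends


def monitor_url(host, feed_name, token, status_only=False):
    """Build the entry-list monitor URL shown in the article for one external-resource object."""
    url = f"https://{host}/api/v2/monitor/system/external-resource/entry-list/{quote(feed_name)}"
    url += f"?access_token={token}"
    if status_only:
        url += "&status_only=true"  # connector status only, no feed content
    return url


def feed_health(response_text):
    """Interpret the JSON reply; assumed shape: {"results": {"status": ..., "entries": [...]}}.
    Returns (stale, entry_count). stale is True on status 'error': the FortiGate is then still
    enforcing the last copy it fetched successfully rather than the current feed."""
    results = json.loads(response_text).get("results", {})
    status = str(results.get("status", "")).lower()
    entries = results.get("entries") or []
    return status == "error", len(entries)


def validate_feed_file(text):
    """Check a feed file (one IPv4/IPv6 address or prefix per line) before publishing it.
    Returns (accepted_prefixes, rejected_lines, oversized). '#' comments are an assumption."""
    oversized = len(text.encode()) > MAX_FEED_BYTES
    accepted, rejected, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            prefix = str(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append((lineno, raw))  # an unparseable line never becomes a block entry
            continue
        if prefix not in seen:  # duplicates add nothing to the block list
            seen.add(prefix)
            accepted.append(prefix)
    return accepted, rejected, oversized


# Constructed sample data; the token and feed contents are placeholders, not real values.
SAMPLE_URL = monitor_url("x.x.x.x", "USOM", "TOKEN_PLACEHOLDER", status_only=True)
SAMPLE_RESPONSE = json.dumps({"results": {"status": "error", "entries": ["192.0.2.10", "198.51.100.0/24"]}})
SAMPLE_FEED = "# constructed block list\n192.0.2.10\n198.51.100.0/24\n2001:db8::/32\nnot-an-ip\n192.0.2.10\n"
```

Run `validate_feed_file` on the file you are about to host and `feed_health` on the reply from the FortiGate; a stale feed combined with a file that shrank or gained bad lines is the case worth alerting on.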