The following are the countries/regions that have Threat Feeds hosted by FortiGuard. These feeds are freely available and do not require authentication to utilize:

• IP ranges located in the region of Crimea:
  • https://filestore.fortinet.com/fortiguard/crimea_ip.list
• IP ranges located in the Donetsk People’s Republic (DNR) and the Luhansk People’s Republic (LNR) regions:
  • https://filestore.fortinet.com/fortiguard/dnr_lnr_ip.list
• IP ranges registered in Russia (as opposed to physically located):
  • https://filestore.fortinet.com/fortiguard/russia_reg_ip.list
• IP ranges registered in Iran (as opposed to physically located):
  • https://filestore.fortinet.com/fortiguard/iran_reg_ip.list
• IP ranges located in other disputed Ukrainian oblasts other than Crimea, the DNR and the LNR:
  
  • https://filestore.fortinet.com/fortiguard/ukraine_other_disputed_ip.list

If an IP address appeal needs to be submitted, refer to the IP Geolocation Appeal Form available on the FortiGuard website or send an email request to contact_geoip@fortinet.com

These Threat Feeds can be used on the FortiGate for the purposes of allowing/denying network access to/through the FortiGate (e.g. in Firewall Policies and Local-In Policies). For example, some regions are not configurable when using Geography Address objects on the FortiGate, and in certain legacy FortiOS versions (such as v 6.2 and older) it is not possible to toggle between registered location vs. physical location for GeoIP matching (see Additional Reading section below).

To configure these Threat Feeds, use the following steps:

Configuring Threat Feeds (GUI method):

1. In the FortiGate GUI, navigate to Security Fabric -> External Connectors and select the Create New button.
   • For VDOM-enabled FortiGates, Threat Feeds can either be configured in the Global VDOM (for all VDOMs to share) or in individual VDOMs.
2. Select Threat Feeds -> IP Address, then fill in the settings as follows:
   • The name can be set to an appropriate descriptive name for the Threat Feed. If the Threat Feed is configured in the Global VDOM then the name must be prefixed with 'g-' (e.g. 'g-FortiGuard_Crimea_IP_Feed')
   • URI of external resource will be set to one of the URLs specified above (e.g. 'https://filestore.fortinet.com/fortiguard/crimea_ip.list')
   • HTTP basic authentication can be toggled off (no authentication is required to access this feed).
   • Refresh Rate may be adjusted between 1-43200 minutes (default is every 5 minutes).
3. Select the OK button to commit the change. After a brief wait, the connector will show a green checkmark indicating that the FortiGate was able to reach the FortiGuard servers over the Internet and retrieve the Threat Feed list. Hovering over the connector will allow the received entries to be viewed.

Configuring Threat Feeds (CLI Method):

Run the following commands in the CLI to configure an external Threat Feed connector:

config system external-resource

edit <Name of Threat Feed connector>

set status enable

set type address

set resource <URL of Threat Feed>

set refresh-rate <1-43200, default = 5 minutes>

end

Related documents:

Technical Tip: Registered location and physical location of IP addresses

FortiGate Administration Guide - Configuring a Threat Feed

FortiManager Administration Guide - Creating threat feed connectors