FortiGate
fsilva (Staff)
Article Id 285404
Description: This article describes how to block malicious domain names using a domain name threat feed list.
Scope: When a domain name threat feed is needed to block access to malicious websites with the DNS Filter UTM profile.
Solution:
For this demonstration, create a local text file with one domain per line (the format the Domain Name Threat Feed connector fetches). The domains used here, such as Google and Facebook, are not malicious; they are included only so that the blocking is easy to observe from a test PC.

If a public feed is preferred, URLhaus (abuse.ch) publishes lists of domains and URLs that currently host malware, and the same connector can point at one of them.

In this example the file is published with IIS on a Windows Server; any web server that returns the file over HTTP or HTTPS works. For a production feed, prefer HTTPS so the list cannot be altered in transit, and make sure the file is reachable from the FortiGate interface that performs the download.

  1. Create a Domain Name Threat Feed under Security Fabric -> External Connectors (Create New -> Threat Feeds -> Domain Name).

     Point the URI of the external resource at the published file: 10.0.100.2 is the IIS server and blocked.txt is the file created above, which contains the example domains. The Refresh Rate sets how often FortiGate re-downloads the list, so a change to the file is not seen until the next refresh.

  2. Validate that FortiGate has downloaded the domain names: select the connector and click View Entries.

     Both domains are listed, so FortiGate can now use this list as a domain name threat feed. If no entries appear, check that the FortiGate can reach the web server (the connector card shows the last download status) and that the file is plain text with one domain per line.

  3. Apply the custom domain list in a DNS Filter profile under Security Profiles -> DNS Filter.

     The threat feed appears under Remote Categories with the name given to the connector. Right-click it and select Redirect to Block Portal (the other available actions are Allow, Block and Monitor).

  4. Create a firewall policy that applies the DNS Filter profile.

     The policy must match the DNS queries themselves (here: any traffic from port3 to port1, service ALL), because the DNS filter inspects the DNS request and rewrites the answer; it does not act on the later web connection. This example uses proxy-based inspection with the deep-inspection SSL/SSH profile. Deep inspection is not what makes the DNS filter work: a DNS Filter profile can also be applied in flow-based inspection, and SSL inspection only affects how the redirected HTTPS connection to the block portal is presented to the browser (step 5). If the clients use the FortiGate itself as their DNS server, a firewall policy never sees their queries; apply the profile to the DNS service instead (config system dns-server, set dnsfilter-profile).

     Config under CLI:

     config firewall policy
         edit 6
             set name "blocked domains"
             set uuid 11c01bc2-8891-51ee-3067-546b448ba38c
             set srcintf "port3"
             set dstintf "port1"
             set action accept
             set srcaddr "all"
             set dstaddr "all"
             set srcaddr6 "all"
             set dstaddr6 "all"
             set schedule "always"
             set service "ALL"
             set utm-status enable
             set inspection-mode proxy
             set ssl-ssh-profile "deep-inspection"
             set dnsfilter-profile "default"
             set nat enable
         next
     end

  5. From a PC behind port3, try to access one of the listed domains.

     Because the DNS filter replaces the real A record with the FortiGuard block portal address, the browser shows either the block page or a certificate warning: the block portal cannot present a certificate for the requested hostname, so HTTPS requests reach it with a name mismatch.

     On the warning page, open the certificate details (Certificate is not valid) to confirm that the connection went to the FortiGuard SDNS Blocked page rather than to the real site.

     Another example, in Firefox, shows the block page without the certificate warning.

     Two checks that do not depend on the browser: nslookup of a listed domain from the PC should return the block portal address instead of the site's real address, and Log & Report shows the matching DNS Query log entries for the redirected requests.
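The feed-file preparation at the start of this article and the check in step 5 can be scripted. The following is an added example, not part of the original article or of FortiOS: it normalizes a candidate list into the one-domain-per-line text file the connector fetches, rejects entries that are not hostnames (URLs, underscores, leading dots) so the connector never receives a line it cannot use, optionally serves the directory over plain HTTP as a lab stand-in for IIS (assumption: any plain web server works), and resolves a domain from the test PC to confirm the DNS filter rewrote the answer. The block portal address is passed in as an argument because this page does not print it; the sample list is constructed for the example.

```python
"""Build, publish and verify a FortiGate Domain Name Threat Feed file.

Added example (not from the Fortinet article or FortiOS). Assumes the
connector fetches a plain-text file with one domain per line.
"""
import re
import socket
import sys
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path

# Constructed sample input in the spirit of the article's list. Google and
# Facebook are NOT malicious; they are here only so the block is observable.
SAMPLE_INPUT = """
# demo list for the DNS filter threat feed
www.google.com
WWW.FACEBOOK.COM        # mixed case and a trailing comment
www.google.com          # duplicate, dropped
http://evil.example/p   # a URL, not a domain: rejected
bad_host.example        # underscore is not valid in a hostname: rejected
.example.com            # leading dot: rejected
"""

# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_valid_domain(name: str) -> bool:
    """Syntactic hostname check: RFC 1123 labels, <= 253 chars, >= 2 labels."""
    if not name or len(name) > 253 or name.startswith(".") or name.endswith("."):
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(LABEL.match(label) for label in labels)


def build_feed(text: str) -> tuple[list[str], list[str]]:
    """Return (accepted, rejected). Strips # comments, lowercases, dedupes."""
    accepted: list[str] = []
    rejected: list[str] = []
    seen: set[str] = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower()
        if not entry:
            continue                      # blank or comment-only line
        if not is_valid_domain(entry):
            rejected.append(raw.strip())  # keep the raw line for the operator
        elif entry not in seen:
            seen.add(entry)
            accepted.append(entry)
    return accepted, rejected


def write_feed(path: Path, text: str) -> int:
    """Write the cleaned feed (one domain per line); return the entry count."""
    accepted, rejected = build_feed(text)
    for line in rejected:
        print(f"rejected: {line}", file=sys.stderr)
    path.write_text("\n".join(accepted) + "\n", encoding="ascii")
    return len(accepted)


def serve(directory: Path, port: int) -> None:
    """Stand-in for IIS: serve `directory` over plain HTTP (lab use only)."""
    handler = partial(SimpleHTTPRequestHandler, directory=str(directory))
    with ThreadingHTTPServer(("0.0.0.0", port), handler) as httpd:
        httpd.serve_forever()


def resolve(domain: str) -> set[str]:
    """IPv4 addresses the local resolver returns for `domain` (network call)."""
    return {info[4][0] for info in socket.getaddrinfo(domain, 80, socket.AF_INET)}


def is_redirected(domain: str, block_portal_ip: str) -> bool:
    """True when every answer is the block portal address, i.e. the DNS filter
    rewrote the reply. Assumption: block_portal_ip is the address the profile
    redirects to (the article does not print it)."""
    answers = resolve(domain)
    return bool(answers) and answers == {block_portal_ip}


if __name__ == "__main__":
    cmd = sys.argv[1:2]
    if cmd == ["build"]:
        print(f"wrote {write_feed(Path(sys.argv[2]), SAMPLE_INPUT)} domains")
    elif cmd == ["serve"]:
        serve(Path.cwd(), int(sys.argv[2]))
    elif cmd == ["check"]:
        print("blocked" if is_redirected(sys.argv[2], sys.argv[3]) else "NOT blocked")
    else:
        sys.exit("usage: feed.py build <file> | serve <port> | check <domain> <portal-ip>")
```

Run `feed.py build blocked.txt` on the web server to produce the file the connector downloads, `feed.py serve 8080` in that directory if no IIS is available, and `feed.py check www.google.com <block portal address>` on the test PC after the policy is in place. Rejected lines are reported on stderr rather than silently dropped, so a typo in a real blocklist is noticed before the connector refreshes.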