Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
fsilva
Staff
Staff

Created on ‎11-22-2023 01:00 AM

Article Id 285404

Technical Tip: How to block domain name using Domain Name Threat Feed

Description This article describes how to block malicious domain names using a threat feed list.
Scope When it is necessary to use a domain name threat feed to block access to malicious websites using DNS UTM.
Solution
  1. For this demonstration, create a local file that includes a list of domains. It is important to note that the domains used in this example, such as Google and Facebook, are not actually malicious. They are included just for demonstration purposes.

 

If it is wanted to use a public URL that provides a list of domains containing examples of malicious URLs, here is one for reference.

URL Haus 

 

In this example, use IIS on a Windows Server to publish the URL:

 

Screenshot 2023-11-21 174045.png

  1. Create a Domain Name Threat Feed under Security Fabric -> External Connectors:

     

    Screenshot 2023-11-21 174420.png

     

     

    Screenshot 2023-11-21 174746.png

     

    10.0.100.2 is the IIS local server and the blocked.txt is the file shown in step 1, which contains the example domains.

     

     

  2. Validate that FortiGate can see the domain names, select under View Entry:

     

    Screenshot 2023-11-21 175102.png

     

     

    Screenshot 2023-11-21 175200.png

     

    Since it is possible to see both domains, FortiGate is now able to use this list as a domain name treat feed.

     

     

  3. Use a UTM DNS, to apply the custom domain list under Security Profiles -> DNS Filter.

    Now it is possible to see under remote categories the domain list: 'right-click' and select redirect to a block portal.

     

    Screenshot 2023-11-21 175451.png

     

     

  4. Create a policy to apply the DNS UTM.

    Is Mandatory to have Deep Inspections under SSL Inspection.

     

    Screenshot 2023-11-21 180117.png

     

    Config under CLI:


    config firewall policy
        edit 6
            set name "blocked domains"
            set uuid 11c01bc2-8891-51ee-3067-546b448ba38c
            set srcintf "port3"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set ssl-ssh-profile "deep-inspection"
            set dnsfilter-profile "default"
            set nat enable
        next
    end

     

     

  5. From a PC try accessing the blocked domain.

    It is possible to see a warning from the browser related to the certificate or a blocked page:

    Screenshot 2023-11-21 172457.png

     

    Select Certificate is not valid to confirm the blocking from the FortiGuard SDNS Blocked page:

     

    Screenshot 2023-11-21 180820.png

     

    Here is another example without the certificate warning on Firefox:

     

    JeanPhilippe_P_0-1700643535146.png

 

 

 

 

 

 

5971
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.