anoushiravan
Staff
Article Id 225335
Description: This article describes how to block web access by creating a block list of URLs or IP addresses on a remote HTTP or HTTPS server (external resources) on FortiGate.
Scope: FortiGate, DNS filter profiles that use external IP block lists to block DNS requests resolving to certain IP addresses.
Solution

The external resource on the remote HTTP/HTTPS server must meet the following conditions:

  • The external resource file must be a plaintext file, with one entry (URL) per line.
  • Each line can be an IP address or a subnet.
  • The file is limited to 10 MB.
  • The maximum number of lines is limited to 128K (128 x 1024 entries).
  • The line length limit is 4K characters.
  • The entries are also limited by the table size limitation defined by CMDB per model.
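Because FortiGate silently applies these limits when it fetches the list, it is worth checking a `type address` list against them before publishing it to the HTTP server. The following validator is an added example, not part of the Fortinet article or product; the thresholds are the ones stated above and the sample list is constructed.

```python
"""Validate a FortiGate external-resource address block list before publishing it.

Added example (not from the Fortinet article). It checks a plaintext list of
IP addresses/subnets against the limits the article states: 10 MB file size,
128 x 1024 lines, 4K characters per line, one IP or subnet per line.
"""
import ipaddress

MAX_BYTES = 10 * 1024 * 1024      # "The file is limited to 10 MB"
MAX_LINES = 128 * 1024            # 128K entries
MAX_LINE_LEN = 4 * 1024           # 4K characters per line


def validate_blocklist(text: str) -> list[str]:
    """Return a list of problems found; an empty list means the file is acceptable.

    Blank lines carry no entry and are skipped, but they still count toward
    the line limit because FortiGate reads every line in the file.
    """
    problems = []
    data = text.encode("utf-8")
    if len(data) > MAX_BYTES:
        problems.append(f"file is {len(data)} bytes, limit is {MAX_BYTES}")
    lines = text.splitlines()
    if len(lines) > MAX_LINES:
        problems.append(f"{len(lines)} lines, limit is {MAX_LINES}")
    for no, line in enumerate(lines, start=1):
        if len(line) > MAX_LINE_LEN:
            problems.append(f"line {no}: {len(line)} chars, limit is {MAX_LINE_LEN}")
            continue
        entry = line.strip()
        if not entry:
            continue
        try:
            # strict=False tolerates host bits set in a subnet (e.g. 10.1.2.3/24)
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append(f"line {no}: {entry!r} is not an IP address or subnet")
    return problems


# Constructed sample list: two valid entries followed by one malformed entry.
SAMPLE = "203.0.113.7\n198.51.100.0/24\nnot-an-ip\n"

if __name__ == "__main__":
    for problem in validate_blocklist(SAMPLE):
        print(problem)
```

Run it against the file you are about to serve; an empty result means the list fits within every limit the article lists.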

Example configuration via CLI:

config system external-resource
    edit "External-resource-files"
        set type address
        set resource "http://10.104.3.130/resources/urls"
        set refresh-rate 2
    next
end

Note: FortiGate connects to the remote HTTP server every 2 minutes (set refresh-rate 2) to refresh the list automatically. The default refresh-rate is 5 minutes; the value can be set between 1 and 43200 minutes.

config dnsfilter profile
    edit "default"
        set external-ip-blocklist "External-resource-files"
    next
end


To view the external resource database files on FortiGate, run the following command via CLI:

FortiGate # fnsysctl ls -l /var/log/external/

-rw-r--r-- 1 0 0 Mon Apr 25 04:15:19 2022 15762 ext-root.External-resource-files
-rw-r--r-- 1 0 0 Mon Apr 25 04:15:19 2022 33 ext-root.External-resource-files.csum
-rw-r--r-- 1 0 0 Mon Apr 25 04:15:19 2022 35 ext-root.External-resource-files.etag

Note: In an HA cluster, the external resource database is synchronized from the primary unit to the secondary units. An HA log message stating that the HA members are out-of-sync due to 'external-files' is generated when the FortiGate starts fetching the latest URL or IP list from the remote HTTP or HTTPS server:

date=2022-04-25 time=04:15:41 id=7090343938808087133 itime="2022-04-25 04:15:43" euid=3 epid=3 dsteuid=3 dstepid=3 logver=700020234 logid=0108037903 type="event" subtype="ha" level="information" msg="The sync status with the primary" logdesc="Synchronization status with primary" sync_type="external-files" sync_status="out-of-sync" eventtime=1650849342264133363 tz="+0300" devid="FG1K5DT365987569" vd="root" dtime="2022-04-25 04:15:41" itime_t=1650849343 devname="FW1"


Related documents:
External resources for web filter - FortiGate cookbook

Troubleshooting Tip: The external resource contains more entries than is supported