FortiGate
hrahuman_FTNT
Article Id 205801
Description

This article describes the types of External Threat Feed and their locations in the GUI.
Scope

FortiGate.

Solution

There are 5 types of External Threat Feed.

 

  1. FortiGuard Category.
  2. IP Address.
  3. Domain Name.
  4. Malware Hash.
  5. MAC address (7.4.0 onwards).

 

CLI commands to view the type of the External Threat Feed:

 

config system external-resource
    edit "test-ip"
        set type address    <----- This IP address will be in the DNS profile under the external-ip-blocklist. This can also be used under IPv4 policies as Source/Destination.
        set resource "http://1.1.1.1"
    next
    edit "Test-domain"
        set type domain    <----- This category will be in the DNS filter profile only.
        set category 192
        set resource "http://2.2.2.2"
    next
    edit "Test-cat"
        set type category
        set category 193    <----- This category will be in the Web-filter profile only.
        set resource "http://3.3.3.3"
    next
    edit "Test-Hash"
        set type malware    <----- This Hash list will be in the antivirus profile.
        set resource "http://4.4.4.4"
    next
end


From 7.4.0 onwards, a 5th type has been introduced: MAC address.

config system external-resource
    edit "mac address"
        set type mac-address    <----- This can be used as a source in firewall policies, proxy policies, and ZTNA rules. For policies in transparent mode or the Firewall Virtual Wire Pair Policy, the MAC Address Threat Feed can be used as a source or destination address.
        set resource "http://5.5.5.5"
    next
end
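
The following is an added example, not part of the original article or of Fortinet's tooling: a Python audit of raw 'config system external-resource' output (without the '<-----' annotations) that reports where each feed type is used, per the annotations above, and flags feeds whose resource URL is not HTTPS, since a list fetched over cleartext HTTP can be altered in transit. The sample configuration, the feeds.example.internal URL and the function names are constructed for illustration.

```python
import shlex
from urllib.parse import urlparse

# Where each feed type is used, taken from the article's CLI annotations.
USED_IN = {
    "address": "DNS filter external-ip-blocklist; IPv4 policy source/destination",
    "domain": "DNS filter profile",
    "category": "Web filter profile",
    "malware": "AntiVirus profile",
    "mac-address": "firewall/proxy policy and ZTNA rule source (7.4.0 onwards)",
}

# Constructed sample in the article's format; the HTTPS URL is a placeholder.
SAMPLE = '''
config system external-resource
    edit "test-ip"
        set type address
        set resource "http://1.1.1.1"
    next
    edit "Test-cat"
        set type category
        set category 193
        set resource "https://feeds.example.internal/cat.txt"
    next
end
'''

def parse_feeds(text):
    """Return {entry name: {setting: value}} for each 'edit' entry."""
    feeds, current = {}, None
    for line in text.splitlines():
        tokens = shlex.split(line)
        if tokens[:1] == ["edit"] and len(tokens) > 1:
            current = feeds.setdefault(tokens[1], {})
        elif tokens[:1] == ["set"] and current is not None and len(tokens) > 2:
            current[tokens[1]] = tokens[2]
        elif tokens[:1] in (["next"], ["end"]):
            current = None
    return feeds

def audit(text):
    """Return (name, type, where used, findings) for each feed entry."""
    rows = []
    for name, cfg in parse_feeds(text).items():
        ftype, findings = cfg.get("type", ""), []
        if urlparse(cfg.get("resource", "")).scheme != "https":
            findings.append("resource is not fetched over HTTPS")
        rows.append((name, ftype, USED_IN.get(ftype, "unknown"), findings))
    return rows
```

Calling audit() on a saved copy of the CLI output returns one tuple per feed; a "where used" value of "unknown" means the entry's type was not shown or is not one of the five listed in this article.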

The GUI Location to view each External Threat Feed is as follows:

 

  1. FortiGuard Category.

     [Screenshot: FortiGuard Category threat feed in the GUI]

  2. IP Address.

     [Screenshot: IP Address threat feed in the GUI]

  3. Domain Name.

     [Screenshot: Domain Name threat feed in the GUI]

  4. Malware Hash.

     The resource will automatically be used for Virus Outbreak Prevention on AntiVirus profiles where the 'External Malware Block List' is enabled.

     [Screenshot: Malware Hash threat feed in the GUI]