- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- FortiWebCloud
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- IP Threat Feed as Whitelist
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IP Threat Feed as Whitelist
Every couple minutes I query a few endpoints to gather a list of ipv4 public addresses for all of our remote work employees. These employees often travel and have ISPs that issue dynamic addresses, so this list will be dynamic.
I'm hesitant in creating a address group because this could be several thousand addresses. Not only that, address groups touch the firewall ssd/hdd drive so I worry that modifying addresses groups once a minute could be a heavy task on the firewall.
I'm wanting to use the External Connector Threat IP Feed as a whitelist on our SSLVPN portal. In the event that the .txt file can't be retrieved, this would need to fail open (allow all). I've tried forcing it to fail (changing the endpoint so it'll time out), but the log doesn't indicate it failed, thus I'm not able to use the Automation feature.
Any ideas on this?
FortiGate
FortiGate
Labels:
- Labels:
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am just trying to understand the requirement in a better way, when you say you are querying end points public address , they are already connected successfully to the VPN. What can the whitelist do now, as the users are already authenticated/connected?
Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No I'm querying endpoints like the FortiEMS. We manually install the FortiEMS on employee computers, so the public ip addresses that are successfully registered to the FortiEMS are the addresses that I want to use in this white list. All I have to do is query the FortiEMS to get a list of active client addresses.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear Alanrs,
I believe using the external connector IP address threat feed should be feasible to utilize a dynamic list for your whitelist. Then in the event that the FortiGate failed to retrieve/update its thread feed, you can set an automation to allow all IPs into your SSLVPN instead.
The idea is to configure a trigger event ID 22221 (Threat feed update failed), then set an action to modify the "source-address" of the SSLVPN settings via CLI to "any".
I hope I understood your query.
Regards,
Denice
Regards,
Denice
Denice
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Q address groups touch the firewall ssd/hdd drive so I worry that modifying addresses groups once a minute could be a heavy task on the firewall.
Sol: This option is not resource-intensive and you can build the address group(s) . Firewall CPU and memory consumption can be monitored after the implementation.
However, you can still use the threat feed along with the custom IP group that can be built using something similar to this article.
In case the threat feed fails, you can use your custom block list build by using the following article
Amritpal Singh
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
Labels
-
FortiGate
7,297 -
FortiClient
1,439 -
5.2
801 -
5.4
639 -
FortiManager
629 -
FortiAnalyzer
472 -
6.0
416 -
FortiSwitch
380 -
FortiAP
380 -
5.6
362 -
FortiClient EMS
298 -
FortiMail
285 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
179 -
FortiNAC
130 -
6.4
128 -
FortiGuard
118 -
SSL-VPN
116 -
IPsec
112 -
FortiGateCloud
97 -
FortiSIEM
96 -
FortiCloud Products
90 -
FortiToken
79 -
Customer Service
71 -
Wireless Controller
66 -
4.0MR3
64 -
SD-WAN
57 -
FortiProxy
51 -
FortiADC
46 -
FortiEDR
46 -
Fortivoice
45 -
FortiDNS
42 -
FortiAuthenticator
38 -
FortiSandbox
37 -
Firewall policy
37 -
FortiExtender
36 -
FortiGate v5.4
36 -
VLAN
33 -
FortiSwitch v6.4
32 -
High Availability
32 -
DNS
26 -
ZTNA
25 -
LDAP
25 -
FortiWAN
24 -
FortiConnect
24 -
FortiConverter
23 -
BGP
22 -
FortiGate v5.2
22 -
Interface
22 -
Certificate
21 -
SAML
21 -
Authentication
20 -
Routing
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiLink
18 -
VDOM
17 -
RADIUS
16 -
Logging
16 -
FortiMonitor
15 -
NAT
15 -
FortiGate v5.0
14 -
Fortigate Cloud
14 -
FortiDDoS
14 -
Web profile
13 -
Virtual IP
13 -
SSL SSH inspection
13 -
Application control
12 -
FortiCASB
12 -
Traffic shaping
11 -
IP address management - IPAM
10 -
FortiManager v5.0
10 -
SSO
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
OSPF
9 -
4.0MR2
9 -
WAN optimization
9 -
Web application firewall profile
8 -
Static route
8 -
RMA Information and Announcements
8 -
FortiSOAR
8 -
Proxy policy
8 -
FortiAnalyzer v5.0
8 -
FortiBridge
8 -
SNMP
8 -
FortiAP profile
8 -
FortiGate v4.0 MR3
8 -
Admin
8 -
Security profile
7 -
Automation
7 -
4.0
7 -
Traffic shaping policy
6 -
trunk
6 -
IPS signature
5 -
Packet capture
5 -
Port policy
5 -
Antivirus profile
5 -
System settings
5 -
DNS Filter
5 -
FortiCache
5 -
FortiTester
5 -
FortiManager v4.0
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Web rating
4 -
Intrusion prevention
4 -
Traffic shaping profile
4 -
FortiPAM
4 -
Fortinet Engage Partner Program
4 -
FortiCarrier
4 -
3.6
4 -
FortiScan
4 -
DLP sensor
4 -
DoS policy
4 -
Email filter profile
3 -
Fabric connector
3 -
NAC policy
3 -
Users
3 -
Multicast routing
3 -
FortiToken Cloud
3 -
FortiHypervisor
3 -
Application signature
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
FortiDB
3 -
DLP profile
3 -
FortiInsight
2 -
File filter
2 -
Netflow
2 -
Protocol option
2 -
Zone
2 -
FortiNDR
2 -
FortiAI
2 -
Schedule
2 -
Explicit proxy
2 -
Internet Service Database
2 -
VoIP profile
2 -
4.0MR1
1 -
RIP
1 -
Multicast policy
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
TACACS
1 -
Replacement messages
1 -
FortiManager-VM
1 -
SDN connector
1 -
Service
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.