Using external threat feeds in FortiGate has become much easier

By Yuri posted Jul 29, 2020 11:13 AM


The case in point: how to block incoming connections sourced from IP addresses supplied as a list by a third-party commercial Threat Intelligence feed.

Until FortiOS 6.0.1 we had to resort to custom scripts which downloaded those block lists, parsed them and compiled FortiGate CLI commands to add the entries as address objects, working around limitations by grouping the addresses into Address Groups. In short, it was doable but painful. No more: starting with FortiOS 6.0.1 we have a Fabric Connector for IP address/domain block lists, which can be used in DNS Filtering (6.0.1 and newer) and, from 6.2 onward, also as regular Address objects in the Source/Destination fields of security policies.

So let's see how to do it. For this post I will use the free "Bogons List" by Team Cymru, since in the original case I was using a commercial, confidential feed which cannot be disclosed here. The idea is identical: the feed provider gives (usually) an HTTP/HTTPS link to download the IP block list. The list must have one IP address/network or domain per line and must be readable as plain text. Example:

# last updated 1595753401 (Sun Jul 26 08:50:01 2020 GMT)
0.0.0.0/8
5.44.248.0/21
5.57.208.0/21
5.172.176.0/21

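A quick sanity check on a downloaded feed before pointing a connector at it, as an added example in Python that is not code from this post or from Fortinet: it parses the plain-text format described above (one prefix per line, with the `#` header line skipped), reports lines a connector could not use, and checks whether a given source address falls inside the feed, which is what the Deny rule later in the post relies on. The sample feed text is constructed; its first four prefixes mirror the excerpt, and the last three lines are deliberately malformed. `load_feed` is an assumed helper for fetching a real feed URL and is not called by default.

```python
import ipaddress
import urllib.request

# Constructed sample feed, in the one-entry-per-line plain-text format the
# post describes. The first four prefixes mirror the excerpt above; the last
# three lines are intentionally bad so the validator has something to reject.
SAMPLE_FEED = """\
# last updated 1595753401 (Sun Jul 26 08:50:01 2020 GMT)
0.0.0.0/8
5.44.248.0/21
5.57.208.0/21
5.172.176.0/21
10.0.0.0/8,bogon
5.44.248.0/33
not an address
"""


def load_feed(url, timeout=10):
    """Assumed helper: fetch a feed over HTTP/HTTPS and return it as text.

    Not called by default so the example runs offline; replace `url` with
    the provider's link when using it for real.
    """
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def parse_feed(text):
    """Split a plain-text IP feed into (networks, rejected_lines).

    Blank lines and lines starting with '#' are skipped. Every other line
    must be a single IPv4/IPv6 address or CIDR network; anything else is
    collected in rejected_lines as (line_number, raw_line) so it can be
    reported back to the feed provider instead of silently dropped.
    """
    networks, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # strict=False tolerates host bits set (e.g. 10.1.2.3/8) and
            # normalises them to the network address.
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append((lineno, raw))
    return networks, rejected


def is_blocked(networks, source_ip):
    """Return the first feed prefix containing source_ip, or None.

    This mirrors what the Deny rule does when the feed object is used as the
    policy's source address: the connection matches if its source falls
    inside any prefix of the feed.
    """
    addr = ipaddress.ip_address(source_ip)
    for net in networks:
        if addr.version == net.version and addr in net:
            return net
    return None


def summarize(networks):
    """Collapse overlapping/adjacent prefixes and count the addresses covered."""
    v4 = [n for n in networks if n.version == 4]
    v6 = [n for n in networks if n.version == 6]
    collapsed = list(ipaddress.collapse_addresses(v4)) + list(
        ipaddress.collapse_addresses(v6)
    )
    return collapsed, sum(n.num_addresses for n in collapsed)


if __name__ == "__main__":
    nets, bad = parse_feed(SAMPLE_FEED)
    collapsed, covered = summarize(nets)
    print(f"{len(nets)} usable prefixes ({covered} addresses), {len(bad)} rejected lines")
    for lineno, raw in bad:
        print(f"  rejected line {lineno}: {raw!r}")
    for probe in ("5.44.250.1", "8.8.8.8"):
        hit = is_blocked(nets, probe)
        print(f"  {probe}: {'DENY via ' + str(hit) if hit else 'no match'}")
```

The rejected-line report is the part worth keeping around: a feed that mixes CSV columns or comments into the entries will not look like the clean list above, and it is cheaper to find that out here than by wondering why the connector shows fewer entries than expected.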
The FortiOS version used here is 6.2.3. We start by creating a new Fabric Connector: Security Fabric -> Fabric Connectors -> Create New -> Threat Feeds: IP Address. In it we specify the URL to download the block list from, with optional HTTP Basic Authentication. It should look like this:

[Screenshot: Creating a new Fabric Connector for the feed]

Upon saving, give the FortiGate a few minutes to fetch the URL. When it is ready, the arrow changes from red to green:

[Screenshot: Connector has not fetched the feed yet]
[Screenshot: Connector has synchronized the feed]

Once the Fabric Connector is synchronized with the feed, we can edit it to verify the IPs/domains it downloaded:

[Screenshot: Contents of the feed]

What is left is to use this feed object in a security policy. Here I create a new rule, placed above the rule allowing HTTP/HTTPS access to the website, with the feed as the source address and the action set to Deny:

[Screenshot: Security rule using the feed object]

Key takeaway today: keep abreast of new major and minor FortiOS releases, as any update may introduce a new feature that makes your life as a network/security admin much easier.

Comments

25 days ago

Thank you. Do you have other examples for fabric connectors? The URL you had was actually a working URL, which is very good. All of the examples Fortinet has have URLs in them that reference private IP addresses, so technically they are useless.

26 days ago

Correct, port1 is Internet-facing, port2 is LAN/DMZ. Access is inbound from the Internet to the inside.

26 days ago

I meant to say port2

26 days ago

Can I assume that port1 is the outside and port to is one of the inside interfaces?