Threat Feed in FortiGate (external IP blacklist).

Introduction

This post shows how to use an external black or white list of IP addresses on a FortiGate using a feature called Threat Feed. Starting with FortiOS 6.2 it is possible to import external IP address and domain name lists and use them in firewall policies and DNS Filter profiles. FortiOS 6.0 already allowed imported lists in proxy policies, but not in firewall policies. I will use FortiOS 6.2.3 for the demo.

Before we start

It is recommended to use the latest version of FortiOS, because even version 6.2.1 has some minor bugs related to Threat Feed. For example, 6.2.1 cannot fetch a feed from an HTTP server that uses chunked transfer encoding.

Step 1. Create a list of IP addresses.

Create a text file with one entry per line. The following list shows the valid entry formats: a single host address, a subnet in CIDR notation, and a range of addresses written as start-end:

192.168.1.100
172.200.0.0/16
192.168.1.0/24
172.16.10.1-172.16.10.100

Step 2. Host the file on HTTP server

Upload the file to a web server that the FortiGate can reach, because the FortiGate downloads the list from that server over HTTP. HTTPS is also accepted in the URI and is the better choice: anyone who can tamper with a plain-HTTP download can silently add or remove entries from your blacklist or whitelist. If you don't know which web server to use you can read this post, which shows how to set up a lightweight HTTP server using a Chrome extension.

Check that the file is accessible over HTTP from the network the FortiGate sits on. In my case the file can be reached at http://192.168.0.185:8887/blacklist.txt :
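Before hosting the file it is worth checking that every line is something the FortiGate will parse; a typo in one entry is easy to miss in a long list. The script below is an added example written for this post (not Fortinet code and not part of the original post): it validates a feed file against the three formats from Step 1, accepting only IPv4 as in the examples above, reports every rejected line with its line number, and can then serve the directory over plain HTTP on port 8887 like the URL used here. The feed contents embedded in it are constructed sample input.

```python
"""Validate an IP threat-feed file and optionally serve it over HTTP.

Added example for this post (not Fortinet's code). It accepts the entry
formats from Step 1: a single host, a CIDR subnet, and a "start-end" range.
Only IPv4 is accepted, matching the post's examples.
"""
import argparse
import functools
import http.server
import ipaddress
import sys

# Constructed sample feed: the four valid lines from Step 1 plus two bad ones
# (an out-of-range octet, and a range whose start is above its end).
SAMPLE_FEED = """\
192.168.1.100
172.200.0.0/16
192.168.1.0/24
172.16.10.1-172.16.10.100
10.0.0.300
172.16.10.100-172.16.10.1
"""


def parse_entry(line):
    """Return the normalized form of one feed line, or raise ValueError."""
    line = line.strip()
    if "-" in line:
        start, end = (ipaddress.IPv4Address(p.strip()) for p in line.split("-", 1))
        if start > end:
            raise ValueError("range start is above range end")
        return f"{start}-{end}"
    if "/" in line:
        # strict=True rejects entries with host bits set, e.g. 192.168.1.5/24
        return str(ipaddress.IPv4Network(line, strict=True))
    return str(ipaddress.IPv4Address(line))


def validate_feed(text):
    """Split feed text into (entries, errors).

    entries: normalized, de-duplicated, in file order
    errors:  (line_number, original_line, reason) for every rejected line
    Blank lines are ignored.
    """
    entries, errors = [], []
    for number, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        try:
            entries.append(parse_entry(raw))
        except ValueError as exc:
            errors.append((number, raw, str(exc)))
    return list(dict.fromkeys(entries)), errors


def serve(directory, port=8887):
    """Serve `directory` over plain HTTP, e.g. http://<host>:8887/blacklist.txt."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=directory)
    http.server.ThreadingHTTPServer(("0.0.0.0", port), handler).serve_forever()


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="check a FortiGate IP threat-feed file")
    ap.add_argument("feed", nargs="?", help="feed file (built-in sample when omitted)")
    ap.add_argument("--serve", metavar="DIR", help="after validating, serve DIR on port 8887")
    args = ap.parse_args()
    text = open(args.feed).read() if args.feed else SAMPLE_FEED
    entries, errors = validate_feed(text)
    for number, raw, reason in errors:
        print(f"line {number}: {raw!r}: {reason}", file=sys.stderr)
    print(f"{len(entries)} valid entries, {len(errors)} rejected")
    if errors:
        sys.exit(1)
    if args.serve:
        serve(args.serve)
```

Run it as python feedcheck.py blacklist.txt to get a non-zero exit status when any line is rejected, which makes it usable as a gate in whatever job publishes the file; add --serve . to host the directory afterwards (python -m http.server 8887 does the same without the check).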

Step 3. Create a Threat Feed

Go to Security Fabric -> Fabric Connectors and click on Create New.

Scroll down to the Threat Feeds category and select IP Address.

Set the Name and the URI of the external resource to configure the Threat Feed. Leave HTTP basic authentication disabled unless your web server requires credentials. The refresh rate defaults to 5 minutes; that is how often the FortiGate re-downloads the file, so changes to the list take effect within that interval. Click OK to save. Use the screenshot for reference:

Step 4. Verify the status of a new Threat Feed.

After you create the new Threat Feed you should see it under Security Fabric -> Fabric Connectors. Make sure it shows a green up arrow, which means the text file was downloaded successfully. If the arrow is red, the download failed; check that the FortiGate can reach the URL (routing, DNS if you used a hostname, and the server's port) before going further:

You can also right-click the new Threat Feed and select View Entries. You should see the imported entries like this:

Step 5. Use the Threat Feed in a policy

Go to Policy & Objects -> IPv4 Policy and create a new policy. The newly created Threat Feed can now be selected as Source or Destination. For a blacklist, make this a deny policy and place it above the policy that permits the traffic, since policies are matched top down; for a whitelist, use it as the address in the allow policy instead. As you can see in the image below, the Blacklist resource has been added to the list of available entries:

Hover the mouse over the Threat Feed resource and you will see its details just like for any other entry:
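For anyone who prefers the CLI, or wants to script the setup, the same configuration as Steps 3 and 5 looks like the following. This is an added example, not taken from the post: the feed name Blacklist, the interface names internal and wan1 and the policy name are my assumptions, the URL is the one used above, and the policy is written as a deny rule for the blacklist case.

```text
config system external-resource
    edit "Blacklist"
        set status enable
        set type address
        set resource "http://192.168.0.185:8887/blacklist.txt"
        set refresh-rate 5
    next
end

config firewall policy
    edit 0
        set name "Deny-blacklist"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "Blacklist"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

refresh-rate is in minutes. If the web server needs HTTP basic authentication, add set username and set password under the external-resource entry. edit 0 creates the policy with the next free ID at the bottom of the list, so move it above the policy that allows the traffic afterwards (move <new-id> before <allow-id> inside config firewall policy), otherwise the blacklist is never matched. Logging the denies (logtraffic all) is what lets you later confirm from the traffic log that the feed is actually blocking something.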

Conclusion

Now you know how to create your own black or white list of IP addresses and use it in your firewall policies. Thank you for reading.