Blocking malicious domains using threat feeds

This example uses a domain name threat feed and FortiGate DNS filtering to block malicious domains. The text file in this example is a list of gambling site domain names.

Threat feeds allow you to dynamically import external block lists in the form of a text file into your FortiGate. These text files, stored on an HTTP server, can contain a list of web addresses or domains. You can use threat feeds to deny access to a source or destination IP address in Web Filter and DNS Filter profiles, SSL inspection exemptions, and as a source/destination in proxy policies. You can use Fabric connectors for FortiGates that do not belong to a Fortinet Security Fabric.

  1. Create an external block list. The external block list should be a plain text file with one domain name per line. The use of simple wildcards is supported. You can create your own text file or download it from an external service. Upload the text file to the HTTP file server.

  2. Configure the threat feed:
    1. In FortiOS, go to Security Fabric > Fabric Connectors. Click Create New.
    2. Under Threat Feeds, select Domain Name.
    3. Configure the Name, URI of external resource, and Refresh Rate fields. In the URI of external resource field, enter the location of the text file on the HTTP file server. By default, the FortiGate rereads the file and loads any changes every five minutes.

    4. Click View Entries to see the text file's domain list.

    5. Click OK.
  3. Add the threat feed to the DNS filter:
    1. Go to Security Profiles > DNS Filter.
    2. Scroll to the list of preconfigured FortiGuard filters.
    3. The resource file uploaded earlier is listed under Remote Categories. Set the action for this category to Block.

  4. Configure the outgoing Internet policy:
    1. Go to Policy & Objects > IPv4 Policy.
    2. Under Security Profiles, enable DNS Filter.
    3. From the SSL Inspection dropdown list, select an SSL inspection profile.
  5. View the results:
    1. Visit a domain listed in the external resource file. This example visits 123gambling.com. A Web Page Blocked! message appears.

    2. In FortiOS, go to Log & Report > DNS Query. The logs show that the 123gambling.com domain belongs to a blocked category.
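Before publishing a block list to the HTTP server, it helps to validate the file against the format the steps above require (one domain per line, simple wildcards allowed) and to confirm which entry would block a given query name. The following is an added example, not Fortinet code; the blank-line handling and the wildcard semantics (a `*` label standing for one or more leading labels, so `*.example.com` matches subdomains but not the apex) are assumptions, and the feed contents are constructed.

```python
import re

# Constructed sample of an external block list in the format the page describes:
# one domain per line, simple wildcards allowed. Not a real feed.
SAMPLE_FEED = """123gambling.com
*.casino-example.net

bad domain.com
poker-example.org
"""

# One DNS label (letters, digits, hyphens, no leading/trailing hyphen) or a bare '*'.
LABEL_RE = re.compile(r"^(?:\*|[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)$")


def parse_feed(text):
    """Split a feed file into accepted entries and (line number, text) rejects.

    Assumptions: blank lines are ignored, entries are case-insensitive, and a
    wildcard is only valid as a whole label (e.g. '*.example.com').
    """
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip().lower().rstrip(".")
        if not entry:
            continue
        labels = entry.split(".")
        if len(labels) < 2 or not all(LABEL_RE.match(lab) for lab in labels):
            rejected.append((lineno, raw))
            continue
        accepted.append(entry)
    return accepted, rejected


def entry_matches(entry, domain):
    """Assumed wildcard semantics: '*' stands for one or more labels, so
    '*.casino-example.net' matches 'x.casino-example.net' but not the apex."""
    pattern = "^" + re.escape(entry).replace(r"\*", r"[^.]+(?:\.[^.]+)*") + "$"
    return re.match(pattern, domain.lower().rstrip(".")) is not None


def blocking_entry(entries, domain):
    """Return the feed entry that would block this DNS query name, or None."""
    for entry in entries:
        if entry_matches(entry, domain):
            return entry
    return None


if __name__ == "__main__":
    entries, rejects = parse_feed(SAMPLE_FEED)
    print("accepted:", entries)
    print("rejected:", rejects)
    for name in ("123gambling.com", "mail.casino-example.net", "safe-example.org"):
        print(name, "->", blocking_entry(entries, name))
```

Rejected lines are reported with their line number so the file can be fixed before the FortiGate's next five-minute refresh picks it up.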
