FortiGuard category threat feed
A FortiGuard category threat feed is a dynamic list that contains URLs and is periodically updated from an external server. The list is stored in text file format on an external server. After the FortiGate imports this list, it becomes available as a category in the Remote Categories group of web filter profiles that can be used to block or monitor URLs matching this category. A category threat feed can also be used solely or grouped with other categories to be used for exemptions within an SSL/SSH profile that performs full SSL inspection.
Multiple custom categories can be defined by creating a FortiGuard Category threat feed for each category.
Text file example:
http://example.com/url
https://example.com/url
http://example.com:8080/url
The file contains one URL per line. See External resources file format for more information about the URL list formatting style.
Example configuration
In this example, a list of URLs is imported using the FortiGuard category threat feed. The newly created threat feed is set to block in the web filter profile, and the web filter profile is applied to a firewall policy. Any traffic that passes through the FortiGate and matches the URLs in the threat feed list will be dropped.
To configure a FortiGuard category threat feed in the GUI:
- Go to Security Fabric > External Connectors and click Create New.
- In the Threat Feeds section, click FortiGuard Category.
- Set the Name to Custom-Remote-FGD.
- Set the Update method to External Feed.
- Set the URI of external resource to https://192.168.10.13/Override_URLs.txt.
- Configure the remaining settings as needed, then click OK.
- Edit the connector, then click View Entries to view the URL in the feed, which is https://www.facebook.com.
To configure a FortiGuard category threat feed in the CLI:
config system external-resource
    edit "Custom-Remote-FGD"
        set type category
        set category 192
        set resource "https://192.168.10.13/Override_URLs.txt"
        set server-identity-check {none | basic | full}
    next
end
To improve the security of the connection, it is recommended to enable server certificate validation (set server-identity-check {basic | full}).
To apply a FortiGuard category threat feed in a web filter profile:
- Go to Security Profiles > Web Filter and create a new web filter profile, or edit an existing one.
- Enable FortiGuard Category Based Filter.
- In the Remote Categories group, set the action for the Custom-Remote-FGD category to Block.
- Configure the remaining settings as needed, then click OK.
Selecting the Allow action for the FortiGuard Category Based Filter does not actually allow the category. It merely implies that no filter has been applied.
We recommend avoiding the Allow action for remote categories, as it will not override the original action specified in the FortiGuard Category Based Filter.
The Monitor and Block actions for remote categories can override the original action specified in the FortiGuard Category Based Filter.
To apply the web filter profile in a firewall policy:
- Go to Policy & Objects > Firewall Policy and create a new policy, or edit an existing one.
- Configure the policy fields as required.
- Under Security Profiles, enable Web Filter and select the profile used in the previous procedure.
- Enable Log Allowed Traffic.
- Click OK.
URLs that match the FortiGuard category threat feed list are rated as the FortiGuard category threat feed, overriding their original domain rating. Use the FortiGuard Web Filter Lookup to check the original category of a URL.
To view the web filter logs:
- Go to Log & Report > Security Events and select Web Filter.
- View the log details in the GUI, or download the log file:
1: date=2023-02-06 time=09:31:04 eventtime=1675704664795395841 tz="-0800" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" policyid=1 poluuid="e8b310ba-914f-51ed-9014-7b2a116f29ad" policytype="policy" sessionid=509983 srcip=172.20.120.13 srcport=54645 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" srcuuid="3342cb44-9140-51ed-5dbe-8e0787bedeec" dstip=157.240.3.35 dstport=443 dstcountry="United States" dstintf="port3" dstintfrole="wan" dstuuid="3342cb44-9140-51ed-5dbe-8e0787bedeec" proto=6 httpmethod="GET" service="HTTPS" hostname="www.facebook.com" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763" profile="default" action="blocked" reqtype="referral" url="https://www.facebook.com/" referralurl="https://www.google.com/url?url=https://www.facebook.com/&q=facebook&rct=j&sa=X&source=suggest&ct=res&oi=suggest_nav&usg=AOvVaw3XzIKieZE-CH5KqZaBe775&oq=facebook&gs_l=heirloom-hp..0.5j0i512i433i131i10l3j0i512i433i10l3j0i512i433i131i10l2j0i512i433i10.1716.3397.0.5824.8.8.0.0.0.0.85.609.8.8.0....0...1ac.1.34.heirloom-hp..0.8.608.798UUeJkbN0" sentbyte=527 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" ratemethod="domain" cat=192 catdesc="Custom-Remote-FGD"
Note that facebook.com, which was originally in the Social Networking category with a default action set to allow in the FortiGuard Category Based Filter, has been overridden by the block action of the remote category.
Applying a FortiGuard category threat feed in an SSL/SSH profile
A FortiGuard category threat feed can be applied in an SSL/SSH profile where full SSL inspection mode is used. The threat feed category can be selected in the exempt category list. HTTPS requests that match the URLs in the threat feed list will be exempted from SSL deep inspection. This example uses the Custom-Remote-FGD threat feed configured in the previous example.
To configure the SSL/SSH profile:
- Go to Security Profiles > SSL/SSH Inspection and create a new profile, or edit an existing one.
- Set the Inspection method to Full SSL Inspection.
- In the Exempt from SSL Inspection section, locate Web categories. Click the + and add Custom-Remote-FGD in the FORTIGUARD CATEGORY THREAT FEED section.
- Enable Log SSL exemptions.
- Click OK.
To apply the SSL/SSH inspection profile in a firewall policy:
- Go to Policy & Objects > Firewall Policy and create a new policy, or edit an existing one.
- Configure the policy fields as required.
- Under Security Profiles, set SSL Inspection to the profile used in the previous procedure.
- Enable Log Allowed Traffic.
- Click OK.
URLs that match the FortiGuard category threat feed list are rated as the FortiGuard category threat feed, overriding their original domain rating. Use the FortiGuard Web Filter Lookup to check the original category of a URL.
To view the SSL logs:
- Go to Log & Report > Security Events and select SSL.
- View the log details in the GUI, or download the log file:
1: date=2023-02-06 time=11:23:54 eventtime=1675711434094550877 tz="-0800" logid="1701062009" type="utm" subtype="ssl" eventtype="ssl-exempt" level="notice" vd="root" action="exempt" policyid=1 poluuid="e8b310ba-914f-51ed-9014-7b2a116f29ad" policytype="policy" sessionid=531331 service="SSL" profile="custom-deep-inspection" srcip=172.20.120.13 srcport=52805 srccountry="Reserved" dstip=157.240.3.35 dstport=443 dstcountry="United States" srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="wan" srcuuid="3342cb44-9140-51ed-5dbe-8e0787bedeec" dstuuid="3342cb44-9140-51ed-5dbe-8e0787bedeec" proto=17 tlsver="tls1.3" sni="www.facebook.com" cipher="0x1301" authalgo="ecdsa" kxproto="ecdhe" eventsubtype="user-category" cat=192 catdesc="Custom-Remote-FGD" hostname="www.facebook.com" msg="SSL connection is exempted based on user category rating."
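The web filter and SSL log records above share the same key=value layout, so a single parser can pull out which sessions were rated by the remote category and what the FortiGate did with them (blocked by the web filter profile, or exempted from deep inspection). The following is an added example, not Fortinet code; the sample records are constructed and shortened from the two on this page, and the category 37 record is a constructed non-matching control.

```python
"""Parse FortiGate UTM log lines and summarise hits on a FortiGuard category threat feed."""
import re
from typing import Dict, List

# key=value pairs; a value is either double-quoted (may contain spaces, '=' and '&',
# as the agent and referralurl fields do) or a bare token running to the next whitespace.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Return the fields of one FortiGate log line as a dict, with quotes stripped."""
    line = re.sub(r'^\s*\d+:\s*', '', line)  # drop the "N: " record counter of a downloaded log file
    fields: Dict[str, str] = {}
    for key, raw in _KV.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def threat_feed_hits(lines, feed_name: str) -> List[Dict[str, str]]:
    """Select records rated as the named remote category and summarise the action taken."""
    hits = []
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("catdesc") != feed_name:
            continue
        hits.append({
            "subtype": rec.get("subtype", ""),         # "webfilter" or "ssl"
            "action": rec.get("action", ""),           # "blocked" or "exempt"
            "host": rec.get("hostname") or rec.get("sni", ""),
            "src": f'{rec.get("srcip", "")}:{rec.get("srcport", "")}',
            "policyid": rec.get("policyid", ""),
        })
    return hits


# Constructed sample records (trimmed copies of the page's two logs plus one non-matching record).
SAMPLE_LOGS = [
    '1: date=2023-02-06 time=09:31:04 type="utm" subtype="webfilter" eventtype="ftgd_blk" '
    'policyid=1 srcip=172.20.120.13 srcport=54645 dstip=157.240.3.35 dstport=443 '
    'agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64)" action="blocked" '
    'url="https://www.facebook.com/"referralurl="https://www.google.com/url?q=facebook&rct=j" '
    'hostname="www.facebook.com" cat=192 catdesc="Custom-Remote-FGD"',
    '2: date=2023-02-06 time=11:23:54 type="utm" subtype="ssl" eventtype="ssl-exempt" '
    'action="exempt" policyid=1 srcip=172.20.120.13 srcport=52805 sni="www.facebook.com" '
    'cat=192 catdesc="Custom-Remote-FGD" hostname="www.facebook.com"',
    '3: date=2023-02-06 time=11:30:00 type="utm" subtype="webfilter" eventtype="ftgd_allow" '
    'action="passthrough" policyid=1 srcip=172.20.120.14 srcport=40000 '
    'hostname="www.example.com" cat=37 catdesc="Social Networking"',
]

if __name__ == "__main__":
    for hit in threat_feed_hits(SAMPLE_LOGS, "Custom-Remote-FGD"):
        print(hit)
```

Because the regex consumes each quoted value whole, the first record parses correctly even though its url and referralurl fields are run together without a space, as in the downloaded log on this page.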