Fortinet Document Library

Version: 5.4.0

Creating a third party blacklist provider workflow

This example shows how to use FortiManager to build a workflow that imports a URL blacklist from a third party provider and serves it to your FortiGate units as custom URL ratings.

Overview

You must create a script that handles the entire workflow: it fetches the blacklist from the provider, using whatever delivery mechanism the provider offers, converts the blacklist into a FortiManager XML file, and imports that file into FortiManager.

FortiManager does not run the script itself. Schedule its periodic execution on an external server; that server is also where FortiManager fetches the XML file from in step 2.

To create a script to handle a third party blacklist provider workflow:
  1. Convert the blacklist to a FortiManager XML file:

    The script will convert the blacklist to a FortiManager XML file. This XML file allows you to assign a category to each URL in the list, in addition to a default category. The default category is used as the return value when there is no match.

    Example of the FortiManager XML file format:

    <custom_url_list version="1.0">
      <head>
        <default_cate>142</default_cate>
        <description>the description</description>
      </head>
      <body>
        <url_entry>
          <url>http://www.url-0000001.com</url>
          <cate>79</cate>
        </url_entry>
        <url_entry>
          <url>http://www.url-0000002.com</url>
          <cate>28</cate>
        </url_entry>
      </body>
    </custom_url_list>

    Each URL appears once, with one category. The value in <cate></cate> can be either a normal FortiGuard web filter category or a local category.

  2. Upload the XML file into FortiManager:

    The script connects to the FortiManager CLI over SSH and runs the import command below. FortiManager then fetches the XML file itself, over FTP, SCP or TFTP, from the server named in the command. Prefer scp: ftp and tftp transfer the file, and ftp also the credentials, in cleartext, and because the import replaces the whole custom URL package, anyone who can alter the file in transit or on the source server controls how your FortiGate units categorize those URLs. The password is typed on the command line, so use a dedicated account that can only read the export directory.

    CLI command:

    execute fmupdate <ftp|scp|tftp> import custom-url <xml filename> <ftp|scp|tftp details>

    Example (IP address and port are placeholders):

    # execute fmupdate scp import custom-url 20M-custom-url.xml 000.000.000.000 00 tmp/FORTIGUARD my_login my_password

    This operation will replace the current <custom-url> package!

    Do you want to continue? (y/n)y

    Start getting file from remote SCP Host...

    SCP transfer successful.

    Packing installation is in process...This could take some time.

    lccclient command result:Response=202|

    Update successfully

    In this example, FortiManager fetches the file from the following location:

    scp://my_login:my_password@000.000.000.000:00/tmp/FORTIGUARD/20M-custom-url.xml

  3. Configure which database FortiManager uses to rate URLs:
    1. Select one of the following:
      • Local FortiGuard database only (fortiguard-db)
      • Custom URL list (your blacklist) only (custom-url)
      • Both

      config fmupdate custom-url-list
        set db_selection <fortiguard-db|custom-url|both>
      end

  4. Test custom URLs managed by FortiManager:
    1. Use the FortiManager CLI to send a categorization request for a URL in your list and check that the category you assigned comes back.

      Example of the CLI command set:

      # diagnose fmupdate fgd-url-rating <FGT SN> 1 www.foo.com

      url rating flags: 0x2 (2:EXACT_MATCH, 1:PREFIX_MATCH)

      rates according to url: 0x37 0x00 0x00 0x00

      rates according to ip: 0x00 0x00 0x00 0x00

      num_dots:-1, num_slash:-1

      database version: 16.45562

      0 ms

      The FGT SN can be any FortiGate SN.

      The flags show how the URL was matched: 0x2 is an exact match, 0x1 a prefix match.

      The returned category is the first of the four bytes after "rates according to url", in hexadecimal: 0x37, which is 55 in decimal. Look the decimal value up in the FortiGuard web filter category list to get the category name (56, for example, is Web Hosting).

    2. Note

      The memory capacity of the unit determines the number of URLs FortiManager can manage.

  5. Specify FortiManager as the FortiGuard server in FortiGate
    1. Go to your FortiGate CLI console and execute the following commands. Disabling the default servers means the FortiGate sends its rating requests only to FortiManager, not to the public FortiGuard servers:

    config system central-management
      set type fortimanager
      set fmg {<IP_address> | <FQDN_address>}
      config server-list
        edit 1
          set server-type update rating
          set server-address {<IP_address> | <FQDN_address>}
        next
      end
      set include-default-servers disable
    end
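The conversion and test steps above as one worked script. This is an added example, not Fortinet's or any provider's code. It assumes the provider feed is plain text with one `url[,category]` per line and `#` comments (a stand-in for whatever the provider really delivers); the XML layout follows the example in step 1, and the diagnose output it decodes is the one quoted in step 4. It converts the feed, reads the generated file back as a pre-upload check, and extracts the category and match type from `diagnose fmupdate fgd-url-rating` output:

```python
"""Third-party blacklist -> FortiManager custom URL list XML, a reader for
the result, and a parser for `diagnose fmupdate fgd-url-rating` output.

Added example, not Fortinet code. The feed format is an assumption.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

# Constructed sample feed. It deliberately contains an exact duplicate,
# a URL with no category (falls back to the default) and a '&' that must
# be escaped for the XML to stay well-formed.
SAMPLE_FEED = """\
# provider feed
http://www.url-0000001.com,79
http://www.url-0000002.com,28
http://www.url-0000002.com,28
http://www.url-0000003.com
http://www.example.net/path?a=1&b=2,26
"""

# Diagnose output as quoted in step 4 of this page.
SAMPLE_DIAG = """\
url rating flags: 0x2 (2:EXACT_MATCH, 1:PREFIX_MATCH)
rates according to url: 0x37 0x00 0x00 0x00
rates according to ip: 0x00 0x00 0x00 0x00
num_dots:-1, num_slash:-1
database version: 16.45562
0 ms
"""


def parse_blacklist(text: str, default_cate: int) -> Dict[str, int]:
    """Map each URL to a category; lines without one get `default_cate`.

    Exact duplicates collapse. The same URL with two different categories
    is rejected instead of letting whichever entry loads last win silently.
    """
    entries: Dict[str, int] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Category is the last comma-separated field, if it is numeric.
        head, sep, tail = line.rpartition(",")
        if sep and tail.strip().isdigit():
            url, cate = head.strip(), int(tail)
        else:
            url, cate = line, default_cate
        if url in entries and entries[url] != cate:
            raise ValueError(f"line {lineno}: {url} listed with both "
                             f"category {entries[url]} and {cate}")
        entries[url] = cate
    return entries


def build_custom_url_xml(entries: Dict[str, int], default_cate: int,
                         description: str) -> str:
    """Serialise as <custom_url_list version="1.0">. ElementTree escapes
    '&', '<' and '>' in the URL text so raw URLs cannot break the file."""
    root = ET.Element("custom_url_list", version="1.0")
    head = ET.SubElement(root, "head")
    ET.SubElement(head, "default_cate").text = str(default_cate)
    ET.SubElement(head, "description").text = description
    body = ET.SubElement(root, "body")
    for url in sorted(entries):
        entry = ET.SubElement(body, "url_entry")
        ET.SubElement(entry, "url").text = url
        ET.SubElement(entry, "cate").text = str(entries[url])
    ET.indent(root)  # Python 3.9+
    return ET.tostring(root, encoding="unicode")


def read_custom_url_xml(xml_text: str) -> Tuple[int, Dict[str, int]]:
    """Inverse of build_custom_url_xml: (default category, url -> category).
    Run it on the generated file before handing it to `execute fmupdate`."""
    root = ET.fromstring(xml_text)
    if root.tag != "custom_url_list":
        raise ValueError(f"unexpected root element {root.tag}")
    default_cate = int(root.findtext("head/default_cate"))
    entries = {e.findtext("url"): int(e.findtext("cate"))
               for e in root.iterfind("body/url_entry")}
    return default_cate, entries


_FLAGS = re.compile(r"url rating flags:\s*0x([0-9a-fA-F]+)")
_RATES = re.compile(r"rates according to url:((?:\s*0x[0-9a-fA-F]{2}){4})")


def parse_url_rating(output: str) -> Tuple[int, str]:
    """Return (category, match) from `diagnose fmupdate fgd-url-rating` output.

    The category is the first of the four hex bytes after 'rates according
    to url' (0x37 -> 55); flag bit 0x2 means EXACT_MATCH, 0x1 PREFIX_MATCH.
    """
    flags = _FLAGS.search(output)
    rates = _RATES.search(output)
    if not flags or not rates:
        raise ValueError("unrecognised diagnose output")
    category = int(rates.group(1).split()[0], 16)
    f = int(flags.group(1), 16)
    match = "exact" if f & 0x2 else "prefix" if f & 0x1 else "none"
    return category, match
```

Run the conversion on the external server before the SCP import; feeding the generated file back through read_custom_url_xml catches a malformed or empty list before it replaces the package on FortiManager. The SSH step itself is not included, because the import command asks for interactive confirmation, as shown in step 2.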

Note

For further FortiManager information, refer to the FortiManager Administration Guides available in the Fortinet Document Library.
