Administration Guide

Configuring an external malicious URL feed with an API key

You can configure FortiProxy to consume an external malicious URL feed using API key authentication. This allows FortiProxy to integrate custom threat intelligence sources for automatically blocking malicious URLs in web traffic.

To configure the external malicious URL feed in FortiProxy GUI:
  1. Go to Security Fabric > External Connectors and click Create New.

  2. In the Threat Feeds section, click FortiGuard Category.

  3. Set the Name to Custom_Malicious_URL_Feed.

  4. Set the Update method to External Feed.

  5. Set the URL of external resource to http://172.18.20.80:8080/malicious-urls.

  6. Configure the remaining settings as needed, then click OK.

To configure the external malicious URL feed in FortiProxy CLI:
config system external-resource
    edit "Custom_Malicious_URL_Feed"
        set uuid a24fcf94-e00f-51ef-d901-d7632353620f
        set category 200
        set resource "http://172.18.20.80:8080/malicious-urls"
        set user-agent "Firefox\r\nAPI-Key:SECRETAPIKEY"
    next
end

Option              Description
set category 200    Ensures the category ID is unique (valid range: 192 - 221).
set resource        Points to your locally hosted threat feed.
set user-agent      Sends the required API key via User-Agent.

To apply a FortiGuard category threat feed in a web filter profile:
  1. Go to Security Profiles > Web Filter and create a new web filter profile, or edit an existing one.
  2. Enable FortiGuard Category Based Filter.
  3. In the Remote Categories group, set the action for the Custom_Malicious_URL_Feed category to Block.

    Selecting the Allow action for the FortiGuard Category Based Filter does not actually allow the category. It merely implies that no filter has been applied.

    We recommend that you avoid using the Allow action for remote categories, as it will not override the original action specified in the FortiGuard Category Based Filter.

    The Monitor and Block actions for remote categories can override the original action specified in the FortiGuard Category Based Filter.

  4. Configure the remaining settings as needed, then click OK.

To apply the web filter profile in a policy:
  1. Go to Policy & Objects > Policy and create a new policy, or edit an existing one.

  2. Configure the policy fields as required.

  3. Under Security Profiles, enable Web Filter and select the profile used in the previous procedure.

  4. Enable Log Allowed Traffic.

  5. Click OK.

To verify that FortiProxy is blocking malicious URLs:
  1. Visit a blocked URL from the feed, such as: http://malicious-site.com. A FortiProxy block page should appear.

  2. Go to Log & Report > Web Filter to find the log for blocked requests categorized as Custom_Malicious_URL_Feed.

    Example log:

    date=2025-01-31 time=14:18:02 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" policyid=1 srcip=192.168.1.100 dstip=45.77.89.10 service="HTTP" hostname="malicious-site.com" action="blocked" cat=200 catdesc="Custom_Malicious_URL_Feed"
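
Filtering exported web filter logs for this feed's blocks, as an added example that is not part of the Fortinet guide. The first sample line is the page's example log; the other lines and the function names are constructed for illustration.

```python
import shlex
from collections import Counter

FEED_CATEGORY = "200"  # category ID from the page's CLI example

SAMPLE_LOGS = [
    # Example log from the page.
    'date=2025-01-31 time=14:18:02 logid="0316013056" type="utm" subtype="webfilter" '
    'eventtype="ftgd_blk" level="warning" policyid=1 srcip=192.168.1.100 '
    'dstip=45.77.89.10 service="HTTP" hostname="malicious-site.com" '
    'action="blocked" cat=200 catdesc="Custom_Malicious_URL_Feed"',
    # Constructed lines (not from the page): a repeat hit, a second client,
    # and an allowed request in an unrelated category.
    'date=2025-01-31 time=14:19:40 type="utm" subtype="webfilter" eventtype="ftgd_blk" '
    'srcip=192.168.1.100 dstip=45.77.89.10 hostname="malicious-site.com" '
    'action="blocked" cat=200 catdesc="Custom_Malicious_URL_Feed"',
    'date=2025-01-31 time=14:21:05 type="utm" subtype="webfilter" eventtype="ftgd_blk" '
    'srcip=192.168.1.101 dstip=45.77.89.10 hostname="malicious-site.com" '
    'action="blocked" cat=200 catdesc="Custom_Malicious_URL_Feed"',
    'date=2025-01-31 time=14:22:11 type="utm" subtype="webfilter" eventtype="ftgd_allow" '
    'srcip=192.168.1.100 dstip=203.0.113.10 hostname="intranet.example" '
    'action="passthrough" cat=52 catdesc="Information Technology"',
]


def parse_log(line):
    """Split a key=value log line into a dict; shlex strips the quotes."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def feed_blocks_by_client(lines, category=FEED_CATEGORY):
    """Count blocked web filter events in the feed's category per source IP."""
    hits = Counter()
    for line in lines:
        f = parse_log(line)
        if (f.get("subtype") == "webfilter" and f.get("action") == "blocked"
                and f.get("cat") == category):
            hits[f.get("srcip", "unknown")] += 1
    return hits


def repeat_clients(lines, threshold=2):
    """Clients that hit feed entries at least `threshold` times."""
    return sorted(ip for ip, n in feed_blocks_by_client(lines).items() if n >= threshold)
```

A client that keeps requesting URLs from the feed after being blocked is worth a closer look on the endpoint itself.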

Troubleshooting

  • If FortiProxy does not retrieve the feed, use these commands to check if FortiProxy can resolve and connect to the local server:

    • diagnose debug app dnsproxy -1

    • diagnose debug app forticron -1

    • diagnose debug enable

    Example output:

    http_request_make()-2292: HTTP request: http
    GET /malicious-urls HTTP/1.1
    Host: 172.18.20.80
    User-Agent: Firefox
    API-Key:SECRETAPIKEY
    Accept: */*
    Connection: close

  • If FortiProxy successfully connects, diagnose debug app forticron -1 should return HTTP 200 OK.

    Example log:

    HTTP/1.1 200 OK
    Server: Werkzeug/3.0.3 Python/3.10.12
    Date: Fri, 31 Jan 2025 20:49:02 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 126
    Connection: close

  • If the feed is accessible, FortiProxy will successfully retrieve and update the entries. If you receive 403 Forbidden, check if the API key is correctly set in User-Agent. Different providers may require different authentication methods (User-Agent, Authorization headers, URL params). Ensure your external server correctly returns TXT format (one URL per line).
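
An added sketch of the feed server's side of this exchange (not Fortinet code and not the server used on the page): it rebuilds the request from the page's debug output to show that the CRLF in set user-agent puts API-Key on its own header line, then answers 200 with one URL per line, or 403 when the key is missing or wrong. The function names, the second feed URL and the 404 branch are assumptions.

```python
import hmac
import io
from http.client import parse_headers
from http.server import BaseHTTPRequestHandler, HTTPServer

API_KEY = "SECRETAPIKEY"        # placeholder value from the page's CLI example
FEED_PATH = "/malicious-urls"   # path from the page's resource URL
FEED_URLS = ["http://malicious-site.com", "http://phish.example/login"]  # 2nd is constructed
TEXT = "text/plain; charset=utf-8"


def check_request(path, headers):
    """Return (status, body) for a feed request; headers is any mapping with .get()."""
    if path != FEED_PATH:
        return 404, b"not found\n"
    supplied = (headers.get("API-Key") or "").strip()
    # Constant-time comparison so response timing does not reveal key bytes.
    if not hmac.compare_digest(supplied.encode(), API_KEY.encode()):
        return 403, b"forbidden\n"
    # TXT format expected by the connector: one URL per line.
    return 200, "".join(u + "\n" for u in FEED_URLS).encode()


def request_from_user_agent(user_agent):
    """Rebuild the GET seen in the debug output for a 'set user-agent' value.

    The CRLF inside the configured value ends the User-Agent line, so the text
    after it arrives as a header of its own.
    """
    raw = (f"GET {FEED_PATH} HTTP/1.1\r\nHost: 172.18.20.80\r\n"
           f"User-Agent: {user_agent}\r\nAccept: */*\r\nConnection: close\r\n\r\n")
    fp = io.BytesIO(raw.encode("latin-1"))
    path = fp.readline().split()[1].decode()
    return path, parse_headers(fp)


class FeedHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = check_request(self.path, self.headers)
        self.send_response(status)
        self.send_header("Content-Type", TEXT)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def make_server(host="127.0.0.1", port=8080):
    """Create (but do not start) the feed server; call .serve_forever() to run it."""
    return HTTPServer((host, port), FeedHandler)
```

With the http:// resource URL used on this page, the API-Key header crosses the network unencrypted and also appears in the debug output, so treat the key as exposed to anyone who can see either.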
