Fortinet black logo

Administration Guide

White/Black Lists

Copy Link
Copy Doc ID 7885f8f7-912a-11e9-81a4-00505692583a:424543
Download PDF

White/Black Lists

White and black lists help improve scan performance and malware catch rate as well as reduce false positives and can be appended to, replaced, cleared, deleted, and downloaded. These lists contain file checksum values (MD5, SHA1, or SHA256) and domain/URLs. Domain and URL lists are used in both file and URL scanning. For files, the file's downloading URL is checked against the list. Wild Card formats, like *.domain, are supported. For example, when the user adds windowsupdate.microsoft.com to the White Domain List, all files downloaded from this domain will be rated as Clean files immediately. If the user adds *.microsoft.com to the White Domain List, all files downloaded from sub-domains of microsoft.com will be rated as Clean immediately.

For URLs, you can add a raw URL or a regular expression pattern to the list. For example, if the user adds .*amazon.com/.*subscribe to the white list, all subscription URLs from amazon.com will be immediately rated as Clean. This way, subscription links will not be opened inside the VM and become invalid.

  • If a white list entry is hit, the job rating will be Clean with a local overwrite flag.
  • If a black list entry is hit, the job rating will be Malicious with a local overwrite flag. Malware names will be FSA/BL_DOMAIN, FSA/BL_MD5, FSA/BL_SHA1, or FSA/BL_SHA256.
  • If the same entry exists on both lists and is hit, the black list will take priority and the file will be rated Malicious.

To manage the White/Black list manually:
  1. Go to Scan Policy > White/Black List.
  2. Click the White List or Black List panel and the Detail panel will slide out from the right side.
  3. Click the head of each type to expand or collapse the list.
  4. Click the + button to add a new entry.
    caution icon

    The URL pattern will have a higher rating priority than a domain pattern. For example, if you enter *.microsoft.com in a domain white list and http://www.microsoft.com/*abc/bad.html in a URL black list, a file from http://www.microsoft.com/1abc/bad.html will be rated as Malicious.

    Alternatively, click the Trash button to either remove the whole list or remove a single entry.

  5. Click outside the Detail panel to accept the change.
To manage the White/Black list through files:
  1. Go to Scan Policy > White/Black List.
  2. Click the File Upload icon for either the White List or Black List.
  3. Select the list type from the dropdown menu:
    • Domain
    • MD5
    • SHA1
    • SHA256
    • URL
    • URL REGEX
  4. Select the Action to take from the dropdown menu:
    • Append: Add checksums to the list.
    • Replace: Replace the list.
    • Clear: Remove the list.
    • Download: Download the list to the management computer.
    • Delete: Delete an entry from the list if the entry is in the uploaded file.
  5. If the action is Download, click OK to download the list file to the management computer.
  6. If the action is Append or Replace, click Choose File, locate the checksum file on the management computer, then click OK.
  7. If the action is Clear, click OK to remove the list.

In a Cluster setting, White/Black lists should only be created on the Master node. They will be synchronized to other nodes.

The total number of URL REGEXs in White/Black list should be less than 1,000. The total number of Domains plus URLs in White/Black list should be less than 50,000.

White/Black Lists

White and black lists help improve scan performance and malware catch rate as well as reduce false positives and can be appended to, replaced, cleared, deleted, and downloaded. These lists contain file checksum values (MD5, SHA1, or SHA256) and domain/URLs. Domain and URL lists are used in both file and URL scanning. For files, the file's downloading URL is checked against the list. Wild Card formats, like *.domain, are supported. For example, when the user adds windowsupdate.microsoft.com to the White Domain List, all files downloaded from this domain will be rated as Clean files immediately. If the user adds *.microsoft.com to the White Domain List, all files downloaded from sub-domains of microsoft.com will be rated as Clean immediately.

For URLs, you can add a raw URL or a regular expression pattern to the list. For example, if the user adds .*amazon.com/.*subscribe to the white list, all subscription URLs from amazon.com will be immediately rated as Clean. This way, subscription links will not be opened inside the VM and become invalid.

  • If a white list entry is hit, the job rating will be Clean with a local overwrite flag.
  • If a black list entry is hit, the job rating will be Malicious with a local overwrite flag. Malware names will be FSA/BL_DOMAIN, FSA/BL_MD5, FSA/BL_SHA1, or FSA/BL_SHA256.
  • If the same entry exists on both lists and is hit, the black list will take priority and the file will be rated Malicious.

To manage the White/Black list manually:
  1. Go to Scan Policy > White/Black List.
  2. Click the White List or Black List panel and the Detail panel will slide out from the right side.
  3. Click the head of each type to expand or collapse the list.
  4. Click the + button to add a new entry.
    caution icon

    The URL pattern will have a higher rating priority than a domain pattern. For example, if you enter *.microsoft.com in a domain white list and http://www.microsoft.com/*abc/bad.html in a URL black list, a file from http://www.microsoft.com/1abc/bad.html will be rated as Malicious.

    Alternatively, click the Trash button to either remove the whole list or remove a single entry.

  5. Click outside the Detail panel to accept the change.
To manage the White/Black list through files:
  1. Go to Scan Policy > White/Black List.
  2. Click the File Upload icon for either the White List or Black List.
  3. Select the list type from the dropdown menu:
    • Domain
    • MD5
    • SHA1
    • SHA256
    • URL
    • URL REGEX
  4. Select the Action to take from the dropdown menu:
    • Append: Add checksums to the list.
    • Replace: Replace the list.
    • Clear: Remove the list.
    • Download: Download the list to the management computer.
    • Delete: Delete an entry from the list if the entry is in the uploaded file.
  5. If the action is Download, click OK to download the list file to the management computer.
  6. If the action is Append or Replace, click Choose File, locate the checksum file on the management computer, then click OK.
  7. If the action is Clear, click OK to remove the list.

In a Cluster setting, White/Black lists should only be created on the Master node. They will be synchronized to other nodes.

The total number of URL REGEXs in White/Black list should be less than 1,000. The total number of Domains plus URLs in White/Black list should be less than 50,000.