Blocking malicious domains using threat feeds


In this recipe, you use a domain name threat feed and FortiGate DNS filtering to block malicious domains. The example text file used is a list of gambling site domain names.

Threat feeds allow you to dynamically import external block lists in the form of a text file into your FortiGate. These text files, stored on an HTTP server, can contain a list of web addresses or domains. You can use threat feeds to deny access to a source or destination IP address in Web Filter and DNS Filter profiles, SSL inspection exemptions, and as a Source/Destination in proxy policies. You can use Fabric Connectors for FortiGate devices that don’t belong to a Fortinet Security Fabric.

1. Creating your external block list

The external block list should be a plain text file with one domain name on each line. Simple wildcards are supported.

You can create your text file or download it from an external service. Once you have the text file, upload it to your HTTP file server.
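The following Python script is an added example, not part of the original recipe or any Fortinet tooling. It cleans a raw list into the one-domain-per-line format before you upload it to the HTTP server, so that URLs, IP addresses, and malformed names are caught before the FortiGate imports them. It assumes a simple wildcard means a single leading `*.` label; the function names and sample domains are constructed for illustration.

```python
import re

# One DNS label: 1-63 chars of letters, digits or hyphens, no hyphen at either end.
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def normalize_entry(line):
    """Return the cleaned entry, or None if the line is not a usable domain."""
    entry = line.strip().lower().rstrip(".")
    # Assumption: a "simple wildcard" is a single leading "*." label.
    name = entry[2:] if entry.startswith("*.") else entry
    labels = name.split(".")
    if not entry or len(name) > 253 or len(labels) < 2:
        return None
    # An all-numeric last label means an IP address, not a domain name.
    if labels[-1].isdigit() or not all(LABEL.fullmatch(l) for l in labels):
        return None
    return entry

def build_blocklist(raw_text):
    """Return (accepted, rejected): accepted is de-duplicated with order kept."""
    accepted, rejected, seen = [], [], set()
    for number, line in enumerate(raw_text.splitlines(), start=1):
        if not line.strip():
            continue
        entry = normalize_entry(line)
        if entry is None:
            rejected.append((number, line.strip()))
        elif entry not in seen:
            seen.add(entry)
            accepted.append(entry)
    return accepted, rejected

# Constructed sample input using reserved example domains, not a real feed.
SAMPLE = """casino.example.com
*.poker.example.net
CASINO.example.com.
http://bets.example.org/play
bad_name.example.com
192.0.2.10
localhost
"""

if __name__ == "__main__":
    ok, bad = build_blocklist(SAMPLE)
    print("\n".join(ok))
    for number, text in bad:
        print(f"rejected line {number}: {text}")
```

Review the rejected lines by hand rather than discarding them silently, since a URL or a typo usually points at a domain that was meant to be blocked.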

Example text file:

2. Configuring the threat feed

To configure a domain name threat feed, go to Security Fabric > Fabric Connectors and select Create New.

Scroll down to Threat Feeds and select Domain Name.

Enter the Name of the connector (in this example, gambling-domains), the URI of external resource (http: //, and the Refresh Rate. By default, your FortiGate re-reads the file and uploads any changes every five minutes.

Click on View Entries to see the list of domains in the text file.

3. Adding the threat feed to your DNS filter 

To add the threat feed to your DNS filter, go to Security Profiles > DNS Filter and scroll down to the list of preconfigured FortiGuard filters.

The resource file you uploaded in step 1 is listed under Remote Categories. Set that category to Block.

4. Configuring your outgoing internet policy

To add the DNS filter to your outgoing internet policy, go to Policy & Objects > IPv4 Policy. Enable DNS Filter and select an SSL Inspection profile.

5. Results

Visit one of the domains on the external resource file. In this example, we use

A Web Page Blocked! message appears.

Go to Log & Report > DNS Query. You can see that the domain belongs to a blocked category.

For further reading, check out Security Fabric Connectors and Overriding FortiGuard website categorization in the FortiOS 6.0 Handbook.

Fortinet Technical Documentation
