Blocking malicious domains using threat feeds


In this recipe, you use a domain name threat feed and FortiGate DNS filtering to block malicious domains. The example text file used is a list of gambling site domain names.

Threat feeds allow you to dynamically import external block lists in the form of a text file into your FortiGate. These text files, stored on an HTTP server, can contain a list of web addresses or domains. You can use threat feeds to deny access to a source or destination IP address in Web Filter and DNS Filter profiles, SSL inspection exemptions, and as a Source/Destination in proxy policies. You can use Fabric Connectors for FortiGate devices that don’t belong to a Fortinet Security Fabric.

1. Creating your external block list

The external block list should be a plain text file with one domain name per line. Simple wildcards are supported.

You can create your text file or download it from an external service. Once you have the text file, upload it to your HTTP file server.
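Before uploading the file, it helps to normalise whatever you downloaded into exactly the shape the feed expects. The following is an added example (it is not from the Fortinet recipe and not FortiGate code): it cleans a raw list into one validated domain per line, drops duplicates and junk, and lets you check which query names the resulting feed would match. It assumes, since the page does not say, that a "simple wildcard" is a leading `*.` matching any subdomain but not the apex, and that `#` starts a comment line; the sample input is constructed.

```python
"""Added example (not from the Fortinet recipe): build the one-domain-per-line
text file a FortiGate domain-name threat feed fetches, and test what it matches.

Assumptions not stated on the page: a "simple wildcard" is a leading "*." that
matches any subdomain (not the apex); lines starting with "#" are comments;
entries that are not valid hostnames are dropped rather than failing the file.
"""
import re
from typing import Iterable, List, Optional, Set

# One DNS label: letters, digits, hyphens, 1-63 chars, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed sample input: what a downloaded list often looks like before cleanup.
RAW_LIST = """\
# gambling sites (sample, constructed for this example)
123gambling.com
WWW.Example-Casino.NET
*.bet-sites.example
http://poker.example/lobby
123gambling.com.
not a domain
bad_label.example
"""


def normalise_entry(entry: str) -> Optional[str]:
    """Return a canonical feed entry, or None if the line is not a usable domain."""
    line = entry.strip().lower()
    if not line or line.startswith("#"):
        return None
    # Tolerate a pasted URL: strip the scheme and keep only the host part.
    line = re.sub(r"^[a-z][a-z0-9+.-]*://", "", line).split("/")[0]
    line = line.rstrip(".")                      # drop a trailing FQDN dot
    wildcard = line.startswith("*.")
    host = line[2:] if wildcard else line
    labels = host.split(".")
    if len(labels) < 2 or not all(_LABEL.match(lbl) for lbl in labels):
        return None
    return ("*." if wildcard else "") + host


def build_feed(lines: Iterable[str]) -> List[str]:
    """Validate and deduplicate entries, preserving first-seen order."""
    seen: Set[str] = set()
    feed: List[str] = []
    for raw in lines:
        entry = normalise_entry(raw)
        if entry and entry not in seen:
            seen.add(entry)
            feed.append(entry)
    return feed


def feed_matches(feed: Iterable[str], query_name: str) -> bool:
    """True if a DNS query name would hit an entry under the assumed wildcard rule."""
    name = query_name.strip().lower().rstrip(".")
    for entry in feed:
        if entry.startswith("*."):
            suffix = entry[1:]                   # e.g. ".bet-sites.example"
            if name.endswith(suffix) and name != suffix[1:]:
                return True
        elif name == entry:
            return True
    return False


def write_feed(path: str, feed: Iterable[str]) -> None:
    """Write the file the FortiGate will fetch: one entry per line, LF-terminated."""
    with open(path, "w", encoding="ascii", newline="\n") as fh:
        fh.write("\n".join(feed) + "\n")


if __name__ == "__main__":
    entries = build_feed(RAW_LIST.splitlines())
    print("\n".join(entries))
    for q in ("123gambling.com", "lobby.bet-sites.example", "safe.example"):
        print(f"{q}: {'blocked' if feed_matches(entries, q) else 'allowed'}")
```

Run it once against your downloaded list and review the dropped lines before publishing the output with `write_feed` to the HTTP server; a feed that silently loses entries is worse than one that fails loudly, so in production you may prefer to log or reject invalid lines instead.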

Example text file:

2. Configuring the threat feed

To configure a domain name threat feed, go to Security Fabric > Fabric Connectors and select Create New.

Scroll down to Threat Feeds and select Domain Name.

Enter the Name of the connector (in this example, gambling-domains), the URI of the external resource (http://172.25.175.222/external-resource-files/gambling-domains.txt), and the Refresh Rate. By default, your FortiGate re-reads the file and applies any changes every five minutes.

Click on View Entries to see the list of domains in the text file.

3. Adding the threat feed to your DNS filter

To add the threat feed to your DNS filter, go to Security Profiles > DNS Filter and scroll down to the list of preconfigured FortiGuard filters.

The resource file you uploaded in step 1 is listed under Remote Categories. Set that category to Block.

4. Configuring your outgoing internet policy

To add the DNS filter to your outgoing internet policy, go to Policy & Objects > IPv4 Policy. Enable DNS Filter and select an SSL Inspection profile.

5. Results

Visit one of the domains on the external resource file. In this example, we use 123gambling.com.

A Web Page Blocked! message appears.

Go to Log & Report > DNS Query. You can see that the domain 123gambling.com belongs to a blocked category.

For further reading, check out Security Fabric Connectors and Overriding FortiGuard website categorization in the FortiOS 6.0 Handbook.

Judith Haney

Technical Writer at Fortinet
Judith Haney is a Technical Writer on the FortiOS technical documentation team. She graduated with honours from Algonquin College's Technical Writer program in September 2015. In a previous lifetime, Judith earned degrees in Mathematics (B.S.) and French literature (M.A.).