
IP Blocking on FortiGate v. 7.2.0/7.4.0 using ELLIO

Setup of external feed

To add our feed, first navigate to the Security Fabric >> External Connectors section of the menu and click the +Create New button.

Scroll down to Threat Feeds and select IP Address.

Fill in Name so that the feed is easily identifiable for you, e.g. ELLIO: Threat List MAX. As URL of external resource, enter your link, disable HTTP basic authentication and set Refresh rate according to your subscription tier. Click the OK button.

Once created, wait a few moments for the latest version to be downloaded; if you are as impatient as I am, you can click the refresh button in the upper right corner. Hovering the mouse over the feed box shows an information box with more details. Once the feed has been downloaded successfully you will see the number of entries, the latest content update, etc.

To see the IP addresses we currently recommend blocking, click View Entries.

Setup of Firewall rules

Once our feed is available in your FortiGate instance you can create firewall rules based on it. To do so, navigate to Policy & Objects >> Firewall Policy and click the green plus to create a new rule.

Fill in Name with something easily identifiable, e.g. ELLIO: FTL. As Incoming Interface select your WAN port and as Outgoing Interface your LAN interface; if you have multiple interfaces of either type, duplicate this rule for each of them. Clicking the + sign next to Source displays the list of entries; select the one with the name you gave the external feed during setup. For Destination we recommend all. Schedule should be kept at always. From the list of services we recommend ALL, and for Action select DENY. Create the rule by clicking the OK button.

Now rearrange the firewall rules, simply by dragging, so that the newly created rule sits above the rule that allows access to your services.

After some time you will see the amount of traffic blocked by our feed.

Note: If you use a VIP for port-forwarding or other use cases, you may have to enable the match-vip setting on the firewall rule.
To do so, open the CLI by clicking the console symbol >_ next to the question mark in the upper right corner.
Type config firewall policy to enter the policy configuration. Then run the show command to list all active policies; we need this to find the ID of our rule (in the example below it is 4). Then run the following commands:
edit 4
set match-vip enable
Save with the end command.

Note: FortiGate has a limit of roughly 130k IP addresses in a single external IP feed. You will receive 4 links from us; use all 4 to create External Feed objects and reference them in your firewall policy as usual.
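The same setup done from the FortiOS CLI, as an added example that is not part of ELLIO's guide: it creates the four External Feed objects from the note above, builds one deny policy that references all of them with match-vip enabled, and moves it ahead of the allow rule. The interface names wan1 and internal, policy IDs 4 and 1, the 60-minute refresh rate and the feed URLs are assumptions; replace them with your own values.

```fortios
# Added example, not from the ELLIO guide: FortiOS 7.x CLI equivalent of the GUI steps.
# URLs are placeholders for the four links ELLIO sends; interfaces and refresh rate assumed.
config system external-resource
    edit "ELLIO: Threat List MAX 1"
        set type address
        set resource "https://<your-ELLIO-feed-link-1>"
        set refresh-rate 60
        set status enable
    next
    edit "ELLIO: Threat List MAX 2"
        set type address
        set resource "https://<your-ELLIO-feed-link-2>"
        set refresh-rate 60
        set status enable
    next
    edit "ELLIO: Threat List MAX 3"
        set type address
        set resource "https://<your-ELLIO-feed-link-3>"
        set refresh-rate 60
        set status enable
    next
    edit "ELLIO: Threat List MAX 4"
        set type address
        set resource "https://<your-ELLIO-feed-link-4>"
        set refresh-rate 60
        set status enable
    next
end
# One deny policy referencing all four feeds (each feed stays under the ~130k limit).
# "edit 0" takes the next free policy ID; match-vip also catches port-forwarded VIP traffic.
config firewall policy
    edit 0
        set name "ELLIO: FTL"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "ELLIO: Threat List MAX 1" "ELLIO: Threat List MAX 2" "ELLIO: Threat List MAX 3" "ELLIO: Threat List MAX 4"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set action deny
        set match-vip enable
        set logtraffic all
    next
end
# Place the deny rule above your allow rule. Run "show" inside
# "config firewall policy" to find the real IDs; 4 and 1 are assumed here.
config firewall policy
    move 4 before 1
end
```

Setting logtraffic to all on the deny policy is what makes the blocked connections visible in Log & Report, so you can verify the feed is matching before relying on it.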
