By Manny Fernandez

September 20, 2019

Using Dynamic Address Lists in Fortigate Firewalls using 6.2.+

In 6.0, Fortinet released the ability to pull IP addresses from a web-server and use them in the configuration.  However there was limitations in how you could use it.  Here was the issue:

  • You create a list and host it on a web-server.
  • You could use the list in the DNS Filter.
  • So if we had 1.1.1.1 in the list, and we queried www.goodguy.com and the DNS server replied with 1.1.1.1 it would block the connection,  However if you opened your browser and in the URL bar typed http://1.1.1.1 it would permit the traffic.
  • There was no ability to authenticate.

This behavior changed in 6.2 and was enhanced even more in 6.2.1.  In 6.2 you were able to use the address list in address objects as source or destination and in 6.2.1 you were able to authenticate.  In this post, I will show you how to configure a list, post it to a web-server and configure the Fortigate.

Web Server

I am using a Synology NAS.  I added the web-server app to it.

2019-09-20_15-53-27.png

Next, I created a file with IP addresses using CIDR notation.  I named it IP-List1.txt

2019-09-20_16-01-13.png

Next, I uploaded the IP-List1.txt to the web-server under a virtual folder named Fortinet

2019-09-20_15-59-12.png

You can test it by pointing your browser to the web-server IP address followed by the Virtual folder ( Fortinet ) and then adding the file name ( IP-List1.txt ) and you show see something similar to what I have in the screenshot.

2019-09-20_16-07-32.png

Next we will:

  1. Go to Security Fabric
  2. Then choose Fabric Connector
  3. Then Create New

2019-09-20_16-08-18.png

Choose IP Address.  I will cover the other connectors in future posts.  I am so excited about these connectors.  It really makes a difference.

2019-09-20_16-10-14.png

Name the Connector with a descriptive name and enter the URL in the URI of external resource section.   You can play with the Refresh Rate if this is a highly dynamic list, otherwise the default should suffice.

Other options (not in 6.2.0 but 6.2.1) is the ability to use authentication.  This gives you an additional layer of security and for some third-party thread feeds and the like, this is required.

2019-09-20_16-10-50.png

Once you have the URL in and the status is set to on, you should see the green arrow pointing up on the bottom right.

2019-09-20_16-13-54.png

Now we will create a new policy.  As you can see there is a section in gray named IP ADDRESS THREAT FEED and it has the same icon as the connector we created.

2019-09-20_16-14-31.png

In this example, I am going to Deny all traffic to these IP addresses, however this COULD be used in the Source as well.

2019-09-20_16-15-21-2.png

By going back into the Fabric Connector we created, you will see the last time it updated.  Also, you can click the View Entries to see what is in the list.

2019-09-20_16-15-34.png

And there you go.  Hope this helps.

 

 

Recent posts