FortiGate Fortinet EDL
About FortiGate EDL
Fortinet is an American multinational corporation headquartered in Sunnyvale, California. The company develops and sells cybersecurity solutions, such as physical firewalls, antivirus software, intrusion prevention systems, and endpoint security components.
FortiGate supports External Block List (Threat Feed) for web filtering and DNS. You can also use External Block List (Threat Feed) in firewall policies.
Supported Action
| S.no | Action | Description |
|---|---|---|
| 1 | Block IP | Block IP on FortiGate |
| 2 | Unblock IP | Unblock IP on FortiGate |
| 3 | Block Domain | Block domain on FortiGate |
| 4 | Unblock Domain | Unblock the domain on FortiGate |
| 5 | Block URL | Block URL on FortiGate |
| 6 | Unblock URL | Unblock URL on FortiGate |
| 7 | Block Hash | Block Hash on FortiGate |
| 8 | Unblock Hash | Unblock Hash on FortiGate |
Enable FortiGate EDL App in SIRP
- First, log in to SIRP, then go to Apps from the left navigation bar.
- Locate the app named FortiGate EDL.
- Enable the FortiGate app by clicking on the toggle button under the Status.
- Once enabled, click on the configuration button to add the following configuration:
- Execute the following supported actions one by one on any particular container (incident or alert) or from Automation Playground:
  - Block IP
  - Block URL
  - Block Domain
  - Block Hash
- As each action gets executed, you will get unique URLs of the EDL files. For example:
https://<SIRP-IP>/2/Fortigate/fortigate-edl/ip_list.txt
https://<SIRP-IP>/2/Fortigate/fortigate-edl/domain_list.txt
https://<SIRP-IP>/2/Fortigate/fortigate-edl/url_list.txt
https://<SIRP-IP>/2/Fortigate/fortigate-edl/sha256_list.txt
Use these URLs to configure the EDLs on the FortiGate firewall by following these steps:
- Log in to the FortiGate web console.
- Navigate to Security Fabric > External Connectors.
- To create a new external connector, click Create new.
- In Threat Feeds, click on IP address:
  - Set the name of the connector.
  - Set Status to Enabled.
  - Set Update method to External feed.
  - Paste the URL of IP-EDL in the URI of an external resource field, and click OK.
- Create a new connector in the same way for Domain EDL.
- To create a new external connector, click Create new.
- In Threat Feeds, click on Domain name:
  - Set the name of the connector.
  - Set Status to Enabled.
  - Set Update method to External feed.
  - Paste the URL of Domain-EDL in the URI of an external resource field, and click OK.
- Create a new connector in the same way for Hash EDL.
- To create a new external connector, click Create new.
- In Threat Feeds, click on Malware Hash:
  - Set the name of the connector.
  - Set Status to Enabled.
  - Set Update method to External feed.
  - Paste the URL of Hash-EDL in the URI of an external resource field, and click OK.
- Create a new connector in the same way for URL EDL.
- To create a new external connector, click Create new.
- In Threat Feeds, click on FortiGuard Category:
  - Set the name of the connector.
  - Set Status to Enabled.
  - Set Update method to External feed.
  - Paste the URL of URL-EDL in the URI of an external resource field, and click OK.
- After the last step, you should be able to execute the FortiGate actions on demand or through Playbooks to block and unblock IPs, domains, hashes, and URLs.
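FortiGate enforces whatever the four EDL files contain, so a malformed or overly broad entry added by a playbook ends up in policy. The linter below is an added example, not part of the SIRP app or Fortinet tooling, that checks each file by type and holds back entries that should not be published. It assumes one entry per line with `#` comments; the protected ranges and minimum prefix lengths are assumed site policy.

```python
import ipaddress
import re
from urllib.parse import urlsplit
# Assumptions (not from the page): one entry per line, '#' starts a comment,
# and PROTECTED / MIN_PREFIX are site policy for what is never auto-blocked.
PROTECTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_PREFIX = {4: 24, 6: 48}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)

def check_ip(entry):
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return "not an IP address or CIDR"
    if any(p.version == net.version and p.overlaps(net) for p in PROTECTED):
        return "overlaps a protected internal range"
    if net.prefixlen < MIN_PREFIX[net.version]:
        return "prefix too broad for an automated block"
    return None

def check_domain(entry):
    return None if DOMAIN_RE.match(entry) else "not a valid domain name"

def check_url(entry):
    try:  # entries may omit the scheme, so parse them as network-path references
        host = urlsplit(entry if "://" in entry else "//" + entry).hostname
    except ValueError:
        host = None
    return None if host and not re.search(r"\s", entry) else "not a valid URL"

def check_sha256(entry):
    return None if SHA256_RE.match(entry) else "not a 64-character hex SHA-256"

CHECKS = {"ip_list.txt": check_ip, "domain_list.txt": check_domain,
          "url_list.txt": check_url, "sha256_list.txt": check_sha256}

def lint_feed(filename, text):
    """Return (accepted entries, [(line_no, entry, reason)]) for one EDL file."""
    check = CHECKS[filename]
    rows = [(no, ln.strip()) for no, ln in enumerate(text.splitlines(), 1)]
    rows = [(no, e, check(e)) for no, e in rows if e and not e.startswith("#")]
    return [e for _, e, r in rows if not r], [row for row in rows if row[2]]

# Constructed sample for ip_list.txt (documentation addresses).
SAMPLE_IP_FEED = "# sample\n203.0.113.7\n10.20.30.40\n0.0.0.0/0\n198.51.100.0/24\nnot-an-ip\n"
if __name__ == "__main__":
    for line_no, entry, reason in lint_feed("ip_list.txt", SAMPLE_IP_FEED)[1]:
        print(f"ip_list.txt:{line_no}: hold {entry!r}: {reason}")
```

Run it against the text fetched from each EDL URL before enabling the matching connector, and review held entries in SIRP rather than on the firewall.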