Fortinet FortiGate Guide

Use this guide to add Cybora to FortiGate using External Connectors. FortiGate imports the feed as a dynamic external object and keeps it synchronized from your feed URL.

What FortiGate can do with a Cybora feed

  • IP address feeds can be used as source or destination objects in firewall policies, proxy policies, local-in policies, and ZTNA rules. They can also be used as an external IP block list in DNS filter profiles.
  • Domain feeds become Remote Categories in DNS filter profiles and can be used to block or monitor matching domains.
  • If you work with URL-style indicators, use the corresponding URL or FortiGuard Category style external feed supported by your FortiOS release. In practice, IP feeds are usually enforced through firewall policy objects, while domain feeds are usually enforced through DNS filtering.

Before you start

  • Use a FortiGate or FortiOS release that supports Security Fabric > External Connectors.
  • Make sure the FortiGate can reach your Cybora feed URL over HTTP or HTTPS.
  • Use the correct Cybora feed type for your plan and use case.
  • The feed file must be plain text with one entry per line.
  • If you run multi-VDOM mode, decide whether the connector should be created in the global VDOM or in a specific VDOM before you start.
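
A pre-flight check for the requirement above that the feed be plain text with one entry per line; it also suggests which feed type to select when you create the connector. This is an added example, not Cybora or Fortinet code: the function names and sample feeds are constructed, and it assumes entries are single IPs, CIDR blocks or bare domain names, so anything else (comments, ranges, an HTML error page) is flagged for review.

```python
import ipaddress
import re

# Constructed sample feed bodies (not real Cybora data); documentation ranges only.
SAMPLE_IP_FEED = "192.0.2.10\n198.51.100.0/24\n2001:db8::1\n"
SAMPLE_BAD_FEED = "192.0.2.10\nexample.com\n203.0.113.5, 203.0.113.6\n<html>\n"

_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)

def classify_entry(line):
    """Return 'ip', 'domain' or 'invalid' for one feed line."""
    entry = line.strip()
    try:
        ipaddress.ip_network(entry, strict=False)  # accepts single IPs and CIDR
        return "ip"
    except ValueError:
        pass
    return "domain" if _DOMAIN_RE.match(entry) else "invalid"

def check_feed(text):
    """Summarise a feed body and suggest the matching connector type."""
    counts = {"ip": 0, "domain": 0, "invalid": 0}
    problems = []  # (line number, content) of entries that need review
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # blank lines carry no entry
        kind = classify_entry(line)
        counts[kind] += 1
        if kind == "invalid":
            problems.append((lineno, line.strip()))
    if counts["invalid"] or (counts["ip"] and counts["domain"]):
        suggestion = "fix feed"  # mixed or malformed: do not import as-is
    elif counts["ip"]:
        suggestion = "IP Address"
    elif counts["domain"]:
        suggestion = "Domain Name"
    else:
        suggestion = "empty feed"
    return {"counts": counts, "problems": problems, "connector_type": suggestion}

if __name__ == "__main__":
    for name, body in (("ip", SAMPLE_IP_FEED), ("bad", SAMPLE_BAD_FEED)):
        print(name, check_feed(body))
```

Run it against a saved copy of the feed rather than fetching the URL repeatedly, since each fetch counts against the plan's request interval.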

Create the external connector

  1. Go to Security Fabric > External Connectors and click Create New.
  2. Select the feed type that matches your Cybora feed. Use IP Address for IP indicators and Domain Name for domain indicators.
  3. Enter a clear connector name.
  4. Set Update method to External Feed.
  5. Paste your Cybora feed URL into URL of external resource.
  6. Leave HTTP basic authentication disabled unless your specific feed requires it.
  7. Set the Refresh Rate to match your Cybora plan exactly. Only one request is permitted within the allowed interval. If the FortiGate polls more often than your plan allows, the feed may be blocked.
  8. Save the connector and confirm that it is enabled.

Apply the feed in FortiGate

  1. For IP address feeds, use the imported object as a source or destination in the relevant firewall policy.
  2. For domain feeds, use the imported feed as a Remote Category in the DNS filter profile that is attached to your policy.
  3. If you want matching traffic blocked, make sure the consuming policy or security profile is configured to deny or block traffic based on the imported feed.
  4. Enable logging on the consuming policy or profile so you can validate matches and troubleshoot more easily.

Validation

  1. Open the external connector and check Last Update and connection status.
  2. Use View Entries to confirm that FortiGate has imported the expected indicators.
  3. Confirm that the connector is referenced by the intended policy or DNS filter profile.
  4. Test with known matching traffic and review the corresponding policy, DNS filter, or security logs.

If the FortiGate temporarily loses connectivity to the external server, the existing imported list can continue to work, but it will not refresh until connectivity is restored.

Further reading