Export Details

ThreatQuotient provides the following details for this export:

Introduction

ThreatQuotient makes it easy for customers to export IOCs to their Fortinet FortiGate Firewall. The implementation is done using the Threat Feed Connectors feature available in FortiOS v6.0 and above. An export with IOCs is first created on ThreatQ and the export URL is installed FortiGate appliance.

This integration only works on FortiOS v6.0 and above.

Prerequisites

Before starting the integration, users are encouraged to familiarize themselves with the following documents:

• Fortinet Fortigate cookbook on blocking malicious domains using threat feeds - https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/85580
• Using Threat Feed Connectors in FortiOS v6.0 and above - https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-security-profiles/Web_Filter/Overriding%20FortiGuard%20website%20categorization.htm#External

Creating the Export

The export is a dynamic list of IOCs which should be configured on ThreatQ and provided to a FortiGate instance to read from.

See the Managing Exports topic for more details on ThreatQ exports.  

1. Select the Settings icon > Exports.

   The Exports page appears with a table listing all exports in alphabetical order.

2. Click Add New Export

   The Connection Settings dialog box appears.

3. Enter an Export Name.
4. Click Next Step.

   The Output Format dialog box appears.

5. Provide the following information:

   Field	Value
   Type of information you would like to export	Indicators
   Output Type	text/plain
   Special Parameters	There are two options for special parameters: If the security policy of your organization requires that all IP Addresses and FQDNs are sent to FortiGate, use these filters for the special parameters: indicator.status=Active&indicator. deleted=N&indicator.type=IP Address& indicator.type=FQDN To send only the IOCs that have a custom status, e.g. Send to FortiGate, use the special parameters below. To create the custom status: Follow the steps in the Indicator Status topic to create a status called Send to FortiGate. Use the following special parameter for your export: indicator.status=Send to FortiGate
   Output Template	{foreach $data as $indicator} {$indicator.value} {/foreach}

   Once configured, the export will look similar to the snapshot below.
   

Configuring FortiGate

The following section will provide you with steps and related resources to configure ForitGate to work with the export.  

Configure FortiGate to Download Indicators from ThreatQ

The following detailed steps have been copied from the FortiGate support center and provided here for convenience. The source is https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/85580

Blocking Malicious Domains using Threat Feeds

This example uses a domain name threat feed and FortiGate DNS filtering to block malicious domains. The text file in this example is a list of gambling site domain names.

Threat feeds allow you to dynamically import external block lists in the form of a text file into your FortiGate. These text files, stored on an HTTP server, can contain a list of web addresses or domains. You can use threat feeds to deny access to a source or destination IP address in Web Filter and DNS Filter profiles, SSL inspection exemptions, and as a source/destination in proxy policies. You can use Fabric connectors for FortiGate that do not belong to a Fortinet Security Fabric.

1. Create an external block list. The external block list should be a plain text file with one domain name per line. The use of simple wildcards is supported. You can create your own text file or download it from an external service. Upload the text file to the HTTP file server.
   
2. Configure the threat feed:
   1. In FortiOS, go to Security Fabric -> Fabric Connectors. Click Create New.
   2. Under Threat Feeds, select Domain Name.
   3. Configure the Name, URI of external resource, and Refresh Rate fields. In the URI of external resource field, enter the location of the text file on the HTTP file server. By default, the FortiGate rereads the file and uploads any changes every five minutes.
      
   4. Click View Entries to see the text file's domain list.
      
   5. Click OK.
3. Add the threat feed to the DNS filter:
   1. Go to Security Profiles -> DNS Filter.
   2. Scroll to the list of preconfigured FortiGuard filters.
   3. The resource file uploaded earlier is listed under Remote Categories. Set the action for this category to Block.
      
4. Configure the outgoing Internet policy:
   1. Go to Policy & Objects -> IPv4 Policy.
   2. Enable the DNS Filter under the Security Profiles.
   3. From the SSL Inspection dropdown list, select an SSL inspection profile.
5. View the results:
   1. Visit a domain on the external resource file. This example visits 123gambling.com. A Web Page Blocked! message appears.
      
   2. In FortiOS, go to Log & Report -> DNS Query. The logs show that the 123gambling.com domain belongs to a blocked category.
      

Change Log

• Version 1.0.0
  • Initial release