SOCFortress Integrations — FortiGate BlockList, File Hashes

SOCFortress
2 min read · Jul 16, 2023


Intro

FortiGate Dynamic BlockList — General Overview:
Threat feeds dynamically import external block lists from an HTTP server in the form of a plain text file.

Block lists can be used to enforce special security requirements, such as long term policies to always block access to certain websites, or short term requirements to block access to known compromised locations. The lists are dynamically imported, so that any changes are immediately imported by FortiOS.

There are four types of threat feeds:

  • FortiGuard Category
  • IP Address
  • Domain Name
  • Malware Hash

External resources: file format

File format requirements for an external resources file:

  • The file is in plain text format, with one malware hash per line.
  • The file is limited to 10 MB or 128 × 1024 (131072) entries, whichever limit is hit first.
  • The entry limit also follows the table size limitation defined by CMDB per model.
  • The external resources update period can be set to 1 minute, hourly, daily, weekly, or monthly (monthly being 43200 minutes, i.e. 30 days).
  • There is no duplicated entry validation for the external resources file (entry inside each file or inside different files).
  • If the number of entries exceeds the limit, a warning is displayed. Additional entries beyond the threshold will not be loaded.

Malware File Hashes:
The file MUST contain one hash per line in the format:

<hex hash> [optional hash description]

Each line may carry an MD5, SHA1, or SHA256 hex hash. The feed is automatically used for virus outbreak prevention on antivirus profiles with external-blocklist enabled.

For optimal performance, Fortinet recommends not mixing different hash types in one list: use only one of MD5, SHA1, or SHA256.

Examples:

292b2e6bb027cd4ff4d24e338f5c48de
dda37961870ce079defbf185eeeef905 Trojan-Ransom.Win32.Locky.abfl
3fa86717650a17d075d856a41b3874265f8e9eab Trojan-Ransom.Win32.Locky.abfl
c35f705df9e475305c0984b05991d444450809c35dd1d96106bb8e7128b9082f Trojan-Ransom.Win32.Locky.abfl

NOTE: File hashes provided by SOCFortress’ blocklist service will include SHA256 for all file entries.
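As an added example (not SOCFortress or Fortinet code), a small Python validator for the file format described above: it checks each line against the hash-per-line rule, drops the duplicate entries FortiOS would otherwise load twice, flags mixed hash types and enforces the 131072-entry cap before a feed is published. The sample feed and its descriptions are constructed for the example.

```python
import hashlib  # only used to build the constructed sample feed
import re

# Hex-digest lengths FortiOS accepts on a malware-hash feed line.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
MAX_ENTRIES = 128 * 1024  # 131072, the per-file entry limit from the docs
LINE_RE = re.compile(r"^([0-9a-fA-F]+)(?:\s+(.*))?$")


def parse_blocklist(text):
    """Parse a FortiGate external-resource malware hash file.

    Returns (entries, problems): entries is a list of (hash, type, description)
    with duplicates removed (FortiOS does no duplicate validation itself);
    problems lists findings a feed publisher should fix before serving the file.
    """
    entries, problems, seen, types = [], [], set(), set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m or len(m.group(1)) not in HASH_TYPES:
            problems.append(f"line {lineno}: not an MD5/SHA1/SHA256 hex hash")
            continue
        digest = m.group(1).lower()
        htype = HASH_TYPES[len(digest)]
        if digest in seen:
            problems.append(f"line {lineno}: duplicate {htype} {digest[:12]}... dropped")
            continue
        seen.add(digest)
        types.add(htype)
        entries.append((digest, htype, m.group(2) or ""))
    if len(types) > 1:
        problems.append(f"mixed hash types {sorted(types)}; Fortinet recommends one type per file")
    if len(entries) > MAX_ENTRIES:
        problems.append(f"{len(entries)} entries exceed the {MAX_ENTRIES} limit; only the first {MAX_ENTRIES} load")
        entries = entries[:MAX_ENTRIES]
    return entries, problems


def render_blocklist(entries):
    """Serialise entries back to the one-hash-per-line text format FortiOS expects."""
    return "".join(f"{h} {d}".rstrip() + "\n" for h, _, d in entries)


# Constructed sample feed: SHA256 digests of made-up content, one repeated,
# one MD5 mixed in, and a line that is not a hash at all.
SAMPLE = "\n".join([
    hashlib.sha256(b"sample-a").hexdigest() + " Example.Sample.A",
    hashlib.sha256(b"sample-b").hexdigest(),
    hashlib.sha256(b"sample-a").hexdigest() + " duplicate of first",
    hashlib.md5(b"sample-c").hexdigest() + " Example.Sample.C",
    "not-a-hash Example.Bad",
])
```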

SOCFortress Threat Intel and FortiGate BlockList — File Hashes

SOCFortress Threat Intel file hashes (SHA256) are exported and formatted as required by FortiGate firewalls. The list is updated every 24 hours and can be imported over HTTPS using basic auth.

To create a threat feed using FortiGate’s CLI:

config system external-resource
    edit <name>
        set status {enable | disable}
        set type {category | address | domain | malware}
        set category <integer>
        set username <string>
        set password <string>
        set comments <string>
        *set resource <resource-uri>
        set user-agent <string>
        *set refresh-rate <integer>
        set source-ip <ip address>
        set interface-select-method {auto | sdwan | specify}
    next
end

Need Help?

The functionality discussed in this post, and much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).