Integrate Threat Intelligence with Fortinet Fortigate

Introduction

In today’s cybersecurity landscape, protecting your network from evolving threats is crucial. One way to enhance your security posture is by integrating dynamic threat intelligence feeds, such as Indicators of Compromise (IoCs), into your Fortinet Firewall (FortiGate). This guide provides step-by-step instructions on how to integrate Q-Feeds, a dynamic and regularly updated source of IoCs, with your FortiGate firewall to automatically block malicious traffic and stay updated with the latest threat information.


Step 1: Obtaining Q-Feeds API Token

To start integrating Q-Feeds with your Fortinet Firewall, you will first need to obtain an API token. This token allows you to download IoC lists directly into your FortiGate firewall. Here’s how you can obtain the token:

  1. Request API Token:
    • Visit the Q-Feeds website to request a trial API token.
    • Alternatively, contact your account manager to obtain the token.
  2. API Token Usage:
    • The API token is essential for accessing Q-Feeds’ dynamic lists. This token is linked to your account and should be kept secure.

Step 2: Configuring Dynamic IoC Lists in FortiGate

Once you have the API token, follow these steps to configure dynamic IoC lists in your FortiGate NGFW:

  1. Navigate to Security Fabric:
    • Go to Security Fabric > External Connectors in your FortiGate dashboard.
    • Click on Create New to start adding a new IoC source.
  2. Select Connector Type:
    • Choose the appropriate connector type based on the IoC you wish to import:
      • IP Address: For lists of malicious IP addresses.
      • Domain Name: For lists of dangerous or phishing URLs.
  3. Set Parameters for Dynamic Lists:
    • Name: Enter a descriptive name for the list (e.g., “Dangerous IPs List”).
    • URI of External Resource: Input the URI provided by Q-Feeds (e.g., https://api.qfeeds.com/api.php?feed_type=XXXXX).
    • Limit: Optionally set a threshold for the number of IoCs being downloaded (recommended limit: 130,000).
    • HTTP Basic Authentication: Enable this option and enter your API token credentials.
    • Refresh Rate: Set the update frequency according to your network’s needs (refer to Q-Feeds’ documentation for recommended values).
    • Status: Toggle the status to “On” to activate the list.
  4. Finalize the Configuration:
    • After filling out all the required fields, click OK to create the connector.

Step 3: Applying IoCs in FortiGate Policies

After successfully importing the IoCs, you can use these lists in various FortiGate policies to enhance network security:

  • Web Filter and DNS Filter: Block access to malicious websites and phishing domains.
  • Antivirus Profile: Prevent infections from known malicious sources.
  • IPv4 and Proxy Policies: Use IoCs as source or destination criteria to filter network traffic.

These policies help ensure that your network is continuously protected against new and emerging threats.


Conclusion

By integrating Q-Feeds with your FortiGate firewall, you significantly enhance your network’s defenses. This integration enables your firewall to automatically update and apply the latest threat intelligence, keeping your organization safe from cyber threats. For more detailed information and troubleshooting, refer to the official Fortinet documentation or contact your account manager.


This article is designed to help network administrators and IT security professionals quickly and effectively integrate threat intelligence with Fortinet firewalls, ensuring robust network security with minimal manual intervention.