External Resources for DNS filter

External Resources for DNS filter

Introduction

External Resources is a new feature introduced in FortiOS 6.0. It provides a capability to dynamically import an external blacklist into an HTTP server. This feature enables FortiGate to retrieve a dynamic URL/Domain Name/IP

Address/Malware hash list from an external HTTP server periodically. FortiGate uses these external resources as Web Filter’s remote categories, DNS filter’s remote categories, policy address objects, or antivirus profile’s malware definitions. If external resources are updated, FortiGate objects are also updated dynamically.

External Resource is divided into four types:

l URL list (Type=category) l Domain Name List (Type=domain) l IP Address list (Type=address) l Malware hash list (Type=malware)

Remote categories and external IP block list

The DNS Filter profile can use two types of external resources: domain type and address type. Domain type resources file is a domain name list and address type resources file is an IP address list.

When a domain type external resource is configured, it is treated as a Remote Category in DNS Filter profile. If the domain name in DNS Query matches the entry in this external resource file, it is treated as the Remote Category and follows the action configured for this category in DNS Filter profile.

When an address type external resource is configured, it can be enabled as external-ip-blocklist in DNS Filter profile. If DNS resolved IP address in DNS response matches the entry in the external-ip-blocklist, this DNS Query is blocked by DNS Filter.

External Resources file format

File format requirements for External Resources file:

  • The file is in plain text format with each URL list/IP Address/Domain Name occupying one line.
  • The file is limited to 10 MB, and each line is limited to 128 KB (128 X 1024 entries). Line length limit is 4 KB characters.
  • The entry limit also follows the table size limitation defined by CMDB per model.
  • The External Resources update period can be set to 1 minute, hourly, daily, weekly, or monthly (43200 min, 30 days).
  • The External Resources type as category (URL list) and domain (Domain Name list) share the category number

range 192-221 (total of 30 categories).

  • There is no duplicated entry validation for External Resources file (entry inside each file or inside different files).

For Domain Name list (Type=domain):

  • Simple wildcard is allowed in domain name list, from example: *.test.com. l IDN (International Domain Name) is supported.

For IP Address list (Type=address):

  • IP address can be single IP address, subnet address, or address range, for example, 192.168.1.1, 192.168.10.0/24,192.168.100.1-192.168.100.254. l An address can be IPv4 or IPv6 address, for Type=address, IPv6 address does not need to be in [ ] format.

Configure External Resources from CLI

You can use CLI to configure External Resources files in an external HTTP server. Under Global, configure the External Resources file location and specify the resource type. DNS Filter can use domain type and address type external resources.

In the following example, configure a file “Ext-Resource-Type-as-Domain-1.txt” as type domain and it will be treated in DNS Filter as Remote Category name as “Ext-Resource-Type-as-Domain-1” and category-id 194. Configure another external resource file “Ext-Resource-Type-as-Address-1.txt” as type address, and this address object name is “ExtResource-Type-as-Address-1”:

config system external-resource edit “Ext-Resource-Type-as-Domain-1” set type domain <<<==== set category 194 <<<====

set resource “http://172.16.200.66/external-resources/Ext-Resource-Type-as-Domain-1.txt” set refresh-rate 1

next

edit “Ext-Resource-Type-as-Address-1″ set status enable set type address <<<==== set username ” set password set comments ”

set resource “http://172.16.200.66/external-resources/Ext-Resource-Type-as-Address-

1.txt” set refresh-rate 1

next

end

In each VDOM, domain type external resource can be used in DNS Filter as Remote Category. In the above example, Domain Name list in “Ext-Resource-Type-as-Domain-1.txt” file is treated as remote category (category-id 194). IP address list in “Ext-Resource-Type-as-Address-1.txt” file can be applied in DNS Filter as external-ip-blocklist. If DNS resolved IP address matches any entry in the list in that file, the DNS query is blocked. You should configure the action for this remote category and enable “external-ip-block-list” in a DNS Filter profile and apply it in the policy:

config dnsfilter profile edit “default” set comment “Default dns filtering.” config ftgd-dns config filters edit 1 set category 194 <<<==== domain list in Ext-Resource-Type-as-Domain-1.txt

treated as remote category 194

set action block

next edit 2 set category 12

next edit 3 next

end

end

set block-botnet enable

set external-ip-blocklist “Ext-Resource-Type-as-Address-1” <<<==== IP address in “ExtResource-Type-as-Address-1” file. next

end

config firewall policy edit 1 set name “DNSFilter” set srcintf “port10” set dstintf “port9” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL” set utm-status enable set logtraffic all set dnsfilter-profile “default” set profile-protocol-options “protocol” set ssl-ssh-profile “protocols”

set nat enable

next

end

Configure External Resources from GUI

To configure, edit, or view the entries for external resources from GUI:

  1. Go to Global > Security Fabric > Fabric Connectors.
  2. Click Create New and in the Threat Feeds section, select Domain Name or IP Address.
  3. Enter the Resource Name, URL, location of the resource file, resource authentication credentials, and Refresh Rate; and click OK to finish the Threat Feeds configuration.
  4. When the configuration is complete, double-click the Threat Feeds Object you just configured to open the Edit page; then click View Entries to view the entry list in the external resources file.
  5. Go to VDOM > DNS Filter and open a DNS filter profile. The configured external resources displays and you can apply it in each DNS Filter Profile: remote category or external IP block lists.

Log Example

Remote categories

In VDOM > Log & Report > DNS Query, some domains that match the Remote Category list are rated as Remote

Category, overriding their original domain rating.

CLI Example:

1: date=2019-01-18 time=13:49:12 logid=”1501054802″ type=”utm” subtype=”dns” eventtype=”dnsresponse” level=”notice” vd=”vdom1″ eventtime=1547848151 policyid=1 sessionid=82998 srcipp=10.1.100.18 srcport=42985 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”default” xid=38234 qname=”www.example.com” qtype=”A” qtypeval=1 qclass=”IN” ipaddr=”93.184.216.34″ msg=”Domain is monitored” action=”pass” cat=196 catdesc=”Ext-Resource-Type-as-Domain-3″

2: date=2019-01-18 time=13:49:12 logid=”1500054000″ type=”utm” subtype=”dns” eventtype=”dnsquery” level=”information” vd=”vdom1″ eventtime=1547848151 policyid=1 sessionid=82998 srcipp=10.1.100.18 srcport=42985 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”default” xid=38234 qname=”www.example.com” qtype=”A” qtypeval=1 qclass=”IN”

External-IP-Block-Lists

You can use Address Type external resources as external-ip-blocklist in DNS Filter Profile. If DNS Query resolved IP Address matches the entry in the external-ip-blocklist, this DNS query is blocked.

CLI Example:

1: date=2019-01-18 time=13:50:53 logid=”1501054400″ type=”utm” subtype=”dns” eventtype=”dnsresponse” level=”warning” vd=”vdom1″ eventtime=1547848253 policyid=1 sessionid=83206 srcipp=10.1.100.18 srcport=47281 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”default” xid=7501 qname=”www.example.com” qtype=”A” qtypeval=1 qclass=”IN” msg=”Domain was blocked because it is in the domain-filter list” action=”redirect” domainfilteridx=0 domainfilterlist=”Ext-ResourceType-as-Address-1″

2: date=2019-01-18 time=13:50:53 logid=”1500054000″ type=”utm” subtype=”dns” eventtype=”dnsquery” level=”information” vd=”vdom1″ eventtime=1547848253 policyid=1 sessionid=83206 srcipp=10.1.100.18 srcport=47281 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”default” xid=7501 qname=”www.example.com” qtype=”A” qtypeval=1 qclass=”IN”

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.