FortiGate Features that work after subscriptions expire
License-less FortiGate Protections
To provide a more comprehensive list, the following features continue to work after your FortiGate subscriptions expire (the only exception is the virtual FortiGate firewalls, which require a base license for this functionality):
When you are running a FortiGate without licenses (as a lot of lab units end up doing), there are still ways to get dynamic updates, through the use of External Threat Feeds. An external threat feed is a way for a FortiGate to pull a list of URLs, IPs, domains, or malware hashes from a web site, generally as a text file. As with most things on the internet, there are paid feeds to enhance the security of your FortiGate, but there are also free open source feeds that can be used.
As an example of the feeds you can have with an external connector, the below CLI script installs some of the connectors that I personally use on my home FortiGate:
__________________________________________________________________________
config system external-resource
edit "URLHaus Malicious Domains"
set type domain
set category 220
set resource "https://malware-filter.gitlab.io/malware-filter/urlhaus-filter.txt"
next
edit "Facebook IPv4 Ranges"
set type address
set resource "https://raw.githubusercontent.com/SecOps-Institute/FacebookIPLists/master/facebook_ipv4_cidr_blocks.lst"
set refresh-rate 43200
next
edit "LinkedIn IPv4 Ranges"
set type address
set resource "https://raw.githubusercontent.com/SecOps-Institute/LinkedInIPLists/master/linkedin_ipv4_cidr_blocks.lst"
set refresh-rate 43200
next
edit "DigitalOcean IPv4 Addresses"
set type address
set resource "https://raw.githubusercontent.com/SecOps-Institute/Digitalocean-ASN-and-IPs-List/master/digitalocean_ip_cidr_blocks.lst"
set refresh-rate 43200
next
edit "Akamai IPv4 Addresses"
set type address
set resource "https://raw.githubusercontent.com/SecOps-Institute/Akamai-ASN-and-IPs-List/master/akamai_ip_cidr_blocks.lst"
set refresh-rate 43200
next
edit "SpamHaus Drop IP List"
set type address
set comments "The Spamhaus DROP (Don\'t Route Or Peer) lists are advisory \"drop all traffic\" lists, consisting of netblocks that are \"hijacked\" or leased by professional spam or cyber-crime operations"
set resource "https://raw.githubusercontent.com/SecOps-Institute/SpamhausIPLists/master/drop.txt"
set refresh-rate 60
next
edit "TOR Exit Nodes"
set type address
set resource "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst"
set refresh-rate 60
next
edit "TOR Nodes"
set type address
set resource "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-nodes.lst"
set refresh-rate 60
next
edit "emberstack Advertising list"
set type domain
set category 221
set resource "https://raw.githubusercontent.com/emberstack/threat-feed/main/Feed/List/ThreatFeed.Domains.Advertising.txt"
set refresh-rate 60
next
end
config system external-resource
edit "Cloudflare-IPv4-IPs"
set type address
set resource "https://www.cloudflare.com/ips-v4"
next
edit "EasyPrivacy"
set type domain
set category 219
set resource "https://v.firebog.net/hosts/Easyprivacy.txt"
set refresh-rate 60
next
edit "Prigent-Ads Blacklist"
set type domain
set category 218
set resource "https://v.firebog.net/hosts/Prigent-Ads.txt"
set refresh-rate 60
next
edit "Simple Malvertising"
set type domain
set category 217
set resource "https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt"
set refresh-rate 60
next
edit "RiPiList Phishing"
set type domain
set category 216
set resource "https://v.firebog.net/hosts/RPiList-Phishing.txt"
set refresh-rate 60
next
edit "Pihole Porn Blocklist"
set type domain
set category 215
set resource "https://raw.githubusercontent.com/chadmayfield/my-pihole-blocklists/master/lists/pi_blocklist_porn_top1m.list"
set refresh-rate 60
next
edit "Prigent Adult Domains"
set type domain
set category 214
set resource "https://v.firebog.net/hosts/Prigent-Adult.txt"
set refresh-rate 60
next
end
__________________________________________________________________________
One thing to note is that FortiGuard Category feeds still require a FortiGuard Web Filtering license to work, so you are best off importing feeds as domain feeds if you are looking for free protections.
IP Lists and Domain Lists can be used within Firewall Policies. The IP Lists can be used as a source or destination for the Policy, and the domain list can be used within DNS Filtering profiles.
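Because an address feed ends up as the source or destination of a policy, it is worth sanity-checking a third-party list before trusting it. The following is an added example, not part of the original post or any Fortinet tooling: it parses a feed body and rejects entries that are unparseable, implausibly broad, or overlapping networks you never want matched. The function names, the `PROTECTED` list, the prefix thresholds, the accepted entry shapes and the `#`/`;` comment handling are all assumptions to adjust.

```python
import ipaddress

# Assumption: ranges that must never appear in a feed used by a deny policy.
PROTECTED = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Assumption: shortest prefix length considered plausible, per IP version.
MIN_PREFIX = {4: 8, 6: 16}

# Constructed sample input (documentation ranges), not real feed content.
SAMPLE = """# constructed sample feed
203.0.113.0/24
198.51.100.7
198.51.100.10-198.51.100.20
0.0.0.0/0
192.168.1.0/24
not-an-ip
2001:db8::/32 ; constructed trailing comment
"""

def parse_entry(text):
    """Return networks for one entry: single IP, CIDR, or 'start-end' range."""
    if "-" in text:
        start, end = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(text, strict=False)]

def check_feed(body):
    """Return (accepted networks, rejected (line_no, raw_line, reason) tuples)."""
    accepted, rejected = [], []
    for no, raw in enumerate(body.splitlines(), 1):
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        try:
            nets = parse_entry(line)
        except (ValueError, TypeError) as exc:
            rejected.append((no, raw, f"unparseable: {exc}"))
            continue
        for net in nets:
            if net.prefixlen < MIN_PREFIX[net.version]:
                rejected.append((no, raw, f"too broad: /{net.prefixlen}"))
            elif any(net.version == p.version and net.overlaps(p) for p in PROTECTED):
                rejected.append((no, raw, "overlaps protected network"))
            else:
                accepted.append(net)
    return accepted, rejected

if __name__ == "__main__":
    for no, raw, reason in check_feed(SAMPLE)[1]:
        print(f"line {no}: {raw!r} rejected ({reason})")
```

Run it against a downloaded copy of a feed before adding the connector, and again whenever the upstream file changes unexpectedly in size.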
If you have any other feeds that are worthwhile using, please leave a comment below!