FortiGate Features that work after subscriptions expire

License-less FortiGate Protections

One of the things that I like about FortiGate firewalls is the fact that the majority of features are available without a license. As a general rule, Fortinet will want you to pay a subscription for any feature that has ongoing costs for them to run, such as:
- FortiGuard Updates (including Web Filtering, AV, IPS/IDS and WAF)
- Firmware Updates

To provide a more comprehensive list, the following features continue to work after your FortiGate subscriptions expire; the only exception is the virtual FortiGate firewalls, which require a base license for this functionality:

When you are running a FortiGate without licenses (as a lot of lab units end up doing), there are still ways to get dynamic updates: External Threat Feeds. An external threat feed is a way for a FortiGate to pull a list of URLs, IP addresses, domains, or malware hashes from a web site, generally as a plain text file. As with most things on the internet, there are paid feeds to enhance the security of your FortiGate, but there are also free open-source feeds that can be used.

As an example of the feeds you can have with an external connector, the below CLI script installs some of the connectors that I personally use on my home FortiGate:

__________________________________________________________________________

config system external-resource
    edit "URLHaus Malicious Domains"
        set type domain
        set category 220
        set resource "https://malware-filter.gitlab.io/malware-filter/urlhaus-filter.txt"
    next
    edit "Facebook IPv4 Ranges"
        set type address
        set resource "https://raw.githubusercontent.com/SecOps-Institute/FacebookIPLists/master/facebook_ipv4_cidr_blocks.lst"
        set refresh-rate 43200
    next
    edit "LinkedIn IPv4 Ranges"
        set type address
        set resource "https://raw.githubusercontent.com/SecOps-Institute/LinkedInIPLists/master/linkedin_ipv4_cidr_blocks.lst"
        set refresh-rate 43200
    next
    edit "DigitalOcean IPv4 Addresses"
        set type address
        set resource "https://raw.githubusercontent.com/SecOps-Institute/Digitalocean-ASN-and-IPs-List/master/digitalocean_ip_cidr_blocks.lst"
        set refresh-rate 43200
    next
    edit "Akamai IPv4 Addresses"
        set type address
        set resource "https://raw.githubusercontent.com/SecOps-Institute/Akamai-ASN-and-IPs-List/master/akamai_ip_cidr_blocks.lst"
        set refresh-rate 43200
    next
    edit "SpamHaus Drop IP List"
        set type address
        set comments "The Spamhaus DROP (Don\'t Route Or Peer) lists are advisory \"drop all traffic\" lists, consisting of netblocks that are \"hijacked\" or leased by professional spam or cyber-crime operations"
        set resource "https://raw.githubusercontent.com/SecOps-Institute/SpamhausIPLists/master/drop.txt"
        set refresh-rate 60
    next
    edit "TOR Exit Nodes"
        set type address
        set resource "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst"
        set refresh-rate 60
    next
    edit "TOR Nodes"
        set type address
        set resource "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-nodes.lst"
        set refresh-rate 60
    next
    edit "emberstack Advertising list"
        set type domain
        set category 221
        set resource "https://raw.githubusercontent.com/emberstack/threat-feed/main/Feed/List/ThreatFeed.Domains.Advertising.txt"
        set refresh-rate 60
    next
    edit "Cloudflare-IPv4-IPs"
        set type address
        set resource "https://www.cloudflare.com/ips-v4"
    next
    edit "EasyPrivacy"
        set type domain
        set category 219
        set resource "https://v.firebog.net/hosts/Easyprivacy.txt"
        set refresh-rate 60
    next
    edit "Prigent-Ads Blacklist"
        set type domain
        set category 218
        set resource "https://v.firebog.net/hosts/Prigent-Ads.txt"
        set refresh-rate 60
    next
    edit "Simple Malvertising"
        set type domain
        set category 217
        set resource "https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt"
        set refresh-rate 60
    next
    edit "RiPiList Phishing"
        set type domain
        set category 216
        set resource "https://v.firebog.net/hosts/RPiList-Phishing.txt"
        set refresh-rate 60
    next
    edit "Pihole Porn Blocklist"
        set type domain
        set category 215
        set resource "https://raw.githubusercontent.com/chadmayfield/my-pihole-blocklists/master/lists/pi_blocklist_porn_top1m.list"
        set refresh-rate 60
    next
    edit "Prigent Adult Domains"
        set type domain
        set category 214
        set resource "https://v.firebog.net/hosts/Prigent-Adult.txt"
        set refresh-rate 60
    next
end

__________________________________________________________________________


One thing to note is that FortiGuard category feeds still require a FortiGuard Web Filtering license to work, so you are best importing feeds as domain feeds (with a custom category number, as in the script above) if you are looking for free protections.

IP lists and domain lists can be used within firewall policies. An IP list can be used as a source or destination address for a policy, and a domain list can be used within DNS Filtering profiles.
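As an added example of how to consume those feeds (my own config for illustration, not part of the script above), the following CLI denies outbound traffic to the Spamhaus DROP and TOR exit node address feeds, and blocks the URLHaus and phishing domain feeds through a DNS Filter profile attached to the general outbound policy. It assumes port2 is the LAN, port1 is the WAN, and that policy IDs 10 and 11 and the profile name "home-dns" are not already in use on your unit.

```fortios
# Added example (not the post's own config). Assumes port2 = LAN, port1 = WAN,
# and that policy IDs 10 and 11 and the profile "home-dns" are unused.
config firewall policy
    edit 10
        set name "Deny-ThreatFeed-Out"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        # address feeds are referenced by the external-resource name
        set dstaddr "SpamHaus Drop IP List" "TOR Exit Nodes"
        set schedule "always"
        set service "ALL"
        set action deny
        set logtraffic all
    next
end
config dnsfilter profile
    edit "home-dns"
        config ftgd-dns
            config filters
                edit 1
                    # custom category from the URLHaus domain feed, no FortiGuard licence needed
                    set category 220
                    set action block
                next
                edit 2
                    # custom category from the RPiList phishing feed
                    set category 216
                    set action block
                next
            end
        end
    next
end
config firewall policy
    edit 11
        set name "Allow-LAN-Out"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set action accept
        set nat enable
        set utm-status enable
        set dnsfilter-profile "home-dns"
    next
end
```

Policy 10 must be ordered above policy 11 so the deny is evaluated first; with `logtraffic all` on the deny policy, feed hits show up in the forward traffic log, which is the easiest way to confirm a feed is actually being applied.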


If you have any other feeds that are worthwhile using, please leave a comment below!



