FortiGate Fortinet EDL
Written by Hassan Shozeb
Updated over a week ago

About FortiGate EDL

Fortinet is an American multinational corporation headquartered in Sunnyvale, California. The company develops and sells cybersecurity solutions, such as physical firewalls, antivirus software, intrusion prevention systems, and endpoint security components.

The External Block List (Threat Feed) can be used for web filtering and DNS filtering. You can also use the External Block List (Threat Feed) in firewall policies.

Supported Action

| S.no | Action         | Description                     |
|------|----------------|---------------------------------|
| 1    | Block IP       | Block IP on FortiGate           |
| 2    | Unblock IP     | Unblock IP on FortiGate         |
| 3    | Block Domain   | Block domain on FortiGate       |
| 4    | Unblock Domain | Unblock the domain on FortiGate |
| 5    | Block URL      | Block URL on FortiGate          |
| 6    | Unblock URL    | Unblock URL on FortiGate        |
| 7    | Block Hash     | Block Hash on FortiGate         |
| 8    | Unblock Hash   | Unblock Hash on FortiGate       |

Enable FortiGate EDL App in SIRP

  1. First, log in to SIRP, then go to Apps from the left navigation bar.

  2. Locate the app named FortiGate EDL.

  3. Enable the FortiGate EDL app by clicking the toggle button under Status.

  4. Once enabled, click on the configuration button to add the following configuration:

    1. Configuration Name <string with no spaces>

    2. EDL-Name <string with no spaces>

  5. Execute the following supported actions one by one on any particular container (incident or alert) or from Automation Playground:

    Block IP

    Block URL

    Block Domain

    Block Hash

  6. As each action gets executed, you will get unique URLs of the EDL files. For example:

Use these URLs to configure the EDL in FortiGate by following these steps:

  • Log in to the FortiGate web console

  • Navigate to Security Fabric > External Connectors

  • To create a new external connector, click Create new

  • In Threat Feeds, click IP address:

    • Set the name of the connector

    • Set Status to Enabled

    • Set Update method to External feed

    • Paste the URL of the IP-EDL into the "URI of an external resource" field and click OK.

  • Create a new connector in the same way for the Domain EDL.

  • To create a new external connector, click Create new

  • In Threat Feeds, click Domain name:

    • Set the name of the connector

    • Set Status to Enabled

    • Set Update method to External feed

    • Paste the URL of the Domain-EDL into the "URI of an external resource" field and click OK.

  • Create a new connector in the same way for the Hash EDL.

  • To create a new external connector, click Create new

  • In Threat Feeds, click Malware Hash:

    • Set the name of the connector

    • Set Status to Enabled

    • Set Update method to External feed

    • Paste the URL of the Hash-EDL into the "URI of an external resource" field and click OK.

  • Create a new connector in the same way for the URL EDL.

  • To create a new external connector, click Create new

  • In Threat Feeds, click FortiGuard Category:

    • Set the name of the connector

    • Set Status to Enabled

    • Set Update method to External feed

    • Paste the URL of the URL-EDL into the "URI of an external resource" field and click OK.

After the last step, you should be able to execute the FortiGate actions on demand or through Playbooks to block and unblock IPs, domains, hashes, and URLs.
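Each connector type above expects one kind of indicator, so it is worth confirming what an EDL file contains before pasting its URL into a connector. The following check is an added example, not part of SIRP or FortiGate: it classifies every entry of a feed and reports the lines that do not fit the chosen connector type. It assumes the EDL files are plain text with one indicator per line; the function names and the sample feed are constructed for illustration.

```python
import ipaddress
import re

# Assumption: an EDL file is plain text, one indicator per line;
# blank lines and lines starting with '#' are skipped.
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)
# Connector types as named in the steps above, mapped to the indicator kind expected.
EXPECTED = {"IP address": "ip", "Domain name": "domain",
            "Malware Hash": "hash", "FortiGuard Category": "url"}

def classify(entry):
    """Return 'ip', 'hash', 'domain', 'url' or 'unknown' for one feed entry."""
    try:
        ipaddress.ip_network(entry, strict=False)  # single address or CIDR range
        return "ip"
    except ValueError:
        pass
    if HASH_RE.match(entry):       # MD5, SHA-1 or SHA-256 length in hex
        return "hash"
    if DOMAIN_RE.match(entry):
        return "domain"
    if "/" in entry:               # scheme or path present
        return "url"
    return "unknown"

def check_feed(connector_type, text):
    """Return (line_number, entry, kind) for entries that do not fit the connector."""
    want = EXPECTED[connector_type]
    bad = []
    for n, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        kind = classify(entry)
        # A bare domain is treated here as acceptable in a URL list.
        if kind != want and not (want == "url" and kind == "domain"):
            bad.append((n, entry, kind))
    return bad

# Constructed sample feed (not real indicators).
SAMPLE_DOMAIN_EDL = "# constructed sample feed\nmalicious.example\nbad-cdn.example.net\n"

if __name__ == "__main__":
    for ctype in ("Domain name", "Malware Hash"):
        print(ctype, "->", check_feed(ctype, SAMPLE_DOMAIN_EDL))
```

An empty result means every entry fits the connector; any returned tuple points at the line to review before the feed URL is saved.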
