
FortiGate Threat Feeds Hosted in a Private GitHub Repo

GitHub Feeds

Hosting Fortigate Threat Feed Data in a Private GitHub Repo

FortiGate firewalls allow for the configuration of external threat feeds. These are very useful in some instances. I created a YouTube video on this topic a while back. If you are not yet familiar with this functionality you can visit the video here:

Configure and use 3rd Party threat feeds on a FortiGate Firewall

In the video mentioned above I referenced a use case where one may choose to build custom threat feeds for their organization, for example for use during incident response.

During an incident response you may come across various indicators of compromise or indicators of attack. These can be IP addresses, malware hashes, domain names attributed to data exfiltration or command & control activity, or malicious URLs. The FortiGate NGFW platform can ingest threat feed data for each of these types. Typically the FortiGate downloads the feed from a web service as a text file (HTTP, HTTPS and STIX are supported). Feed data may also be pushed to the FortiGate through its REST API (a topic for a future post).

External feed downloads support only Basic Authentication.

Fortinet documentation outlines the remaining configuration options and the feed data format, as well as the applicable size limits:

Hosting Custom Feeds

Although it would be very easy to compile custom feed data into text files and host them on an internal web server, this is not always the best solution. During a cybersecurity incident those internal resources may themselves be unavailable or untrusted. An external source for hosting your feed data may work better.

Benefits of Hosting on GitHub

Hosting feed data on GitHub comes with a number of benefits:

  • A robust infrastructure that is highly available
  • Git repositories allow custom automation of updates and synchronization to the GitHub repository
  • File versioning and change history, coupled with commit messages that record why entries were added
  • Private repositories prevent external entities from reading your feeds and gaining insight into any compromise you are dealing with, or have dealt with in the past
  • Fine-grained Personal Access Tokens allow for secure authentication and authorization scoped to specific private repositories

Secure Access to your GitHub repository

GitHub does not support Basic HTTP Authentication for access to a private repository. For programmatic access the preferred method is a Personal Access Token (PAT). A classic PAT applies its scopes to every repository your account can reach, so in most cases I would recommend a fine-grained Personal Access Token instead. These grant access to individual repositories only, and they carry an expiration date, so plan to rotate the token before the feed silently stops updating.

To create a new fine-grained Personal Access Token, login to your GitHub Account, and then:

  1. Click your profile picture from the upper right corner
  2. Click Settings
  3. Scroll to the bottom of the navigation pane on the left and click Developer settings
  4. Click Personal Access Tokens from the navigation pane
  5. Select Fine-Grained Tokens
  6. Click Generate New Token

Copy the generated token and store it in a safe place. It will be used in an upcoming section to authenticate the FortiGate.

Note:

Ensure that the fine-grained PAT has Read access to Contents and Metadata for the repository that will host your threat feed data, and nothing more.

Configure FortiGate to Authenticate using the Fine-Grained Personal Access Token (PAT)

As mentioned above, the FortiGate only supports Basic Authentication when connecting to an external threat feed. The trick is to make the FortiGate send an "Authorization" header carrying the PAT, which can be done via the FortiOS CLI by embedding the header in the user-agent string. Be aware that, unlike the password field, the user-agent field is stored as an ordinary string, so the token appears in clear text in the configuration and in configuration backups; protect those accordingly.

Configure an External Threat Feed from the CLI

config system external-resource
    edit <name>
        set status {enable | disable}
        set type {category | address | domain | malware}
        set category <integer, 192-221>
        set update-method {feed | push}
        set username <string>
        set password <string>
        set comments <string>
        *set resource <resource-uri>
        set user-agent <string>
        set server-identity-check {none | basic | full}
        set refresh-rate <integer>
        set source-ip <ip address>
        set interface-select-method {auto | sdwan | specify}
    next
end

The resource should be set to the raw file URL. For a file in a GitHub repository the link has the following format: https://raw.githubusercontent.com/<YOUR_USERNAME>/<REPO_NAME>/<BRANCH_NAME>/FILE_NAME.txt

Set the resource to the URL of the raw data file in your private GitHub repository. The "Authorization" header is then appended to the user-agent string, separated from it by \r\n, so that it is emitted as a separate header line in the request. Keep the real user-agent value in front; the documentation states that the default user-agent string is curl/7.58.0.

If the generated PAT were github_pat_11N0TR3A1h576ekyM_xQqR6XlNOASDFsdasdgjn3w3B0Gu5K3y5wYLblX8b7R25DPVL9ZsH51AK you would set the user-agent to:

set user-agent "curl/7.58.0\r\nAuthorization: token github_pat_11N0TR3A1h576ekyM_xQqR6XlNOASDFsdasdgjn3w3B0Gu5K3y5wYLblX8b7R25DPVL9ZsH51AK"
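To see why this works, here is an added example (not part of the original post and not Fortinet code) that builds the user-agent value, serialises the GET request the way an HTTP client does when it copies the value verbatim into the User-Agent header, and then parses the request the way the server does. The token is a constructed placeholder, and the request rendering is a simplified model of what the FortiGate sends.

```python
# Added example: the CRLF embedded in the user-agent string becomes a
# second header line on the wire, which is how the Authorization header
# reaches raw.githubusercontent.com although the FortiGate only supports
# Basic Authentication natively.
from urllib.parse import urlparse

DEFAULT_UA = "curl/7.58.0"          # default user-agent named in the post
# Constructed, non-working placeholder token for this example.
SAMPLE_PAT = "github_pat_EXAMPLE_0000000000000000000000"


def build_user_agent(pat: str, base_ua: str = DEFAULT_UA) -> str:
    """Value for `set user-agent`: real UA, CRLF, then the Authorization header.

    A token containing CR/LF would inject further header lines, so reject it.
    """
    if "\r" in pat or "\n" in pat:
        raise ValueError("token must not contain CR or LF")
    return f"{base_ua}\r\nAuthorization: token {pat}"


def render_request(url: str, user_agent: str) -> bytes:
    """Minimal GET request as a client serialises it, UA copied verbatim."""
    u = urlparse(url)
    lines = [
        f"GET {u.path or '/'} HTTP/1.1",
        f"Host: {u.netloc}",
        f"User-Agent: {user_agent}",   # the embedded CRLF lands here
        "Accept: */*",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def parse_headers(raw: bytes) -> dict:
    """Parse like a server: split on CRLF, so the injected line is its own header."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode()
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return {"request_line": request_line, "headers": headers}


if __name__ == "__main__":
    ua = build_user_agent(SAMPLE_PAT)
    raw = render_request(
        "https://raw.githubusercontent.com/GitHubAcct/ThreatFeeds/main/Domains.txt", ua)
    print(raw.decode())
    print("server sees Authorization =", parse_headers(raw)["headers"]["Authorization"])
```

Running it prints a request with separate `User-Agent: curl/7.58.0` and `Authorization: token ...` lines, which is exactly what GitHub needs for a private raw file.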

Sample Configuration

config system external-resource
    edit "Malicious_Domains"
        set type domain
        set resource "https://raw.githubusercontent.com/GitHubAcct/ThreatFeeds/main/Domains.txt"
        set user-agent "curl/7.58.0\r\nAuthorization: token github_pat_11N0TR3A1h576ekyM_xQqR6XlNOASDFsdasdgjn3w3B0Gu5K3y5wYLblX8b7R25DPVL9ZsH51AK"
    next
end

Closing

The FortiGate will download the feed on a schedule set by refresh-rate (default 5 minutes). Each feed type becomes a different FortiOS object, which you then reference from a firewall policy or security profile:

Feed Type   FortiGate Object                        Accessed Via
Category    Web Filter Category (Remote Category)   Web Filter Profile
Address     Address Group Object                    Firewall Policy
Domain      DNS Category (Remote Category)          DNS Filter Profile
Malware     External Malware Block List             AntiVirus Profile (enable it there)

Configure security profiles or firewall policies to block the objects ingested from the threat feeds. Place the global block policies at the top of the firewall policy list so that every address in the feeds is blocked before any other policy can allow the traffic.

I hope to put together a quick tutorial video and add it to my YouTube channel soon. Once this is done I will add a link here as well.

This post is licensed under CC BY 4.0 by the author.