This article shows how to use Lumu threat feeds as external block lists in FortiGate by Fortinet, so that the adversaries Lumu finds in your infrastructure are blocked automatically.
1. Log in to your Lumu account through the Lumu Portal, navigate to the Integrations screen and select the Response tab.
2. Locate the FortiGate integration in the available apps area and then click Add.
3. Familiarize yourself with the integration details available in the app description and click Activate.
4. To generate the integration URLs, select the Threat feeds integration mode, add a description, and select the threat types you want to include in the list. You can also generate a list of compromised IP addresses and a list of hashes.
5. Once you create the integration, you will be given the integration URLs to block domains, URLs, IP addresses, and hashes. You will use these URLs to configure threat feeds in FortiGate.
Deleting an integration removes its URLs, and this action cannot be undone. To reintegrate, you will have to configure the integration again and update your FortiGate configuration with the new URLs.
To set up your instance of FortiGate you will need to
Now that you have the integration URLs, you need to configure your instance of FortiGate. After activating the module, enable the use of External Connectors. Go to Security Fabric > New External Connector and locate the Threat Feeds section.
You can add a new FortiGuard Category, Domain Name, IP Address, or Malware Hash threat feed, using the integration URLs you received when you configured the integration.
1. Under External Connectors > Threat Feeds, select FortiGuard Category.
2. In the Connector Settings section, add the Domains & URLs provided by Lumu in the URL of external resource field.
3. Disable HTTP basic authentication.
4. Configure the refresh interval of the connector. This interval must be entered as a value in minutes. Lumu advises setting it to 360 minutes (6 hours).
1. Under External Connectors > Threat Feeds, select Domain Name.
2. In the Connector Settings section, add the Domains & URLs provided by Lumu in the URL of external resource field.
3. Disable HTTP basic authentication.
4. Configure the refresh interval of the connector. This interval must be entered as a value in minutes. Lumu advises setting it to 360 minutes (6 hours).
1. Under External Connectors > Threat Feeds, select IP Address.
2. In the Connector Settings section, add the Compromised IPs URL provided by Lumu in the URL of external resource field.
3. Disable HTTP basic authentication.
4. Configure the refresh interval of the connector. This interval must be entered as a value in minutes. Lumu advises setting it to 360 minutes (6 hours).
1. Under External Connectors > Threat Feeds, select Malware Hash.
2. In the Connector Settings section, add one of the Hash URLs provided by Lumu in the URL of external resource field.
3. Disable HTTP basic authentication.
4. Configure the refresh interval of the connector. This interval must be entered as a value in minutes. Lumu advises setting it to 360 minutes (6 hours).
You can create a Malware Hash External Connector for each hash type.
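The same four connectors can be created from the FortiOS CLI instead of the GUI. The following is an added example written for this article, not configuration taken from Lumu or Fortinet documentation. The connector names, the remote category numbers (192 and 193, taken from the 192-221 range FortiOS reserves for remote categories) and the feed URLs are assumptions and placeholders; paste the real URLs from the Lumu integration screen. Leaving `username` and `password` unset is what "Disable HTTP basic authentication" means on the CLI. Check option names against the CLI reference for your FortiOS version.

```fortios
# Added example: CLI equivalent of the four External Connector threat feeds above.
# Names, category numbers and URLs are assumptions / placeholders.
config system external-resource
    # Domains & URLs feed, exposed as a FortiGuard (remote) web filter category
    edit "Lumu-Domains-URLs"
        set type category
        set category 192
        set resource "https://LUMU_DOMAINS_URLS_FEED_URL_PLACEHOLDER"
        set refresh-rate 360
        set status enable
        set comments "Lumu threat feed - domains and URLs, refreshed every 6 hours"
    next
    # Same feed as a Domain Name list for DNS filtering (separate remote category)
    edit "Lumu-Domains-DNS"
        set type domain
        set category 193
        set resource "https://LUMU_DOMAINS_URLS_FEED_URL_PLACEHOLDER"
        set refresh-rate 360
        set status enable
    next
    # Compromised IPs feed; an address-type feed can be used as a firewall address
    edit "Lumu-Compromised-IPs"
        set type address
        set resource "https://LUMU_COMPROMISED_IPS_FEED_URL_PLACEHOLDER"
        set refresh-rate 360
        set status enable
    next
    # Malware hash feed; create one entry per hash type Lumu provides
    edit "Lumu-Hashes-SHA256"
        set type malware
        set resource "https://LUMU_SHA256_HASH_FEED_URL_PLACEHOLDER"
        set refresh-rate 360
        set status enable
    next
end
```

After the first refresh, confirm in Security Fabric > External Connectors that each connector shows a healthy status and a non-zero entry count before relying on it in policy; a feed that fails to download silently blocks nothing.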
To enforce blocking, reference the newly created Lumu external feeds in firewall policies or security profiles.
Add the URLs and domains to be blocked by creating a new Web Filter profile and Firewall Policy, or by editing existing ones.
Create a new Firewall Policy or edit an existing one to block IP addresses from the Lumu IP threat feed.
Create a new AntiVirus Profile or edit an existing one to use the Lumu External Malware Block lists.
Create a New DNS Filter Profile or edit an existing one to use the Lumu External Domain list.
Bear in mind that the configuration of the policy and security profiles is highly dependent on your environment’s characteristics and licensing. The configuration must be done according to your business needs.
For more information on how to carry out this procedure, please refer to FortiGate’s official documentation.