FortiGate Firewall Integration

Step-by-step guide to configuring the ThreatHive blocklist

Integration Steps
  1. Create an External Blocklist Connector (ThreatHive):
    1. Log in to the FortiGate GUI.
    2. Navigate to Security Fabric > External Connectors.
    3. Click Create New.
    4. Under Threat Feeds, select IP Address.
    5. Configure the connector:
      • Name: ThreatHive_Blocklist
      • URI of external resource: https://threathive.net/hiveblocklist.txt
      • Authentication: None
      • Refresh Rate / Update Interval: 15 minutes
      • Comments (optional): Malicious IP feed from ThreatHive.net
    6. Click OK to save.
    7. Click VIEW ENTRIES to verify the imported IP addresses.
  2. Apply the External Blocklist in a Firewall Policy:
    1. Navigate to Policy & Objects > IPv4 Policy.
    2. Click Create New.
    3. Configure the policy:
      • Name: Block_ThreatHive_IPs
      • Incoming Interface: Select your internal/LAN interface
      • Outgoing Interface: Select your WAN or upstream interface
      • Source: all (or specify your own objects)
      • Destination: Select ThreatHive_Blocklist
      • Action: deny
      • Log Traffic: Enable logging
      • Adjust additional settings as needed
    4. Click OK to save the policy.
  3. Best Practices:
    • Test the feed in a controlled environment before relying on it in production.
    • Monitor feed updates and adjust the refresh interval if necessary.
    • Combine with additional feeds for improved coverage.
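
One way to carry out the "test the feed" practice above is to audit a downloaded copy of the list before the deny policy depends on it. This is an added example, not ThreatHive or Fortinet code. It assumes the feed is plain text with one IP address or CIDR per line and `#` comments; the protected ranges, the /16 threshold, and the sample entries are constructed for illustration.

```python
import ipaddress

# Assumption: address space that must stay reachable. RFC 1918 ranges plus
# 198.51.100.0/24 as a stand-in for your own public range.
PROTECTED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "198.51.100.0/24")]
MIN_PREFIX_V4 = 16  # assumption: an IPv4 entry wider than /16 is treated as suspect

# Constructed sample feed body, not real ThreatHive data.
SAMPLE_FEED = """\
# constructed sample
203.0.113.7
203.0.113.64/26   # inline comment
192.168.1.10
0.0.0.0/0
198.51.100.25
not-an-ip
127.0.0.1
2001:db8::1
"""

def audit_feed(text):
    """Split a feed body into (accepted networks, [(line, entry, reason)])."""
    accepted, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append((lineno, entry, "unparseable"))
            continue
        if net.version == 4 and net.prefixlen < MIN_PREFIX_V4:
            reason = "too-broad"
        elif any(net.version == p.version and net.overlaps(p) for p in PROTECTED):
            reason = "overlaps-protected"
        elif net.is_loopback or net.is_multicast or net.is_unspecified:
            reason = "non-routable"
        else:
            accepted.append(net)
            continue
        findings.append((lineno, entry, reason))
    return accepted, findings

if __name__ == "__main__":
    ok, bad = audit_feed(SAMPLE_FEED)
    print(f"{len(ok)} usable entries, {len(bad)} findings: {bad}")
```

Any finding is a reason to inspect the feed before the Block_ThreatHive_IPs policy denies traffic to those destinations.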