Use SpamHaus threat feeds with Fortigate

29th June 2021

SpamHaus is a well-known service that keeps a curated, downloadable list of Internet offenders.

The lists are linked from https://www.spamhaus.org/drop/

You can see the DROP list and EDROP list in the left column of that page. For reference, these are:
https://www.spamhaus.org/drop/drop.txt
https://www.spamhaus.org/drop/edrop.txt

Log on to your Fortigate firewall, navigate to Security Fabric, External Connectors and click Create New.

Scroll to the bottom and, under Threat Feeds, choose FortiGuard Category.

Enter a Name, paste the link copied from above (no auth is required) and set a reasonable refresh rate.

Now in Security Profiles, Web Filter you can see the lists that were added under the Remote Categories heading. They default to Disabled and need to be set to Block or Warning to be effective.

If the Fortinet filters have expired there is another way to do this. Turn off the FortiGuard Category based filters and enable an External IP Block list. I had to create the block list again as it wouldn’t let me re-use an existing one.
https://www.spamhaus.org/drop/drop.txt
WARNING: Spamhaus is in the process of replacing this .TXT list with a .json list, which is not supported by Fortinet firewalls v7.2.x; it may be supported on later versions.
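
For the format change noted in the warning above, one option is to convert the feed to a plain one-network-per-line list yourself and host the result where the firewall can fetch it. This is an added example, not code from the original post, Spamhaus or Fortinet; the JSON layout (one object per line with a `cidr` field), the constructed sample data and the `MIN_PREFIX` floor are assumptions.

```python
import ipaddress
import json

MIN_PREFIX = 8  # hypothetical safety floor: refuse anything broader than a /8

# Constructed samples (documentation prefixes, not real DROP entries).
SAMPLE_TXT = """\
; constructed sample in the drop.txt layout
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
not-a-network ; SBL000003
"""
SAMPLE_JSON = """\
{"cidr": "192.0.2.0/24", "sblid": "SBL000001"}
{"cidr": "203.0.113.0/24", "sblid": "SBL000004"}
{"type": "metadata", "records": 2}
"""


def extract_cidrs(feed_text):
    """Return validated, de-duplicated networks from either feed layout."""
    seen, result = set(), []
    for raw in feed_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or drop.txt comment
        if line.startswith("{"):
            # Assumed JSON layout: one object per line, network under "cidr".
            try:
                candidate = json.loads(line).get("cidr")
            except json.JSONDecodeError:
                continue
        else:
            candidate = line.split(";", 1)[0].strip()  # drop trailing "; SBLnnn"
        if not isinstance(candidate, str):
            continue  # metadata record or malformed value
        try:
            net = ipaddress.ip_network(candidate, strict=True)
        except ValueError:
            continue  # not a network, or host bits set
        if net.prefixlen < MIN_PREFIX or str(net) in seen:
            continue  # too broad to trust, or already listed
        seen.add(str(net))
        result.append(str(net))
    return result


def to_plain_feed(feed_text):
    """Render one network per line as plain text for the firewall to import."""
    return "".join(cidr + "\n" for cidr in extract_cidrs(feed_text))
```

Rejecting very short prefixes means a corrupted or tampered entry such as 0.0.0.0/0 never reaches the block list.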