FortiGate Threat Feeds – Difference Between FortiGuard Category and IP Address

The FortiGate Security Fabric is the most promising feature in the latest FortiOS version. It performs dynamic security updates and automates several repetitive tasks for firewall administrators, eliminating the need for manual intervention in several areas.

In this article, we cover two Fabric Connector features: FortiGuard Category and IP Address. Both read a text file of IP addresses and serve the same purpose, but they act differently when FortiGate inspects packets.

 


 

Difference Between FortiGuard Category and IP Address of FortiGate Security Fabric.

| FortiGuard Category | IP Address |
| --- | --- |
| Reads a text file containing IP addresses at specific intervals and updates its entries. | Reads a text file containing IP addresses at specific intervals and updates its entries. |
| The newly created FortiGuard Category appears in "Web Filter" profiles under Remote Category. The action can be defined as Allow, Block, Monitor, Warning, Authenticate or a customized one. This Web Filter profile has to be assigned to an IPv4 security policy to take effect. | The newly created IP Address feed needs to be added in "DNS Filter" under External IP Block Lists. By default, the action is set to Block. This DNS Filter profile has to be assigned to an IPv4 security policy to take effect. |
| When traffic with a destination IP address matches a list entry, FortiGate takes the action that is defined. | Whenever the firewall resolves a DNS request (www.ransome.com), the resolved IP address (2.2.2.1) is matched against the list. If there is a match, the firewall blocks the request. If the client hits the IP address directly in the browser (http://2.2.2.1) instead of using the DNS name, the security rule is not applied even if the IP address matches a list entry, and the client request is allowed rather than blocked. Hence the firewall rule of this Security Fabric feature is applied only when the client makes DNS queries. |
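The DNS-only behaviour of the IP Address feed can be checked against traffic records. The following is an added example, not part of the original article and not Fortinet code: it models the DNS Filter behaviour described above and lists connections to feed-listed IPs that were made without a DNS query. The feed line format (one IP or CIDR per line, `#` comments), the event tuples and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed feed text (assumed format: one IP or CIDR per line).
FEED_TEXT = """# constructed sample threat feed
2.2.2.1
198.51.100.0/24
not-an-ip
"""

# Constructed events: (client, kind, dns_name, ip). "dns" is a resolved query,
# "conn" is a connection straight to an IP. This is not a FortiGate log format.
EVENTS = [
    ("10.0.0.5", "dns", "www.ransome.com", "2.2.2.1"),
    ("10.0.0.7", "conn", None, "2.2.2.1"),
    ("10.0.0.8", "dns", "example.org", "203.0.113.9"),
    ("10.0.0.9", "conn", None, "198.51.100.20"),
    ("10.0.0.9", "conn", None, "203.0.113.9"),
]

def parse_feed(text):
    """Return the networks in a feed, skipping blanks, comments and bad lines."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        try:
            if entry:
                nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # a malformed entry must not break the whole feed
    return nets

def listed(ip, nets):
    """True if the address falls inside any feed entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def dns_filter_verdict(event, nets):
    """Model the IP Address feed in a DNS Filter, as the article describes it."""
    _client, kind, _name, ip = event
    if kind == "dns":
        return "block" if listed(ip, nets) else "allow"
    return "not-inspected"  # no DNS query, so the block list is never consulted

def direct_hits(events, nets):
    """Connections to listed IPs that the DNS Filter never saw."""
    return [(e[0], e[3]) for e in events if e[1] == "conn" and listed(e[3], nets)]

if __name__ == "__main__":
    print("direct-IP hits to review:", direct_hits(EVENTS, parse_feed(FEED_TEXT)))
```

Any client reported by `direct_hits` reached a listed address without the DNS Filter being involved, which is the case the FortiGuard Category feed in a Web Filter profile is described as covering.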