// guides/fortigate-firewall

FortiGate ASN Threat Feeds

self-updating external-resource feeds · block or allow by autonomous system · interactive fortios config builder

// Why External Resources

FortiOS has a feature called a system external-resource — surfaced in the GUI as a Threat Feed under External Connectors. It fetches a remote list on a schedule and exposes it as a dynamic firewall address object you can drop into any policy. Point one at a plain-text CIDR list from asn.ipinfo.app and you get block / allow rules that stay current with an ASN's announced prefixes — no scripts on the FortiGate, no manual copy-paste, no stale lists.

The list re-fetches on the refresh interval you set, so when a provider adds or drops prefixes the change propagates into your policy automatically. It's the same idea as a pfSense URL Table alias, expressed in FortiOS terms.

Block: deny inbound traffic from datacenter, VPN, or abuse-heavy ASNs at the edge.
Allow: restrict a management or VIP service to a known cloud or office ASN.
Auto-refresh: the feed re-fetches on a timer, so provider prefix changes land without intervention.
// Endpoint

A FortiGate IP-address threat feed expects one CIDR per line in plain text, which is exactly what the list endpoint returns. Substitute the AS number for {asn} in the URL below. The endpoint accepts the number with or without the AS prefix (AS14061 and 14061 both resolve to the same list):

https://asn.ipinfo.app/api/download/list/AS{asn}

The /api/download/ tree sets a Content-Disposition header so a browser saves it as a file. FortiGate fetches the URL server-side and ignores that header, so the /api/text/list/AS{asn} endpoint returns the identical body and works just as well — use whichever you prefer. The config builder below uses /api/download/.

Find the right ASN: use the main lookup to search by organization name (e.g. "DigitalOcean", "Cloudflare", "OVH") and grab the AS number from the result.
// Config Builder

Enter an AS number and copy the generated FortiOS block straight into your CLI. The object name is filled in automatically from the ASN's registered organization — edit it to taste.

FortiOS CLI
Refresh rate is in minutes. 5760 = 4 days, a sensible cadence for ASN data (prefix announcements change on the order of days). The FortiOS valid range is 1-43200 minutes (one minute to 30 days); the default of 5 minutes is far tighter than this data needs.[docs]
Naming: the object name is wrapped in double quotes, so the builder swaps any quotes you type for apostrophes to keep the syntax valid. Keep names short and descriptive — the AS number is the part that identifies the feed.
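A minimal version of that builder in code, added here as an illustration (it is not the site's own builder and does not call it). It normalizes the AS number the way the endpoint accepts it (with or without the AS prefix), swaps double quotes in the organization name for apostrophes so the quoted object name stays valid, enforces the 1-43200 minute refresh-rate range, and renders both the external-resource block and a matching inbound deny policy. The object-name and policy-name patterns are choices made for this example, not a FortiOS requirement.

```python
import re

# FortiOS bounds for `set refresh-rate` on a system external-resource,
# in minutes (1 to 43200; 43200 minutes is 30 days).
REFRESH_MIN = 1
REFRESH_MAX = 43200

FEED_BASE = "https://asn.ipinfo.app/api/download/list/"


def normalize_asn(value):
    """Accept 14061, '14061', 'AS14061', 'as14061' or ' AS 14061 ' and return the integer ASN."""
    text = str(value).strip().upper()
    match = re.fullmatch(r"(?:AS)?\s*(\d{1,10})", text)
    if match is None:
        raise ValueError(f"not an AS number: {value!r}")
    asn = int(match.group(1))
    # 32-bit ASN space; AS0 is reserved and never belongs in a feed URL.
    if not 1 <= asn <= 4294967295:
        raise ValueError(f"ASN out of range: {asn}")
    return asn


def sanitize_name(org_name, asn):
    """FortiOS object names are double-quoted in the CLI, so a stray double quote
    breaks the syntax: swap it for an apostrophe (as the page's builder does),
    collapse runs of whitespace, and fall back to the bare ASN if nothing is left.
    The '<org> - AS<n>' pattern is this example's convention."""
    cleaned = " ".join(org_name.replace('"', "'").split())
    return f"{cleaned} - AS{asn}" if cleaned else f"AS{asn}"


def feed_url(asn):
    return f"{FEED_BASE}AS{asn}"


def build_external_resource(asn_input, org_name, refresh_rate=5760):
    """Render the `config system external-resource` block for one ASN feed."""
    asn = normalize_asn(asn_input)
    if not REFRESH_MIN <= refresh_rate <= REFRESH_MAX:
        raise ValueError(
            f"refresh-rate {refresh_rate} outside {REFRESH_MIN}-{REFRESH_MAX} minutes")
    name = sanitize_name(org_name, asn)
    return "\n".join([
        "config system external-resource",
        f'    edit "{name}"',
        "        set type address",
        f"        set resource {feed_url(asn)}",
        f"        set refresh-rate {refresh_rate}",
        "    next",
        "end",
    ])


def build_deny_policy(asn_input, org_name, wan_if="wan1"):
    """Render an inbound deny policy that uses the feed object as srcaddr.
    `edit 0` appends the policy at the bottom of the table, so move it above
    any broader accept rule after pasting."""
    asn = normalize_asn(asn_input)
    name = sanitize_name(org_name, asn)
    label = re.sub(r"[^A-Za-z0-9]+", "-", name).strip("-")
    return "\n".join([
        "config firewall policy",
        "    edit 0",
        f'        set name "Block-{label}-In"',
        f'        set srcintf "{wan_if}"',
        '        set dstintf "any"',
        f'        set srcaddr "{name}"',
        '        set dstaddr "all"',
        "        set action deny",
        '        set schedule "always"',
        '        set service "ALL"',
        "    next",
        "end",
    ])


if __name__ == "__main__":
    print(build_external_resource("AS14061", "DigitalOcean"))
    print(build_deny_policy("14061", "DigitalOcean"))
```

Run it with no arguments and it prints the DigitalOcean (AS14061) blocks shown in the CLI Setup section, ready to paste. Feeding it `refresh_rate=0` or an input like `ASAS14061` raises before any config is rendered, which is the point of doing the normalization on your side rather than discovering a rejected value at the FortiGate prompt.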
// CLI Setup

The block the builder produces, annotated. Paste it at the FortiGate CLI (or in a config script) — this example blocks DigitalOcean (AS14061):

config system external-resource
    edit "DigitalOcean - AS14061"     # object name — referenced in policies
        set type address                  # IP address feed (vs domain / category / malware)
        set resource https://asn.ipinfo.app/api/download/list/AS14061
        set refresh-rate 5760            # minutes — 5760 = every 4 days
    next
end

Once committed, the feed appears as a dynamic address object. Reference it in a firewall policy like any other address:

Block inbound traffic from the ASN
config firewall policy
    edit 0
        set name "Block-DigitalOcean-In"
        set srcintf "wan1"                 # your WAN/untrust interface
        set dstintf "any"
        set srcaddr "DigitalOcean - AS14061"  # the external resource
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
    next
end
Block on the WAN/ingress interface. Source-ASN blocks belong where the traffic enters. Putting the resource in srcaddr on an internal-to-WAN policy would match your outbound connections instead, which is rarely what you want. Order the deny policy above any broader accept policies, since FortiOS evaluates the policy table top-to-bottom and stops at the first match. Note that edit 0 appends the new policy at the bottom of the table, so after committing, move it above the accept rules: drag it in the GUI policy list, or at the CLI run move <new-id> before <accept-id> inside config firewall policy.
// GUI Setup

Prefer the web UI? Navigate to Security Fabric → External Connectors, click Create New, and pick Threat Feeds → IP Address.[docs] Configure it as follows:

Name: a descriptive identifier; this is the object you'll select in policies. Example: DigitalOcean - AS14061.
Status: Enabled.
URI of external resource: https://asn.ipinfo.app/api/download/list/AS14061
Refresh Rate: minutes between fetches. 5760 (4 days) is plenty for ASN data.

Save the connector. FortiGate fetches the list immediately; use the View Entries action on the connector card to confirm the CIDRs parsed.[docs] The feed is then available as an address object in the source/destination pickers of any firewall policy.

// Field Reference

type — address

set type address tells FortiOS to treat each line as an IP address, subnet, or range and build a dynamic firewall address from the set. The other feed types — category, domain, malware, and MAC address — cover web-filter categories, FQDN feeds, file-hash feeds, and MAC-address feeds; none is right for a CIDR list.[docs]

resource — the list URL

The full URL to the ASN's CIDR list. FortiGate fetches it over HTTPS on the refresh schedule. The endpoint is CDN-cached, so a tight refresh interval costs nothing upstream — but ASN data changes slowly, so there's little reason to poll more often than daily.

refresh-rate — minutes

Interval between fetches, in minutes (range 1-43200, default 5).[docs] 1440 is daily, 5760 is every four days. ASN prefix announcements typically shift on the order of days to weeks; anything from daily to weekly is fine.

// IPv4 + IPv6

The list endpoint returns mixed IPv4 and IPv6 prefixes in a single response. FortiOS IP-address feeds accept both families — Fortinet's documentation notes an entry "can be an IPv4 or IPv6 address" — so one connector covers your whole address space. Reference the resulting object in firewall policies as you would any other address.

// Use Case — Blocking an ASN

The most common reason to reach for an ASN feed: drop inbound traffic from a network you don't want talking to your edge. Build the external resource (use the builder above), then add one deny policy on the WAN-to-internal pair with the resource as the source. See the CLI Setup section for the full policy block.

Why this beats a static address group: a hand-maintained group of CIDRs goes stale the moment the provider announces a new range. An ASN-backed feed re-fetches on its timer, so coverage tracks the provider's actual footprint with zero maintenance.
// Use Case — Allow-listing

Inverse pattern: lock a service down so only a specific ASN can reach it — e.g. restrict a VIP / management port to a known SaaS or office ASN. Create an accept policy that uses the external resource as the source, then a broader deny policy beneath it for everything else.

Allow only the ASN, deny the rest (policy order matters)
config firewall policy
    edit 0
        set name "Allow-GitHub-Webhooks"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "GitHub - AS36459"     # external resource
        set dstaddr "webhook-vip"
        set action accept
        set service "HTTPS"
        set schedule "always"
    next
    edit 0
        set name "Deny-Other-To-Webhook"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "webhook-vip"
        set action deny
        set service "ALL"
        set schedule "always"
    next
end
The accept policy must sit above the catch-all deny, since FortiOS evaluates policies top-to-bottom and stops at the first match. Strictly, the explicit deny is optional: traffic that matches no policy is dropped by the implicit deny at the bottom of the table anyway. Keeping a named deny for the VIP gives you a rule that shows up in hit counters and logs, and it keeps protecting the VIP even if someone later adds a broad accept policy beneath it.
// Verify & Refresh

In the GUI, go to Security Fabric → External Connectors, select the connector, and click Edit — the Last Update field shows when the feed last refreshed. Click View Entries to see the CIDRs FortiGate parsed from the list. The feed re-fetches automatically on the refresh interval you set.

If the feed shows no entries: confirm the FortiGate can reach the upstream — it needs working DNS and an outbound route to asn.ipinfo.app over HTTPS. From the CLI, execute ping asn.ipinfo.app, and check that your egress policy permits the device's own traffic.
// Troubleshooting

The resource shows zero entries

Almost always connectivity. The FortiGate fetches the URL itself, so it needs DNS resolution and an outbound path to asn.ipinfo.app over 443. Devices whose own traffic is policy-routed through a downed VPN are the usual culprit. Verify with execute ping asn.ipinfo.app and a manual refresh.

Entry count keeps changing

Expected. ASN prefix announcements ebb and flow as networks grow, acquire ranges, or reorganize. Small day-to-day variation is normal; large swings (10% or more of the previous count) are worth a quick sanity check on the main lookup, and a sudden drop to zero or near-zero usually means the fetch returned something other than the list (see the previous item).
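For the two cases above (zero entries, and a count that moved a lot), it helps to look at the raw feed body yourself rather than only at what the FortiGate parsed. The checker below is an added example, not code from this site or from Fortinet: it splits a feed body the way an IP-address threat feed expects it (one prefix per line, IPv4 and IPv6 mixed, as in the IPv4 + IPv6 section), reports any line that is not a valid prefix, and diffs the result against a previous fetch to flag a swing of 10% or more. The feed body and the previous snapshot are constructed sample data; in practice you would save each fetched body and pass the last one as the snapshot.

```python
import ipaddress

# Constructed sample of a feed body: one prefix per line, IPv4 and IPv6 mixed,
# plus a blank line, a comment and one line of junk (what a captive portal or
# proxy error page would inject) so the validator has something to reject.
SAMPLE_FEED = """\
203.0.113.0/24
198.51.100.0/25
2001:db8:1::/48
2001:db8:2::/64

# comment line
not-a-prefix
"""

# Constructed "previous fetch" snapshot, used to measure how much the list moved.
PREVIOUS_SNAPSHOT = [
    "203.0.113.0/24",
    "198.51.100.0/25",
    "192.0.2.0/24",
    "2001:db8:1::/48",
    "2001:db8:2::/64",
]


def parse_feed(body):
    """Split a feed body into (accepted prefixes, rejected lines).

    Accepts CIDR prefixes and bare addresses of either family (a bare address
    becomes a /32 or /128). Blank lines and '#' comments are skipped. The list
    endpoint only emits CIDRs, so the a-b range syntax that FortiOS also
    accepts in a feed is not handled here.
    """
    prefixes, rejected = [], []
    for lineno, raw in enumerate(body.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            prefixes.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append((lineno, line))
    return prefixes, rejected


def summarize(prefixes):
    """Per-family counts, so an unexpectedly all-IPv4 or all-IPv6 result stands out."""
    v4 = [p for p in prefixes if p.version == 4]
    v6 = [p for p in prefixes if p.version == 6]
    return {
        "total": len(prefixes),
        "ipv4_prefixes": len(v4),
        "ipv6_prefixes": len(v6),
        "ipv4_addresses": sum(p.num_addresses for p in v4),
    }


def compare_snapshots(previous, current, threshold=0.10):
    """Diff two fetches and flag a swing of `threshold` or more of the old size,
    the page's 10% rule of thumb for when a change deserves a manual look."""
    old = {str(ipaddress.ip_network(p, strict=False)) for p in previous}
    new = {str(p) for p in current}
    added = sorted(new - old)
    removed = sorted(old - new)
    if old:
        swing = (len(added) + len(removed)) / len(old)
    else:
        swing = 1.0 if new else 0.0
    return {"added": added, "removed": removed, "swing": swing,
            "needs_review": swing >= threshold}


def check_feed(body, previous):
    """Everything a 'zero entries' or 'count keeps changing' investigation needs."""
    prefixes, rejected = parse_feed(body)
    report = summarize(prefixes)
    report["rejected"] = rejected
    report["empty"] = not prefixes
    report.update(compare_snapshots(previous, prefixes))
    return report


if __name__ == "__main__":
    for key, value in check_feed(SAMPLE_FEED, PREVIOUS_SNAPSHOT).items():
        print(f"{key}: {value}")
```

On the sample data the report shows four prefixes (two per family), one rejected line, one prefix removed since the snapshot and no additions, which is a 20% swing and therefore flagged for review. An empty body, the symptom of a failed fetch, comes back with `empty` set and a 100% swing, so the same check catches both troubleshooting cases.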

The policy isn't matching

Confirm the resource is on the correct side of the policy (srcaddr for inbound source blocks) and the right interface pair, and that the deny policy sits above any broader accept. The per-policy hit counters in the policy list show which rule traffic is actually landing on.

// What Else

The same list endpoint feeds anything that reads CIDRs from a URL on a schedule: pfSense / OPNsense URL Table aliases (see the pfSense guide), a Linux ipset rebuilt from the fetched list on a cron timer, MikroTik address-lists, and most enterprise firewalls with a "URL feed" feature.

For Linux-native usage (ipset, iptables, nginx, Apache, Cisco, Juniper), see the main guides page. Building something interesting? Drop us a note.

// Fortinet Documentation

The FortiOS specifics on this page — the external-resource CLI fields, the GUI workflow, and IPv4/IPv6 support — come from Fortinet's official documentation. FortiOS menus and command options shift between releases, so confirm against the version you run: