Feed a real-time IP blocklist directly into your FortiGate firewall via the External Connector threat feed. Block brute force bots before they touch your SSL-VPN portal.
Start Blocking Attacks -- $9.99/moFortiGate SSL-VPN portals are among the most targeted VPN endpoints on the internet. Automated bots test credentials around the clock, exploiting publicly exposed login pages.
Fortinet is the world's most deployed firewall. Attackers know that SSL-VPN portals respond on port 443 and can be fingerprinted easily. Large-scale credential-stuffing campaigns specifically target FortiGate login endpoints, and CVEs like the infamous pre-auth vulnerabilities make unpatched units especially attractive targets.
Instead of waiting for failed login events to trigger lockouts, ThreatListPro preemptively blocks IPs that have been observed attacking VPN portals globally. Your FortiGate downloads the blocklist as an External Connector feed and denies traffic at the firewall level -- no SSL handshake, no login page rendered, no resources consumed.
Configure ThreatListPro as an External Connector threat feed in FortiOS. Works with FortiOS 6.2 through 7.4.
Sign up at threatlistpro.com and copy your unique feed URL from the dashboard:https://feed.threatlistpro.com/v1/edl/YOUR_API_KEY
In FortiOS, navigate to Security Fabric > External Connectors. Click Create New and select Threat Feed > IP Address. Name it ThreatListPro, paste the feed URL, and set the refresh rate to 5 minutes.
Go to Policy & Objects > Firewall Policy. Create a new policy with source set to the ThreatListPro threat feed object, destination set to your SSL-VPN interface (typically wan1), and action set to Deny. Place this policy above your SSL-VPN access policy.
For traffic destined to the FortiGate itself (like the SSL-VPN portal), use a local-in policy via CLI:config firewall local-in-policy
This ensures the blocklist applies to management-plane traffic, not just transit traffic.
Navigate to Security Fabric > External Connectors, click on ThreatListPro, and verify the entry count. You should see tens of thousands of IPs loaded. Check Log & Report > Forward Traffic to confirm deny actions.
Compare automated VPN-focused blocking against other defense strategies for your FortiGate firewall.
| Feature | ThreatListPro | Manual Blocking | Enterprise Threat Feeds |
|---|---|---|---|
| VPN brute-force focused | ✓ | ✗ | ✗ |
| Real-time updates (60s) | ✓ | ✗ | ✓ |
| FortiOS threat feed compatible | ✓ | ✗ | ✓ |
| No scripting or automation needed | ✓ | ✗ | ✓ |
| Setup in under 5 minutes | ✓ | ✗ | ✗ |
| Price | $9.99/mo | Staff time | $500+/mo |
In FortiOS, go to Security Fabric > External Connectors and create a new Threat Feed of type IP Address. Paste your ThreatListPro feed URL and set the refresh rate to 5 minutes. Then reference this threat feed object in a firewall policy to deny traffic from listed IPs to your SSL-VPN portal.
Yes. ThreatListPro is fully compatible with FortiOS 7.0, 7.2, and 7.4. The threat feed connector feature has been available since FortiOS 6.2, so even older firmware versions are supported. The feed is served as a standard plaintext IP list.
Combine ThreatListPro's automated blocklist with FortiGate's built-in login attempt limits. Add the ThreatListPro threat feed as an external connector, then create a local-in policy that denies traffic from the feed to your SSL-VPN interface. This blocks known attackers at the network layer before they can attempt any logins.
Block credential-stuffing bots automatically. No scripts, no log parsing, no manual effort.
Get ThreatListPro -- $9.99/moThreatListPro provides a standard IP blocklist feed compatible with any firewall that supports external lists.
Learn more about IP blocklists, VPN security, and how ThreatListPro compares to alternatives.