asn-threat-feeds

ASN Threat Feeds

This repository publishes automatically updated, FortiGate-compatible IP address feeds derived from live BGP announcements for a defined set of Autonomous Systems (ASNs).

All feeds are plain-text CIDR lists intended for use with FortiGate External Dynamic Lists (Threat Feeds).

---

Scope

The feeds in this repository cover the following ASNs:

• AS19318 (Interserver)
• Additional ASNs as configured in the GitHub Actions workflow

The ASN list is controlled by the ASNS environment variable in the workflow.

---

Published Feeds

Feeds are hosted over HTTPS using GitHub Pages.

Base URL:

https://dfratiani.github.io/asn-threat-feeds/

Per-ASN Feeds

Each ASN produces three files:

IPv4 only: https://dfratiani.github.io/asn-threat-feeds/feeds/<asn>_ipv4.txt

IPv6 only: https://dfratiani.github.io/asn-threat-feeds/feeds/<asn>_ipv6.txt

IPv4 + IPv6 combined: https://dfratiani.github.io/asn-threat-feeds/feeds/<asn>_all.txt

Example: https://dfratiani.github.io/asn-threat-feeds/feeds/as19318_ipv4.txt

---

Combined Feeds (All ASNs)

The following feeds combine all configured ASNs into a single list:

IPv4 combined: https://dfratiani.github.io/asn-threat-feeds/feeds/combined_ipv4.txt

IPv6 combined: https://dfratiani.github.io/asn-threat-feeds/feeds/combined_ipv6.txt

IPv4 + IPv6 combined: https://dfratiani.github.io/asn-threat-feeds/feeds/combined_all.txt

Each file contains one CIDR per line with no headers or comments.

---

How Feeds Are Generated

• Prefixes are retrieved using public routing telemetry for announced BGP prefixes per ASN
• Feeds are generated by: scripts/build_multi_asn_feeds.py
• Updates are automated using: .github/workflows/update-feeds.yml
• The workflow:
  • Pulls current ASN prefixes
  • Normalizes and de-duplicates CIDRs
  • Writes updated feed files
  • Commits changes only if content differs
• GitHub Pages publishes the committed feed files

---

Configuration

Managed in the GitHub Actions workflow environment:

ASNS
Comma-separated list of ASNs to include.
Example:
AS19318,AS13335,AS15169

MIN_PEERS
Minimum number of BGP peers that must see a prefix before including it.
Default is 10.

START_DAYS / END_DAYS
Optional time window for BGP data.
If unset, the API default rolling window is used.

---

FortiGate Integration

Create a Threat Feed (IPv4 example)

config system external-resource
    edit "ASN_Combined_IPv4"
        set type address
        set resource "https://dfratiani.github.io/asn-threat-feeds/feeds/combined_ipv4.txt"
        set refresh-rate 1440
        set status enable
    next
end

Optional IPv6 Feed

config system external-resource
    edit "ASN_Combined_IPv6"
        set type address
        set resource "https://dfratiani.github.io/asn-threat-feeds/feeds/combined_ipv6.txt"
        set refresh-rate 1440
        set status enable
    next
end

Example Firewall Policy

config firewall policy
    edit 0
        set name "Deny_Target_ASNs"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "ASN_Combined_IPv4"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

---

Verification

On FortiGate:

diagnose sys external-resource list
diagnose sys external-resource status

Successful output should show:

• status: connected
• entries: greater than 0

---

Repository Layout

.
├── feeds/
│   ├── <asn>_ipv4.txt
│   ├── <asn>_ipv6.txt
│   ├── <asn>_all.txt
│   ├── combined_ipv4.txt
│   ├── combined_ipv6.txt
│   ├── combined_all.txt
│   └── exclusions.txt
├── scripts/
│   └── build_multi_asn_feeds.py
└── .github/
    └── workflows/
        └── update-feeds.yml

The feeds directory is intentionally committed and should not be ignored.

---

Exclusions (Optional)

To permanently exclude specific prefixes from all feeds, create feeds/exclusions.txt with one CIDR per line. Lines starting with # are treated as comments and inline comments are allowed as well.

• Exclusions are subtracted from every per‑ASN feed and from the combined feeds.
• Subtraction is performed at CIDR granularity; larger input blocks are cleanly split to omit any excluded sub‑ranges.

---

Troubleshooting

404 on feed URL:

• GitHub Pages may not be enabled
• Pages must publish from branch “main” and folder “/”

FortiGate shows disconnected:

• Verify DNS and HTTPS egress from FortiGate to github.io

Entries equal 0:

• Feed file may be empty or malformed
• Ensure one CIDR per line and no extra text

Workflow runs but no commits:

• Indicates no BGP changes since last run

---

Operational Notes

• All feed updates are version-controlled via Git
• No manual edits to feed files are required
• This design avoids FortiGate object limits
• Feeds automatically track ASN routing changes

---

Ownership

Owner: Dennis Fratiani Jr.

Change requests or additions should be made via pull request or workflow update.