Vesper Secure

Integrate Vesper Secure with Fortinet FortiGate

This guide walks you through importing Vesper certificates, creating an IP Address threat feed that pulls your Vesper allow-list, and applying it safely in a firewall policy.

What you’ll configure

  • Import Vesper CA certificates
  • Create an IP Address Threat Feed (external list)
  • Use the feed in a firewall policy (best-practice rollout)

What you’ll need

  • Your Organization UUID
  • Your Vesper list password (from the Policies tab)
  • Admin access to FortiGate (GUI or CLI)

Note on FortiOS versions

Menu labels vary slightly across FortiOS versions. If you don’t see External Connectors under Security Fabric, enable it under Feature Visibility; on some builds this is required before Threat Feeds can be created.

Recommended approach

Clone → test → cut over

Create a new policy rule that references the Vesper feed, validate it works, then remove/retire the old rule.

Step 1

Import Vesper CA certificates

Import the Vesper Root and Intermediate certificates into FortiGate so it can validate the Vesper list endpoint and establish a trusted HTTPS connection.

Download certificates

Download both certificates to your admin workstation before you begin.

Import into FortiGate

  1) In the FortiGate GUI, go to System → Certificates.
  2) Select Import (or Create/Import) → CA Certificate.
  3) Set Type to File, then upload the certificate file.
  4) Repeat for both the Root and Intermediate certificates.

Step 2

Create an IP Address Threat Feed (external list)

FortiGate can pull a dynamic IP list from an external resource and use it in policies. The most common workflow is creating an IP Address threat feed under Security Fabric → External Connectors and pointing it to the Vesper list URL.

GUI setup (recommended)

  1) Go to Security Fabric → External Connectors.
  2) Click Create New (or New).
  3) Under Threat Feeds, select IP Address.
  4) Set a clear Name (example: VesperSecure_AllowList).
  5) Set URL of external resource to:
     https://list.vespersecure.com/<ORGANIZATION_UUID>

     You can copy your Organization UUID and list link from the Vesper Secure Admin Console (Policies tab).

  6) Set Refresh interval to 5 minutes (strongly recommended).
  7) Configure authentication (if prompted):
     • Username: your Organization UUID
     • Password: your list password (can be regenerated in Vesper Admin Console → Policies)
  8) Click OK / Save.

CLI example (optional)

Some deployments prefer CLI or expose additional knobs there. Use this as a reference and align fields to your FortiOS build.

Example

config system external-resource
  edit "VesperSecure_AllowList"
    set type address
    set resource "https://list.vespersecure.com/<ORGANIZATION_UUID>"
    set refresh-rate 5
    set username "<ORGANIZATION_UUID>"
    set password "<VESPER_LIST_PASSWORD>"
  next
end

Tip: If your FortiOS uses slightly different field names, mirror your device’s CLI help output.

Step 3

Apply the feed in your firewall policy (best practice)

Use the Vesper threat feed as the Source in a new rule that gates access to your VPN-facing services. Roll out safely: clone first, test, then cut over.

Clone your existing VPN access rule

  1) Navigate to your firewall policies (commonly Policy & Objects → Firewall Policy).
  2) Identify the policy that currently allows access to your VPN portal/gateway or exposed service.
  3) Clone the rule and place the cloned rule above the original.
  4) Rename the cloned rule (example: VPN-Allow-Vesper).

Set Source to the Vesper feed + add safe static IPs

  1) Edit the cloned policy.
  2) In Source, replace broad sources (like all) with the Vesper threat feed object (or an address group that contains it).
  3) Strongly recommended: add a few static safe IPs as additional sources, such as:
     • Organization-owned public IP ranges
     • Known admin home IPs (if administrators work remotely)
  4) Save, then test thoroughly before disabling/removing the original rule.

Best-practice warning

Firewall policy changes can cause lockouts and outages. Always test the new rule (and your feed updates) before removing the original rule. Keep a rollback plan and out-of-band access available.

Troubleshooting checklist

If the feed won’t populate or policy doesn’t behave as expected, check the basics first.

Connectivity

  • FortiGate has DNS + outbound HTTPS to list.vespersecure.com
  • Correct egress interface / SD-WAN path (if applicable)

Auth / URL

  • URL contains the correct Organization UUID
  • Username = Organization UUID
  • Password matches the current list password

Certificates

  • Root + Intermediate CA certs imported
  • System time is correct (TLS validation depends on it)
  • If using strict server validation, ensure the cert chain is trusted
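A quick way to work through the Auth / URL, Connectivity and Certificates items above before touching the FortiGate is to fetch the list from your admin workstation with exactly the inputs from Step 2 (the list URL, Organization UUID as username, list password, and the Root + Intermediate certificates as the trust store) and confirm the body is something an IP Address threat feed can consume. The script below is an added example, not Vesper Secure's or Fortinet's code. It assumes the feed is plain text with one IP address or CIDR per line and that lines beginning with # are comments (if your build's external-resource parser differs, adjust parse_feed); the UUID, password and CA bundle path are placeholders you supply, and SAMPLE_FEED is a constructed body used only for the offline run.

```python
"""Pre-flight check for a Vesper IP threat feed before pointing FortiGate at it.

Added example (not vendor code). Assumptions: feed body is one IPv4/IPv6
address or CIDR per line, '#' lines are comments, auth is HTTP Basic with
Organization UUID as the username. Run with no arguments to validate the
constructed sample offline, or with <uuid> <password> <ca_bundle.pem> to
fetch and validate the live list.
"""
import base64
import ipaddress
import ssl
import sys
import urllib.request
import uuid
from dataclasses import dataclass, field

FEED_URL_TEMPLATE = "https://list.vespersecure.com/{uuid}"

# Constructed sample body, not real Vesper output: four valid entries, one
# comment, and two lines FortiGate would not accept as an IP/CIDR.
SAMPLE_FEED = """# constructed sample feed
203.0.113.5
198.51.100.0/24
2001:db8::/32
2001:db8::10
not-an-ip
10.0.0.1/33
"""


@dataclass
class FeedReport:
    entries: list = field(default_factory=list)  # parsed ip_network objects
    invalid: list = field(default_factory=list)  # (line_number, text) pairs
    comments: int = 0

    @property
    def ok(self) -> bool:
        # A usable feed has at least one entry and nothing the firewall would reject.
        return bool(self.entries) and not self.invalid


def parse_feed(text: str) -> FeedReport:
    """Validate a feed body: one IP or CIDR per line, '#' and blank lines skipped."""
    report = FeedReport()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            report.comments += 1
            continue
        try:
            # strict=False tolerates host bits set (203.0.113.5/24); tighten if needed.
            report.entries.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            report.invalid.append((lineno, line))
    return report


def check_config(resource_url: str, username: str) -> list:
    """Mirror the Auth / URL checklist: host, well-formed UUID, username matches URL."""
    problems = []
    if not resource_url.startswith("https://list.vespersecure.com/"):
        problems.append("URL host is not list.vespersecure.com")
    path_uuid = resource_url.rstrip("/").rsplit("/", 1)[-1]
    try:
        uuid.UUID(path_uuid)
    except ValueError:
        problems.append(f"URL does not end in a valid Organization UUID: {path_uuid!r}")
    if username != path_uuid:
        problems.append("username does not match the Organization UUID in the URL")
    return problems


def fetch_feed(org_uuid: str, password: str, ca_bundle: str) -> str:
    """Fetch the list the way FortiGate will: HTTPS, Basic auth, Vesper CA chain only."""
    # ca_bundle is the Root and Intermediate PEM files concatenated into one file.
    ctx = ssl.create_default_context(cafile=ca_bundle)
    token = base64.b64encode(f"{org_uuid}:{password}".encode()).decode()
    req = urllib.request.Request(
        FEED_URL_TEMPLATE.format(uuid=org_uuid),
        headers={"Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        if resp.status != 200:  # 401 = password/UUID; TLS errors raise before this
            raise RuntimeError(f"feed returned HTTP {resp.status}")
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    if len(sys.argv) == 4:
        org_uuid, password, ca_bundle = sys.argv[1:]
        for problem in check_config(FEED_URL_TEMPLATE.format(uuid=org_uuid), org_uuid):
            print("config:", problem)
        report = parse_feed(fetch_feed(org_uuid, password, ca_bundle))
    else:
        print("no arguments given; validating the constructed sample offline")
        report = parse_feed(SAMPLE_FEED)
    print(f"{len(report.entries)} valid entries, {report.comments} comment lines, "
          f"{len(report.invalid)} invalid lines")
    for lineno, text in report.invalid:
        print(f"  line {lineno}: {text!r} would not load as an IP/CIDR")
    sys.exit(0 if report.ok else 1)
```

If the fetch fails with a certificate error while the same URL works in a browser, the CA bundle (or the system clock) is the problem rather than the credentials; an HTTP 401 points at the list password or the UUID used as username; a connection timeout points at DNS or egress. Fixing those on the workstation first narrows what to look for on the FortiGate.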

Next: User instructions

Once your FortiGate policy enforcement is in place, distribute the user guide so users know how to authenticate and what to expect.