Here is the basic guide for putting SSL VPN on Loopback (you just have to adapt to your needs)
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Prevent-TOR-IP-addresses-from-accessing-SSL-VPN/ta-p/269785
Then you can make normal firewall rules with all objects like threat feeds, ISDB, …
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-a-Threat-Feed-with-SSL-VPN/ta-p/274422
The threat feeds you can just add as external connectors and then use them in normal firewall policies too.
From ISDB I usually block:
Yes, we have geo restrictions in place. We have other threat feeds as well, and this internal one is for anything those don't catch, like web hosting companies in our country.
u/welcome2devnull Thanks for the screenshot. I have updated my ISDB now with your list.
Still getting hammered by these scans, and they are using our users' first.last names, possibly getting info from LinkedIn.
Thanks! For the OCD in some of us, here is a script that will clean up and order the IPs from lowest to highest.
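```powershell
# Read the feed: one IP or CIDR entry per line
$list = Get-Content ASNLIST.txt
# Drop IPv6 entries (anything containing a colon)
$ips = $list | Where-Object { $_ -notlike "*:*" }
# Sort on the address part (the text before "/") cast to [version], which orders
# x.x.x.x numerically. Splitting on "/" handles any prefix length, or none.
$sortedaddresses = $ips |
    Where-Object { ($_ -split '/')[0] -as [version] } |
    Sort-Object { [version] ($_ -split '/')[0] }
$sortedaddresses | Out-File CleanedFeeds.txt
```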
This works with IPv4 addresses, so it removes IPv6 addresses from the list first. If you have IPv6 traffic configured to flow through your interfaces, you might want to filter them out yourself first. The script will order the IPs based on their x.x.x.x numbering while ignoring the subnet details /xx, but that data will be preserved in the output.
This script also sorts massive numbers of IPs quickly. Much faster than using loops in PS.
Also have another short bit of code that compares my feeds and automatically removes duplicates. Organized and Audited. 
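A sketch of the merge, de-duplicate and sort step discussed above, as an added example that is not the poster's script: it drops exact duplicates and entries already covered by a broader CIDR, sorts IPv4 numerically, and passes IPv6 lines through unchanged. The feed contents, the helper name `ConvertTo-Ipv4Range` and the output file name are assumptions.

```powershell
# Constructed sample feeds (RFC 5737 / RFC 3849 documentation ranges), not real indicators.
$feedA = @('203.0.113.0/24', '198.51.100.7', '192.0.2.0/25', '2001:db8::/32')
$feedB = @('198.51.100.7/32', '203.0.113.44', '192.0.2.0/25', 'not-an-ip', '')

function ConvertTo-Ipv4Range {    # hypothetical helper, not a built-in cmdlet
    param([string]$Entry)
    # Accept "a.b.c.d" or "a.b.c.d/nn"; emit nothing for anything else.
    if (-not ($Entry -match '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?:/(\d{1,2}))?$')) { return }
    $octets = 1..4 | ForEach-Object { [int]$Matches[$_] }
    $prefix = if ($Matches[5]) { [int]$Matches[5] } else { 32 }
    if (($octets | Where-Object { $_ -gt 255 }) -or $prefix -gt 32) { return }
    [long]$n = 0
    foreach ($o in $octets) { $n = $n * 256 + $o }
    [long]$size = [math]::Pow(2, 32 - $prefix)
    $start = $n - ($n % $size)    # align the address to its network boundary
    [pscustomobject]@{ Start = $start; End = $start + $size - 1; Prefix = $prefix }
}

# Merge the feeds, trim whitespace and drop empty lines.
$entries = @($feedA + $feedB | ForEach-Object { $_.Trim() } | Where-Object { $_ })

# IPv6 lines are passed through, de-duplicated as plain strings.
$v6 = $entries | Where-Object { $_ -like '*:*' } | Sort-Object -Unique

# IPv4: lowest start first; for equal starts the broadest range comes first.
$ranges = $entries | Where-Object { $_ -notlike '*:*' } |
    ForEach-Object { ConvertTo-Ipv4Range $_ } |
    Sort-Object Start, @{ Expression = 'End'; Descending = $true }

# CIDR ranges are either nested or disjoint, so an entry is redundant
# exactly when it ends at or before the furthest end already kept.
$kept = @()
[long]$maxEnd = -1
foreach ($r in $ranges) {
    if ($r.End -gt $maxEnd) { $kept += $r; $maxEnd = $r.End }
}

# Convert the numeric start back to dotted notation with its prefix.
$v4 = foreach ($r in $kept) {
    $dotted = (3..0 | ForEach-Object { ($r.Start -shr (8 * $_)) -band 255 }) -join '.'
    "$dotted/$($r.Prefix)"
}

@($v4; $v6) | Where-Object { $_ } | Set-Content MergedFeed.txt
```

Entries that fail validation, such as `not-an-ip`, are dropped silently, so compare line counts before and after if the input feed is not trusted to be clean.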
Check some of the IP addresses and who owns them - maybe it's just some datacenter that gets abused, and you could just add the whole datacenter IP range to a deny policy.
If they use your users' first / last names, it's more targeted against you - what I described before mainly keeps away the bot networks that try random usernames / passwords and just spam your logfiles. Targeted attacks are often more sophisticated, but with datacenter blocking you might make their life harder too.
Nice, I do use both IPv4 and IPv6 addresses, and the FortiGate automatically sorts the addresses into v4 and v6 threat feeds.