Skip to main content
msanjaypadma
Staff
msanjaypadma
Staff
February 7, 2022

Technical Tip: External threat list (threat feed) is not working (connector is showing down)

  • February 7, 2022
  • 0 replies
  • 9983 views
Description

This article describes how to troubleshoot external threat feed connectors that a 'down' status.

 

1234.png
Scope FortiGate.
Solution
  1. Check connectivity issue between FortiGate device and webserver using sniffer and debug command towards destination server IP address:

 

diagnose sniffer packet any "host x.x.x.x" 4 0 a <----- Replace x.x.x.x  with destination web-server IP address.

 

For the detail analysis use the below commands:

diagnose debug disable
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug flow filter addr x.x.x.x   <------ Replace x.x.x.x with the destination IP of the communication.
diagnose debug flow trace start 9999
diagnose debug enable

After running the above commands, wait for traffic to get generated by re-enabling the external threat feed connector. If the status shows down, or traffic logs are generated, stop the debug using the below command:

diagnose debug disable

 

  1. Verify which IP address of the firewall is whitelisted in the Webserver to access the hosted file.

  2. Under some circumstances, FortiGate might be using a different IP address that is not whitelisted at the web server (lower index interface IP address as source IP address).

  3. Then it is possible to manually specify the source IP address in the external threat feed configuration.

     

    config system external-resource
        edit <name>

            set source-ip <y.y.y.y>   <----- Where y.y.y.y is source IP address.
        next
    end

     

  4. After setting a source IP address in the threat feed, check the traffic flow and check the status of the threat feed. 

  5. If SD-WAN is configured, change the interface-select-method from auto to SD-WAN:

 

config system external-resource

    edit <name of external connector>

        set interface-select-method

 

auto: Set outgoing interface automatically.

sdwan: Set outgoing interface by SD-WAN or policy routing rules.

specify: Set the outgoing interface manually.

 

Note: 

 

Starting from v7.6.4 GA, there is a new CLI option called 'set source-ip-interface'  which allows the user either to choose an actual IP address as in 'source-IP' or pick an interface name under the 'source-ip-interface'.

 

     config system external-resource

      edit IPv4_list

    set source-ip-interface
         <string> <----- Input string value.
         VPN1 interface
          VPN2 interface
          fortilink interface
          l2t.root interface
          loopback interface
          naf.root interface
          port1 interface
          port2 interface
          port3 interface
          port4 interface
          port5 interface
          port6 interface

 

config system external-resource
    edit "IPv4_list"
        set uuid a702efd4-aa95-51f0-e5ce-bf19ddd5c61f
        set category 193
        set resource "https://192.168.66.4/ipv4_list"
        set source-ip-interface "port2"
    next
end

 

Related articles:

Troubleshooting Tip: How to Troubleshoot external threat feed server not connecting

Troubleshooting Tip: External connector threat feed connection status 'Not start'
Technical Tip: Threat feed list behavior when connection failed between FortiGate and threat feed URL
    Terms & ConditionsAccessibility statement