Technical Tip: FortiGate behavior when external threat feed list is empty

To configure the threat feed list, refer to the following document: Threat feeds

For this example, a custom threat feed was configured. It has one IP configured: 8.8.8.8.

diagnose sys external-address-resource list TEST
IPv4 ranges of uuid-idx 15749 (num=1)
8.8.8.8-8.8.8.8

Two test policies were configured: one that blocks traffic that matches the destination IP addresses from the threat feed (8.8.8.8 in this case), and one that allows all traffic:

config firewall policy
    edit 2
        set name "PC-GOOGLE"
        set uuid 3ec5c0e2-d11c-51f0-a6c5-4cff606acb56
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "TEST"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

HUB2 # sh firewall policy 3
config firewall policy
    edit 3
        set name "PC-INTERNET"
        set uuid 5431f176-d11c-51f0-8ccb-9bb485c4273a
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end

To test the behavior, traffic towards 8.8.8.8 was generated from a host PC connected to the firewall. As the traffic is matching 8.8.8.8 and the policy has the default action to deny, the traffic is dropped:

id=65308 trace_id=1 func=print_pkt_detail line=5872 msg="vd-root:0 received a packet(proto=1, 10.65.10.32:43->8.8.8.8:2048) tun_id=0.0.0.0 from port2. type=8, c
ode=0, id=43, seq=4362."
id=65308 trace_id=1 func=init_ip_session_common line=6057 msg="allocate a new session-00abddb3"
id=65308 trace_id=1 func=__vf_ip_route_input_rcu line=1991 msg="find a route: flag=00000000 gw-10.5.255.254 via port1"
id=65308 trace_id=1 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=35, len=3"
id=65308 trace_id=1 func=fw_forward_handler line=837 msg="Denied by forward policy check (policy 2)"

As the next step, the threat feed was edited, and the 8.8.8.8 IP address was removed.

diagnose sys external-address-resource list TEST

To test the behavior, traffic towards 8.8.8.8 was generated from a host connected to the firewall. As the Threat Feed was empty, traffic matched Firewall Policy 3 and was allowed.

HUB2 # id=65308 trace_id=1 func=print_pkt_detail line=5872 msg="vd-root:0 received a packet(proto=1, 10.65.10.32:43->8.8.8.8:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=43, seq=4366."
id=65308 trace_id=1 func=init_ip_session_common line=6057 msg="allocate a new session-0000051f"
id=65308 trace_id=1 func=__vf_ip_route_input_rcu line=1991 msg="find a route: flag=00000000 gw-10.5.255.254 via port1"
id=65308 trace_id=1 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=35, len=3"
id=65308 trace_id=1 func=get_new_addr line=1213 msg="find SNAT: IP-10.5.209.19(from IPPOOL), port-60460"
id=65308 trace_id=1 func=fw_forward_handler line=990 msg="Allowed by Policy-3: SNAT"