sbabu
Staff
December 31, 2024

Technical Tip: How to configure STIX2.0 external threat feed server in FortiGate

Description

 

This article explains how to configure the STIX2.0 external threat feed server in FortiGate.

 

Scope

 

FortiGate, external threat feed server.

 

Solution

 

Log on to any external threat feed server with user credentials. 

 

Step 1:

  • To obtain the actual link, which must be configured on the FortiGate, take out the red-marked token value from the preceding URL: stix://otx.alienvault.com/otxapi/pulses/668cc34398c8a69a93af9ec2/export/?&format=stix2.0

Step 2:

  • Configure an external threat feed server in FortiGate by navigating to Security Fabric -> External Connectors, scrolling down to locate Threat Feeds, and selecting the FortiGuard Category.
  • In the connector settings, configure the threat feed server with the STIX link, and enter the user key as the username, as shown below.

 

Alien-3 (1).png

 

  • Once configured, the FortiGate will poll feeds from the server.

 

alien-2 (3).png

 

If the connector gives an error, the output below can be collected to identify the issue further.

 

Putty1:

exec ping <external threat feed server IP>

Putty2:

 

dia sniffer packet any "host x.x.x.x" 6 0 a

Putty3:


dia de reset
dia de app forticron 0xf00
dia de console timestamp enable
dia de enable
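
Alongside the debug output above, it helps to confirm offline that the export really is a STIX 2.0 bundle and to see which indicator types it carries. The Python check below is an added example, not part of the original article or any Fortinet tooling; the sample bundle and its IDs are constructed, and only simple `=` comparisons in indicator patterns are parsed.

```python
import json
import re
from collections import defaultdict

# Matches simple STIX 2.0 comparisons such as
# [domain-name:value = 'bad.example'] or [file:hashes.'SHA-256' = '...'].
_COMPARISON = re.compile(r"([a-z0-9-]+):([\w.'-]+)\s*=\s*'((?:[^'\\]|\\.)*)'")


def summarize_bundle(raw: str) -> dict:
    """Return {observable_type: sorted unique values} for a STIX 2.0 bundle.

    Raises ValueError if the body is not JSON (for example an HTML login or
    error page) or is not a bundle with spec_version 2.0.
    """
    doc = json.loads(raw)  # JSONDecodeError is a subclass of ValueError
    if not isinstance(doc, dict) or doc.get("type") != "bundle":
        raise ValueError("response is not a STIX bundle")
    if doc.get("spec_version") != "2.0":
        raise ValueError("bundle spec_version is not 2.0")
    found = defaultdict(set)
    for obj in doc.get("objects", []):
        if obj.get("type") != "indicator":
            continue  # reports, identities, etc. carry no patterns
        for obs_type, _path, value in _COMPARISON.findall(obj.get("pattern", "")):
            found[obs_type].add(value.replace("\\'", "'"))
    return {k: sorted(v) for k, v in found.items()}


# Constructed sample export (not real threat data).
SAMPLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "spec_version": "2.0",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern": "[domain-name:value = 'bad.example']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern": "[url:value = 'http://bad.example/login']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern": "[ipv4-addr:value = '203.0.113.7' OR ipv4-addr:value = '203.0.113.8']"},
        {"type": "report", "id": "report--00000000-0000-4000-8000-000000000005"},
    ],
})

if __name__ == "__main__":
    for obs_type, values in summarize_bundle(SAMPLE).items():
        print(f"{obs_type}: {len(values)} value(s)")
```

An empty result means the bundle parsed but holds no indicator patterns this check understands.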