kcheng
Staff & Editor
August 1, 2022

Technical Tip: Threat feed list behavior when connection failed between FortiGate and threat feed URL

Description

This article illustrates FortiGate behavior on the threat feed list when the connection between FortiGate and the threat feed list URL fails.

Scope

FortiGate v6.2.x and above.
Solution
  1. To configure the threat feed list, refer to the following document: Threat feeds.

  2. When the connection from FortiGate to the respective URL is successful, the number of entries can be viewed via the GUI.

  3. However, if the connection to the threat feed URL fails, the entries will show 'Resource file not found' and an empty list will be visible when 'View Entries' is selected.

  4. Although the GUI is not showing any entries, that does not mean that FortiGate no longer holds the threat feed list.

This can be verified via the following commands in the CLI:

diagnose sys external-address-resource list
diagnose sys external-address-resource list <Connector_Name>


The list is still stored in the resource list, despite the GUI showing no result.

The reason is that the GUI shows the result of a live query against the URL, whereas the stored records can only be checked in the CLI.

Note: If the FortiGate loses connectivity with the external server, the threat feed will continue to function despite the Connection Status error, and even after a reboot. However, the threat feed will not be updated and no new entries will be added until the connection is re-established.


Note: If an entry such as 0.0.0.1 - 31.255.255.254 is present (e.g., 31.244.244.233/2), it represents a very large subnet.

IP Address: 31.13.131.13
Network Address: 0.0.0.0
Usable Host IP Range: 0.0.0.1 - 31.255.255.254
Broadcast Address: 31.255.255.255


Before adding any IP address to a policy or object group, ensure the subnet is accurate. Using an overly broad subnet (like /2) can unintentionally include many unrelated IPs, leading to network-wide access blocks or outages.
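As an added example (not part of the original article and not a Fortinet tool), the script below uses Python's ipaddress module to audit a threat feed file before its entries reach a policy: it works out the network, usable host range and broadcast for each entry as the note above does, and flags any prefix wider than an assumed /8 review threshold. The feed contents and the threshold are constructed for illustration.

```python
import ipaddress

# Constructed sample of an external address resource file (plain text,
# one IP or CIDR per line, '#' comments). Not a real feed.
SAMPLE_FEED = """\
# constructed sample threat feed
198.51.100.23
203.0.113.0/24
31.13.131.13/2
31.13.131.13/3
not-an-address
"""

# Widest prefix accepted without manual review. Assumed threshold for this
# example, not a Fortinet setting; anything shorter is flagged as too broad.
MAX_PREFIX_WIDTH = 8

def describe_entry(entry: str) -> dict:
    """Work out network, usable host range and broadcast for one entry.
    strict=False accepts a host address with host bits set (31.13.131.13/2);
    a /2 spans 0.0.0.0 - 63.255.255.255, a /3 spans 0.0.0.0 - 31.255.255.255."""
    net = ipaddress.ip_network(entry, strict=False)
    if net.prefixlen >= net.max_prefixlen - 1:   # /31 and /32 have no reserved ends
        first, last = net.network_address, net.broadcast_address
    else:
        first, last = net.network_address + 1, net.broadcast_address - 1
    return {
        "network": str(net.network_address),
        "usable_range": f"{first} - {last}",
        "broadcast": str(net.broadcast_address),
        "prefixlen": net.prefixlen,
        "addresses": net.num_addresses,
    }

def audit_feed(text: str, max_width: int = MAX_PREFIX_WIDTH) -> dict:
    """Sort feed lines into ok / too_broad / invalid before they reach a policy."""
    report = {"ok": [], "too_broad": [], "invalid": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            info = describe_entry(line)
        except ValueError:                       # malformed line, never a valid object
            report["invalid"].append(line)
            continue
        bucket = "too_broad" if info["prefixlen"] < max_width else "ok"
        report[bucket].append((line, info))
    return report
```

Run audit_feed on the downloaded feed file and review anything in too_broad or invalid before the feed is referenced by a policy.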