Troubleshooting Tip: Monitoring script for FortiGate Threat Feed connector using Tera Term
| Description | This article describes the steps to monitor the statistics of the FortiGate external threat feed connector for further troubleshooting purposes. |
| Scope | FortiGate. |
| Solution | At times, it is uncertain whether the issue resides on FortiGate or the external threat feed provider server. The commands to monitor the changes on FortiGate external threat feed statistics are as below:
diagnose sys external-address-resource list
fnsysctl ls -la /var/log/external
An issue may occur randomly, causing traffic to be permitted/denied when the entry is not in the external connector resource list. In the following example, the IP addresses 183.134.59.133-183.134.59.134 are listed as a Malicious Website.
The IP address has been verified to exist in the configured threat feed connector:
FG6H0E-1 # diagnose sys external-address-resource list "TF_Connector" | grep 183.134.59.133
However, the traffic was observed to be permitted from time to time despite the firewall policy being configured with a deny action.
To identify the issue, a monitoring script was deployed to collect the output of the commands stated above along with the date. From the output of the script, it was noticed that the update from the third-party threat feed server was not providing a stable IP list due to connections with other third-party services.
The following statistics are observed when the full list is updated from the external threat feed server to FortiGate:
FG6H0E-1 # diagnose sys external-address-resource list
List of external address resources:
name:TF_Connector, uuid-idx:1889, num of ipv4/ipv6 ranges:192885/0, used:yes
FG6H0E-1 # diagnose sys external-address-resource list "TF_Connector" | grep 183.134.59.133
183.134.59.133-183.134.59.134
FG6H0E-1 # fnsysctl ls -la /var/log/external
drwx------ 2 0 0 Thu Nov 27 03:36:14 2025 0 .
drwxr-xr-x 12 0 0 Tue Nov 25 15:14:27 2025 0 ..
-rw-r--r-- 1 0 0 Thu Nov 27 03:36:15 2025 3058441 ext-98402f58-c9cf-51f0-633f-83b778eaa61e
-rw-r--r-- 1 0 0 Thu Nov 27 03:36:15 2025 12 ext-98402f58-c9cf-51f0-633f-83b778eaa61e.count
-rw-r--r-- 1 0 0 Thu Nov 27 03:36:15 2025 33 ext-98402f58-c9cf-51f0-633f-83b778eaa61e.csum
-rw-r--r-- 1 0 0 Thu Nov 27 03:36:15 2025 8 ext-98402f58-c9cf-51f0-633f-83b778eaa61e.stats
However, when the traffic was reported as being allowed, it was noticed that the threat feed server provided a smaller list, and the malicious IP was not installed in FortiGate. The resource file installed in FortiGate also shows a drastic drop in file size:
FG6H0E-1 # diagnose sys external-address-resource list
List of external address resources:
name:TF_Connector, uuid-idx:1889, num of ipv4/ipv6 ranges:66272/0, used:yes
FG6H0E-1 # diagnose sys external-address-resource list "TF_Connector" | grep 183.134.59.133 -----> IP does not exist in the list.
FG6H0E-1 # fnsysctl ls -la /var/log/external
drwx------ 2 0 0 Thu Nov 27 09:02:44 2025 0 .
drwxr-xr-x 12 0 0 Tue Nov 25 15:14:27 2025 0 ..
-rw-r--r-- 1 0 0 Thu Nov 27 09:02:44 2025 1073330 ext-98402f58-c9cf-51f0-633f-83b778eaa61e
-rw-r--r-- 1 0 0 Thu Nov 27 09:02:44 2025 12 ext-98402f58-c9cf-51f0-633f-83b778eaa61e.count
-rw-r--r-- 1 0 0 Thu Nov 27 09:02:44 2025 33 ext-98402f58-c9cf-51f0-633f-83b778eaa61e.csum
-rw-r--r-- 1 0 0 Thu Nov 27 09:02:44 2025 8 ext-98402f58-c9cf-51f0-633f-83b778eaa61e.stats
In this scenario, it is necessary to confirm whether the external threat feed server is stable and whether the list is constantly available for polling. The FortiGate external threat feed list changes according to the records served at the configured source URL.
Note that there is no connectivity failure in this scenario. When a connection failure happens between the external threat feed server and FortiGate, FortiGate will not delete the list unless a reboot has occurred on the FortiGate. For further information, refer to this article: Technical Tip: Threat feed list behavior when connection failed between FortiGate and threat feed URL.
The attached monitoring script runs the necessary commands at an interval of 300 seconds. Fine-tuning the interval is required to monitor issues that recover in a short time. The command to run diagnose sys external-address-resource list <Threat feed connector name> | grep x.x.x.x is disabled by default. Remove the leading semicolon on lines 24 and 25 to activate the monitoring.
Refer to the article Troubleshooting Tip: High memory and High CPU general script using Tera Term for steps to download Tera Term and configure logging for investigation purposes. In the script ThreatConnector_1.1.ttl, an enhancement has been made to automatically store the output in the folder "C:\FTNTTACDebug". Amend the folder location if the output should be stored elsewhere:
For example:
dpath = 'D:\FTNTTACDebug' |
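The comparison between the full and the reduced list described above can be automated over the saved Tera Term log. The following Python is an added example, not part of the original article or the attached TTL script. It assumes a single connector and a log that contains the two command outputs in the format shown above; the names parse_samples and find_drops and the 50% threshold are illustrative choices.

```python
import re
from datetime import datetime

# Constructed sample (assumed log layout): two polls in the output format shown on this page.
SAMPLE_LOG = """\
FG6H0E-1 # diagnose sys external-address-resource list
List of external address resources:
name:TF_Connector, uuid-idx:1889, num of ipv4/ipv6 ranges:192885/0, used:yes
FG6H0E-1 # fnsysctl ls -la /var/log/external
-rw-r--r-- 1 0 0 Thu Nov 27 03:36:15 2025 3058441 ext-98402f58-c9cf-51f0-633f-83b778eaa61e
-rw-r--r-- 1 0 0 Thu Nov 27 03:36:15 2025 12 ext-98402f58-c9cf-51f0-633f-83b778eaa61e.count
FG6H0E-1 # diagnose sys external-address-resource list
List of external address resources:
name:TF_Connector, uuid-idx:1889, num of ipv4/ipv6 ranges:66272/0, used:yes
FG6H0E-1 # fnsysctl ls -la /var/log/external
-rw-r--r-- 1 0 0 Thu Nov 27 09:02:44 2025 1073330 ext-98402f58-c9cf-51f0-633f-83b778eaa61e
"""

RANGES = re.compile(r"name:([^,]+), uuid-idx:\d+, num of ipv4/ipv6 ranges:(\d+)/(\d+)")
# Matches the resource file itself, not its .count/.csum/.stats companions.
RESFILE = re.compile(r"^-\S+ +\d+ +\d+ +\d+ +(\w{3} \w{3} +\d+ [\d:]{8} \d{4}) +(\d+) +ext-[0-9a-f-]+$")

def parse_samples(log, connector):
    """Return one dict per poll of `connector`: IPv4 range count, file size, file mtime."""
    samples = []
    for line in log.splitlines():
        line = line.strip()
        m = RANGES.search(line)
        if m and m.group(1) == connector:
            samples.append({"ranges": int(m.group(2)), "size": None, "mtime": None})
            continue
        f = RESFILE.match(line)
        if f and samples and samples[-1]["size"] is None:
            samples[-1]["mtime"] = datetime.strptime(f.group(1), "%a %b %d %H:%M:%S %Y")
            samples[-1]["size"] = int(f.group(2))
    return samples

def find_drops(samples, max_drop=0.5):
    """Flag polls whose range count fell by more than `max_drop` versus the previous poll."""
    alerts = []
    for prev, cur in zip(samples, samples[1:]):
        if prev["ranges"] and cur["ranges"] < prev["ranges"] * (1 - max_drop):
            lost = 1 - cur["ranges"] / prev["ranges"]
            alerts.append((cur["mtime"], prev["ranges"], cur["ranges"], round(lost, 3)))
    return alerts

if __name__ == "__main__":
    for when, before, after, lost in find_drops(parse_samples(SAMPLE_LOG, "TF_Connector")):
        print(f"{when}: ranges {before} -> {after} ({lost:.1%} lost); check feed server stability")
```

A flagged poll gives the timestamp at which the smaller list was installed, which can then be compared with the time the traffic was reported as allowed.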




