Yerlikaya06
New Member
December 16, 2022
Question

I can't delete Malware Hash Threat Feed (FortiGate 600E - release v7.2.3)

  • December 16, 2022
  • 6 replies
  • 11106 views

I can never delete Security Fabric > External Connectors > Malware Hash - Threat Feed that I created on root user on FortiGate 600E device with FortiOS v7.2.3.

FortiGate 

6 replies

funkylicious
SuperUser
December 16, 2022

Hi,

Any chance this object is being used somewhere? You can right click it and View Object Usage.

"jack of all trades, master of none"
Yerlikaya06
New Member
December 16, 2022

No, there is no usage. I can right click it and view "Ref. Count=0".

ede_pfau
SuperUser
December 16, 2022

In CLI, type

show full | grep -f "threat\|malware\|connector"

 

or the like, to get to the config part where this has been mentioned.

A quick before-after comparison of your config files would also be helpful.

Yerlikaya06
New Member
December 16, 2022

I ran the above command in the CLI but didn't see anything significant so that I could delete the "malware hash".

ede_pfau
SuperUser
December 16, 2022

Just added it to my FGT and got this (single) place in the config which changed:

 

config system external-resource
    edit "myMalwareHash"
        set type malware
        set username "ede_pfau"
        set password ENC 022...UtwQ==
        set comments "bla"
        set resource "http://www.mywebserver.de/myhashfile"
    next
end

So, a simple

config system external-resource
    del "myMalwareHash"
end

should do.

Yerlikaya06
New Member
December 16, 2022

Thanks a lot for your help. When I try to delete, I get the following errors:

CLI;

1.png

GUI;

2.png

funkylicious
SuperUser
December 16, 2022

Just a thought, have you tried disabling it before trying to delete it?

"jack of all trades, master of none"
pminarik
Staff
December 16, 2022

Go through all of your antivirus profiles, check if they have "Use external malware block list" enabled. It can either be an explicit list of individual feeds, or all of them. (in which case the reference to the feed you want to delete would not show up in the CLI)
If that's the case, disable the option altogether, or switch to specific feeds and ensure the one you want to delete isn't in the selected list.

 

edit: make sure to check (and possibly change) this through the CLI as well. "external-blocklist-enable-all" seems to be enabled in the CLI by default but not displayed in the GUI, at least in 7.0.x that I have checked. (maybe a GUI bug)
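
The CLI check described above, as an added example (not from any poster in this thread and not Fortinet code): a Python script that parses saved "show full-configuration" output and lists the antivirus profiles that still reference a feed, either through external-blocklist-enable-all or by name. The sample config and profile names are constructed, and the "set external-blocklist" line format is an assumption about how explicitly selected feeds appear.

```python
import shlex

def feed_references(config_text, feed):
    """List (vdom, av_profile, reason) entries that still reference `feed`."""
    stack, hits = [], []                 # nesting of ("config"|"edit", name)
    for raw in config_text.splitlines():
        try:
            tok = shlex.split(raw)
        except ValueError:               # part of a multi-line quoted value
            continue
        if not tok:
            continue
        kw, args = tok[0], tok[1:]
        if kw == "config":
            stack.append(("config", " ".join(args)))
        elif kw == "edit":
            stack.append(("edit", args[0] if args else ""))
        elif kw == "next" and stack and stack[-1][0] == "edit":
            stack.pop()
        elif kw == "end":                # closes the config and any open edit
            while stack and stack.pop()[0] != "config":
                pass
        elif kw == "set" and len(stack) >= 2 and stack[-2] == ("config", "antivirus profile"):
            vdom = stack[1][1] if stack[0] == ("config", "vdom") else "(no VDOM)"
            if args[:2] == ["external-blocklist-enable-all", "enable"]:
                hits.append((vdom, stack[-1][1], "enable-all"))
            elif args and args[0] == "external-blocklist" and feed in args[1:]:
                hits.append((vdom, stack[-1][1], "listed"))
    return hits

# Constructed sample in the layout of a multi-VDOM config (assumed, not from a real device)
SAMPLE = '''config vdom
edit root
config antivirus profile
    edit "default"
        set external-blocklist-enable-all disable
        config http
            set av-scan block
        end
    next
    edit "hidden-profile"
        set external-blocklist-enable-all enable
    next
    edit "explicit-profile"
        set external-blocklist "otherFeed" "myMalwareHash"
    next
end
end'''

print(feed_references(SAMPLE, "myMalwareHash"))
```

Run it on full-configuration output rather than plain "show", since settings left at their default value are only printed in the full output.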

Yerlikaya06
New Member
December 16, 2022

I went through all the antivirus profiles. There are currently 4 antivirus profiles (all default antivirus profiles that come with FortiGate). The "Use external malware block list" option is not active in any of the security profiles (Antivirus, web filter, video filter, DNS filter etc.); it is not used in any profile.

seshuganesh
Staff
December 17, 2022

Hi Team,

 

It seems you are deleting from root VDOM.
Can you delete from global VDOM? Are they visible?

 

Tim-Berland
Explorer
May 3, 2024

Thank you so much @pminarik ! 
"show full-configuration | grep -f external-blocklist-enable-all" did show me where to look, there was an AV profile not visible in GUI that had it enabled .... Nice "Feature" :clown_face:
Have a great day !

PaulRoberts
New Member
June 27, 2024

Just ran into this issue myself, with a side order of it actually being caused by the FortiManager deciding it doesn't believe in the existence of any malware threat feeds after an update (7.2.4->7.2.5), so it tries to delete the malware feeds out of the appliance and breaks the push. Yay.

So, should someone encounter this, it's not an ideal solution but you'll basically have to make a script in the FortiManager that goes into 'config antivirus profile' and does a 'set external-blocklist-enable-all disable' for each profile, then 'config system external-resource' and delete the affected malware feeds (yes this sucks), and then back through the antivirus profiles again to switch them back. Optionally one may re-add the external resources in a second script which should be run after policy changes (because the policy changes won't be possible while the FortiManager continues to disbelieve in the existence of malware threat feeds), but frankly this is a giant PITA and not exactly a great look to have to disable a chunk of functionality because the FortiManager doesn't believe in it.

jhussain_FTNT
Staff
July 7, 2024

Hi,

 

Kindly verify whether "Use external malware block list" is enabled on the antivirus profile and, if so, kindly disable it and try deleting the profile.

 

Regards

Jamal