|
An issue has been observed where FortiGate is unable to fetch data from the configured external connector when server-identity-checks is set to basic or full, particularly when:
config firewall address
edit "Test_Block_List"
set type iprange
set comment "External IP Feed Test"
set resource "https://Block-List.fortinet.tac/testing.txt"
set server-identity-check basic <<<<
next
end
config firewall policy
edit 1
set name "Test"
set srcintf "Internet-Zone"
set dstintf "any"
set srcaddr "Test_Block_List"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic disable
set global-label "Block"
next
end
This behavior occurs because the server certificate’s identity could not be verified against the FQDN specified in the external resource configuration.
When server-identity-check is set to basic or full, the connection to the external feed fails, and the FortiGate logs the following SSL error.
diagnose debug application forticron -1
diagnose debug console timestamp enable
diagnose debug enable
2025-10-14 13:26:51 __update_ext()-282: Updating EXT 'Test_Block_List' with HTTP
2025-10-14 13:26:51 __http_resolv_cb()-2018: ssl set SNI 'Block-List.fortinet.tac'
2025-10-14 13:26:51 __http_resolv_cb()-2043: fos_epoll_add(24)
2025-10-14 13:26:51 __set_next_retry_time()-259: Next update for ext 'Test_Block_List' fires in 300 seconds
2025-10-14 13:26:51 ext_update_result()-357: HTTP result=1: __http_connect() tcps_connect(190.225.2.61) failed: ssl_connect() failed: 167772294 (error:0A000086:SSL routines::certificate v
2025-10-14 13:26:51 237-__http_stop: fd=24 name='ext-78b073de-6c32-51ee-77ca-f4f56af51b7c' feed_name='ext-root.Test_Block_List' http_1=1 loc=0 state=send.header info=0-Server not reachable
This issue has been fixed in the following builds:
-
FortiOS v7.4.9.
-
FortiOS v7.6.4.
|
