msanjaypadma
Staff
Article Id 204355
Description This article describes how to troubleshoot an external threat feed connector that shows a status of down.
Scope FortiGate.
Solution
  1. Check connectivity between the FortiGate device and the web server by running the sniffer and debug commands against the destination server IP address.

 

diagnose sniffer packet any "host x.x.x.x" 4 0 a <----- Replace x.x.x.x with the destination web server IP address.

 

For detailed analysis, use the following commands:

diag debug disable
diag debug reset
diag debug flow show console enable
diag debug flow show function-name enable
diag debug flow show iprope enable
diag debug flow filter addr x.x.x.x   <----- Replace x.x.x.x with the destination IP of the communication.
diag debug flow trace start 9999
diag debug enable

After running the above commands, re-enable the external threat feed connector so that traffic is generated.

If the status shows down, or once traffic logs are generated, stop the debug using the following command:

diag debug disable

  2. Verify which IP address of the firewall is whitelisted on the web server for access to the hosted file.

  3. Check whether FortiGate, when connecting to the web server, is using a different IP address that is not whitelisted on the web server (the IP address of the lower-index interface is used as the source IP address).

  4. If so, specify the source IP address manually in the external threat feed configuration:

    config system external-resource
        edit <name>
            set source-ip <y.y.y.y>   <----- Where y.y.y.y is the source IP address.
        next
    end

  5. After setting the source IP address in the threat feed, check the traffic flow and the status of the threat feed.

  6. If SD-WAN is configured, change the interface-select-method from auto to SD-WAN.
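
The following Python script is an added example, not part of the original article or any Fortinet tooling. It reads saved output of the sniffer command from step 1 and reports which source IP address the FortiGate used toward the web server and whether its SYNs were answered. The capture lines are constructed, their layout (absolute timestamp, interface, direction, src.port -> dst.port: flags) is an assumption modelled on verbosity 4 output with the "a" option, and all IP addresses are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of 'diagnose sniffer packet any "host x.x.x.x" 4 0 a' output (not from a real device).
# 203.0.113.10 stands in for the web server; 198.51.100.2 and 192.0.2.1 are placeholder FortiGate IPs.
SAMPLE = """\
2022-02-01 10:15:01.101010 wan1 out 198.51.100.2.14522 -> 203.0.113.10.443: syn 1111111111
2022-02-01 10:15:02.101300 wan1 out 198.51.100.2.14522 -> 203.0.113.10.443: syn 1111111111
2022-02-01 10:15:04.101900 wan1 out 198.51.100.2.14522 -> 203.0.113.10.443: syn 1111111111
2022-02-01 10:20:01.200100 wan1 out 192.0.2.1.14530 -> 203.0.113.10.443: syn 2222222222
2022-02-01 10:20:01.231000 wan1 in 203.0.113.10.443 -> 192.0.2.1.14530: syn 3333333333 ack 2222222223
2022-02-01 10:20:01.231400 wan1 out 192.0.2.1.14530 -> 203.0.113.10.443: ack 3333333334
"""

LINE = re.compile(
    r"^\S+ \S+ (?P<ifc>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>.*)$"
)

def summarize(capture, server_ip, whitelisted):
    """Per FortiGate source IP: SYNs sent, SYN-ACKs received, and a verdict."""
    stats = defaultdict(lambda: {"syn": 0, "synack": 0, "ifc": None})
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip headers, blank lines and anything that is not an IPv4 packet line
        flags = m["flags"].split()
        is_syn = bool(flags) and flags[0] == "syn"
        if m["dir"] == "out" and m["dst"] == server_ip and is_syn and "ack" not in flags:
            stats[m["src"]]["syn"] += 1
            stats[m["src"]]["ifc"] = m["ifc"]
        elif m["dir"] == "in" and m["src"] == server_ip and is_syn and "ack" in flags:
            stats[m["dst"]]["synack"] += 1
    report = {}
    for ip, s in stats.items():
        if s["synack"]:
            verdict = "handshake answered"
        elif ip not in whitelisted:
            verdict = "no reply; source IP not whitelisted, consider set source-ip"
        else:
            verdict = "no reply; whitelisted, check routing/policy with debug flow"
        report[ip] = {**s, "verdict": verdict}
    return report

if __name__ == "__main__":
    for ip, r in summarize(SAMPLE, "203.0.113.10", {"192.0.2.1"}).items():
        print(ip, r)
```

Repeated unanswered SYNs from an address missing from the web server's whitelist point to the source-ip setting in step 4; unanswered SYNs from a whitelisted address point back to the debug flow output.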