kcheng
Staff & Editor
Article Id 421292
Description

This article describes the behavior of FortiGate Threat Feed External Connector when changes are detected.

The FortiGate external connector allows administrators to poll IP addresses or domains from external sources for traffic control. The polling interval is set by the refresh-rate option in the FortiGate configuration, which determines how often the latest list is fetched from the external server.

Scope

FortiOS.
Solution

In the demo environment, the FortiGate is configured with an internally hosted web server as the Threat Feed provider, so that the feed content is easy to control:

 

FGT # config system external-resource
edit "Ext connector"
set uuid 07cc99b0-c9cb-51f0-9177-3a3c94ddf722
set type address
set resource "http://10.56.242.32/iplist.txt"
set refresh-rate 1 <-----Refresh rate configured to 1 minute for demonstration purposes.
next
end

 

To check the debug logs of the threat feed connector, the following debug commands can be enabled:

 

diagnose debug application forticron -1

diagnose debug enable

 

In the demo environment, the state of the FortiGate threat feed before the new IP address is added is shown below:

 

FGT # diagnose sys external-address-resource list "Ext connector"
IPv4 ranges of uuid-idx 15846 (num=3)
1.1.1.1-1.1.1.1
2.2.2.2-2.2.2.2
3.3.3.3-3.3.3.3

 

FGT # diagnose sys external-resource stats
name: Ext connector; uuid_idx: 15846; type: address table; update_method: feed; total lines: 3; valid lines: 3; error lines: 0; used: yes; buildable: 3; total in count file: 3; ranges: 0;

 

FGT # fnsysctl ls -la /var/log/external
drwx------ 2 0 0 Mon Dec 1 17:28:29 2025 4096 .
drwxr-xr-x 16 0 0 Mon Dec 1 17:17:02 2025 4096 ..
-rw-r--r-- 1 0 0 Mon Dec 1 17:28:29 2025 25 ext-07cc99b0-c9cb-51f0-9177-3a3c94ddf722
-rw-r--r-- 1 0 0 Mon Dec 1 17:28:29 2025 12 ext-07cc99b0-c9cb-51f0-9177-3a3c94ddf722.count
-rw-r--r-- 1 0 0 Mon Dec 1 17:28:29 2025 33 ext-07cc99b0-c9cb-51f0-9177-3a3c94ddf722.csum
-rw-r--r-- 1 0 0 Mon Dec 1 17:28:29 2025 20 ext-07cc99b0-c9cb-51f0-9177-3a3c94ddf722.etag
-rw-r--r-- 1 0 0 Mon Dec 1 17:28:29 2025 8 ext-07cc99b0-c9cb-51f0-9177-3a3c94ddf722.stats

 

The data downloaded from the external threat feed server is saved in /var/log/external, so the timestamp and file size of the files in this directory indicate when the threat feed was last modified.

 

For demonstration purposes, another IP was added to the threat feed server:

 

[Screenshot: IP address added to the list on the threat feed server]

 

The following will be observed in the FortiGate debug logs:

 

FGT # diagnose debug application forticron -1
Debug messages will be on for 30 minutes.

FGT # diagnose debug enable

....

fcron_epoll_before_handle()-260: BEFORE READ fd 13 handle event 0x01 read 0x5578fb79f9f0 epoll events 0x01
fcron_ext_handle_cmd_update()-1152: command update 'Ext connector' --> Action triggered to update threat feed
fcron_reload_exts()-732:
fcron_reload_exts()-734: reset ver update time to 1800 seconds
add_ext_feed_to_list()-578: update ver update time to 60 seconds

...

fcron_timer_func()-23: Timer ext_upd fired
fcron_update_ext_func()-996: update ver: 0
2034-before-init: fd=-1 name='ext-07cc99b0-c9cb-51f0-9177-3a3c94ddf722' feed_name='ext-root.Ext connector' http_1=0 loc=0 state=recv.body info=1-Resource is same chunk=0 content-0=0 etag=1 csum=1 done=0 closed=0
sync-0(len=0 note=0 err=0) buf-1(sz=8192 data=162 free=8030 pos=0 end=162 max=134217728)
2034-init-as: fd=-1 name='ext-07cc99b0-c9cb-51f0-9177-3a3c94ddf722' feed_name='ext-root.Ext connector' http_1=0 loc=0 state=send.body info=0-None chunk=0 content-0=0 etag=1 csum=1 done=0 closed=0
sync-0(len=0 note=0 err=0) buf-1(sz=8192 data=0 free=8192 pos=0 end=0 max=134217728)
http_request_make()-2226: HTTP request: http

GET /iplist.txt HTTP/1.1
Host: 10.56.242.32
User-Agent: curl/7.58.0
Accept: */*
Connection: close


http_request_make()-2261: fcron_get_addr(10.56.242.32)
__http_resolv_cb()-2041: fos_epoll_add(23)
__update_ext()-257: Updating EXT 'Ext connector' with HTTP
fcron_timer_func()-32: Timer ext_upd done
fcron_epoll_before_handle()-264: BEFORE WRITE fd 23 handle event 0x04 write 0x5578fb7ac5d0 epoll events 0x04
__http_connect()-1932: tcps_connect(10.56.242.32) is established.
fcron_epoll_after_handle()-280: AFTER WRITE ret 0
fcron_epoll_before_handle()-264: BEFORE WRITE fd 23 handle event 0x04 write 0x5578fb7ac4a0 epoll events 0x04
__http_send()-799: sent 105 bytes: pos=0, len=105
2034-before-init: fd=23 name='ext-07cc99b0-c9cb-51f0-9177-3a3c94ddf722' feed_name='ext-root.Ext connector' http_1=1 loc=0 state=send.body info=0-None chunk=0 content-0=0 etag=0 csum=1 done=0 closed=0
sync-0(len=0 note=0 err=0) buf-1(sz=8192 data=0 free=8087 pos=105 end=105 max=134217728)
2034-init-as: fd=23 name='ext-07cc99b0-c9cb-51f0-9177-3a3c94ddf722' feed_name='ext-root.Ext connector' http_1=1 loc=0 state=recv.header info=0-None chunk=0 content-0=0 etag=0 csum=1 done=0 closed=0
sync-0(len=0 note=0 err=0) buf-1(sz=8192 data=0 free=8192 pos=0 end=0 max=134217728)
2034-__http_rxtx: fd=23 name='ext-07cc99b0-c9cb-51f0-9177-3a3c94ddf722' feed_name='ext-root.Ext connector' http_1=1 loc=0 state=recv.header info=0-None chunk=0 content-0=0 etag=0 csum=1 done=0 closed=0
sync-0(len=0 note=0 err=0) buf-1(sz=8192 data=0 free=8192 pos=0 end=0 max=134217728)
fcron_epoll_after_handle()-280: AFTER WRITE ret 0
fcron_epoll_before_handle()-260: BEFORE READ fd 23 handle event 0x01 read 0x5578fb7ac4a0 epoll events 0x01
__http_recv()-1862: Server [10.56.242.32:80]: read=277 data=277 free=7915
2034-Loop-handle: fd=23 name='ext-07cc99b0-c9cb-51f0-9177-3a3c94ddf722' feed_name='ext-root.Ext connector' http_1=1 loc=0 state=recv.header info=0-None chunk=0 content-0=0 etag=0 csum=1 done=0 closed=0
sync-0(len=0 note=0 err=0) buf-1(sz=8192 data=277 free=7915 pos=0 end=277 max=134217728)
2034-__http_recv_handle_header: fd=23 name='ext-07cc99b0-c9cb-51f0-9177-3a3c94ddf722' feed_name='ext-root.Ext connector' http_1=1 loc=0 state=recv.header info=0-None chunk=0 content-0=0 etag=0 csum=1 done=0 closed=0
sync-0(len=0 note=0 err=0) buf-1(sz=8192 data=277 free=7915 pos=0 end=277 max=134217728)
__http_recv_handle_header()-1484:

HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Tue, 02 Dec 2025 01:43:10 GMT
Accept-Ranges: bytes
ETag: "3128fd32d63dc1:0"
Server: Microsoft-IIS/10.0
Date: Tue, 02 Dec 2025 01:43:20 GMT
Connection: close
Content-Length: 34

2034-Remove-header: fd=23 name='ext-07cc99b0-c9cb-51f0-9177-3a3c94ddf722' feed_name='ext-root.Ext connector' http_1=1 loc=0 state=recv.body info=0-None chunk=0 content-1=34 etag=0 csum=1 done=0 closed=0
sync-0(len=0 note=0 err=0) buf-1(sz=8192 data=34 free=8158 pos=0 end=34 max=134217728)
2034-__http_recv_handle_body: fd=23 name='ext-07cc99b0-c9cb-51f0-9177-3a3c94ddf722' feed_name='ext-root.Ext connector' http_1=1 loc=0 state=recv.body info=0-None chunk=0 content-1=34 etag=0 csum=1 done=0 closed=0
sync-0(len=0 note=0 err=0) buf-1(sz=8192 data=34 free=8158 pos=0 end=34 max=134217728)
2034-__http_recv_handle_body_done: fd=23 name='ext-07cc99b0-c9cb-51f0-9177-3a3c94ddf722' feed_name='ext-root.Ext connector' http_1=1 loc=0 state=recv.body_done info=0-None chunk=0 content-1=34 etag=0 csum=1 done=0 closed=0
sync-1(len=34 note=0 err=0) buf-1(sz=8192 data=0 free=8192 pos=0 end=0 max=134217728)
ext_csum_write()-931: ext-07cc99b0-c9cb-51f0-9177-3a3c94ddf722: csum='f9213ed540aafb65633b565f8b79c98c'
ext_update_result()-333: HTTP result=0: Succ
ext_entry_count_write()-345: 07cc99b0-c9cb-51f0-9177-3a3c94ddf722: wrote 4 entries to file
ext_http_etag_write()-867: ext-07cc99b0-c9cb-51f0-9177-3a3c94ddf722: etag='"3128fd32d63dc1:0"'
ext_ha_sync_file()-398: Sending Ext connector to other HA members
ext_file_sync()-1315: update done: tag=1
2034-before-init: fd=23 name='ext-07cc99b0-c9cb-51f0-9177-3a3c94ddf722' feed_name='ext-root.Ext connector' http_1=1 loc=0 state=recv.body_done info=1-Succ chunk=0 content-1=34 etag=0 csum=1 done=1 closed=0
sync-1(len=34 note=0 err=0) buf-1(sz=8192 data=0 free=8192 pos=0 end=0 max=134217728)
2034-init-as: fd=23 name='ext-07cc99b0-c9cb-51f0-9177-3a3c94ddf722' feed_name='ext-root.Ext connector' http_1=1 loc=0 state=done.body_done info=1-Succ chunk=0 content-1=34 etag=0 csum=1 done=1 closed=0
sync-0(len=34 note=0 err=0) buf-0(sz=0 data=0 free=0 pos=0 end=0 max=134217728)
2034-__http_stop: fd=23 name='ext-07cc99b0-c9cb-51f0-9177-3a3c94ddf722' feed_name='ext-root.Ext connector' http_1=1 loc=0 state=done.body_done info=1-Succ chunk=0 content-1=34 etag=0 csum=1 done=1 closed=0
sync-0(len=34 note=0 err=0) buf-0(sz=0 data=0 free=0 pos=0 end=0 max=134217728)
__http_stop()-770: Close http connect: __http_recv_handle_body_done
__http_stop()-772: fos_epoll_del(23)
2034-__http_rxtx: fd=-1 name='ext-07cc99b0-c9cb-51f0-9177-3a3c94ddf722' feed_name='ext-root.Ext connector' http_1=0 loc=0 state=done.body_done info=1-Succ chunk=0 content-1=34 etag=0 csum=1 done=1 closed=0
sync-0(len=34 note=0 err=0) buf-0(sz=0 data=0 free=0 pos=0 end=0 max=134217728)
fcron_epoll_after_handle()-277: AFTER READ ret 0

 

After the update process has completed, the statistics of the external resource reflect the change:

 

FGT # diagnose sys external-resource stats
name: Ext connector; uuid_idx: 15846; type: address table; update_method: feed; total lines: 4; valid lines: 4; error lines: 0; used: yes; buildable: 4; total in count file: 4; ranges: 0;

 

The files that store the IP address list also show the new modification time:

 

FGT # fnsysctl ls -la /var/log/external
drwx------ 2 0 0 Mon Dec 1 17:43:20 2025 4096 .
drwxr-xr-x 16 0 0 Mon Dec 1 17:17:02 2025 4096 ..
-rw-r--r-- 1 0 0 Mon Dec 1 17:43:20 2025 34 ext-07cc99b0-c9cb-51f0-9177-3a3c94ddf722
-rw-r--r-- 1 0 0 Mon Dec 1 17:43:20 2025 12 ext-07cc99b0-c9cb-51f0-9177-3a3c94ddf722.count
-rw-r--r-- 1 0 0 Mon Dec 1 17:43:20 2025 33 ext-07cc99b0-c9cb-51f0-9177-3a3c94ddf722.csum
-rw-r--r-- 1 0 0 Mon Dec 1 17:43:20 2025 19 ext-07cc99b0-c9cb-51f0-9177-3a3c94ddf722.etag
-rw-r--r-- 1 0 0 Mon Dec 1 17:43:20 2025 8 ext-07cc99b0-c9cb-51f0-9177-3a3c94ddf722.stats

 

It takes approximately 60 seconds for the latest list to appear in the CLI output. During this interval, the existing threat feed list is not overwritten or emptied, and traffic continues to be controlled based on it:

 

FGT # diagnose sys external-address-resource list "Ext connector"
IPv4 ranges of uuid-idx 15846 (num=3)
1.1.1.1-1.1.1.1
2.2.2.2-2.2.2.2
3.3.3.3-3.3.3.3

 

After 60 seconds:

 

FGT # diagnose sys external-address-resource list "Ext connector"
IPv4 ranges of uuid-idx 15846 (num=4)
1.1.1.1-1.1.1.1
2.2.2.2-2.2.2.2
3.3.3.3-3.3.3.3
4.4.4.4-4.4.4.4 <----- New record being updated.
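
The following is an added example, not part of the original article and not a Fortinet tool: a small Python parser that reads captured forticron debug output and `diagnose sys external-resource stats` lines, then reports whether the update succeeded and how the entry count changed. The function and variable names are this example's own, and the embedded sample lines are copied from the output shown above.

```python
import re

# Lines copied from the forticron debug and stats output shown in this article.
DEBUG_LOG = """\
ext_csum_write()-931: ext-07cc99b0-c9cb-51f0-9177-3a3c94ddf722: csum='f9213ed540aafb65633b565f8b79c98c'
ext_update_result()-333: HTTP result=0: Succ
ext_entry_count_write()-345: 07cc99b0-c9cb-51f0-9177-3a3c94ddf722: wrote 4 entries to file
ext_http_etag_write()-867: ext-07cc99b0-c9cb-51f0-9177-3a3c94ddf722: etag='"3128fd32d63dc1:0"'
ext_file_sync()-1315: update done: tag=1
"""
STATS_BEFORE = "name: Ext connector; uuid_idx: 15846; type: address table; update_method: feed; total lines: 3; valid lines: 3; error lines: 0; used: yes; buildable: 3; total in count file: 3; ranges: 0;"
STATS_AFTER = "name: Ext connector; uuid_idx: 15846; type: address table; update_method: feed; total lines: 4; valid lines: 4; error lines: 0; used: yes; buildable: 4; total in count file: 4; ranges: 0;"

# One pattern per debug line of interest (FIELDS and DONE are this example's own names).
FIELDS = {
    "csum": re.compile(r"ext_csum_write\(\)-\d+: ext-[0-9a-f-]{36}: csum='([0-9a-f]+)'"),
    "result": re.compile(r"ext_update_result\(\)-\d+: HTTP result=(-?\d+):"),
    "entries": re.compile(r"ext_entry_count_write\(\)-\d+: [0-9a-f-]{36}: wrote (\d+) entries"),
    "etag": re.compile(r"ext_http_etag_write\(\)-\d+: ext-[0-9a-f-]{36}: etag='(.*)'"),
}
DONE = re.compile(r"ext_file_sync\(\)-\d+: update done")

def parse_updates(log):
    """Return one dict per completed update (closed by an 'update done' line)."""
    updates, cur = [], {}
    for line in log.splitlines():
        for key, rx in FIELDS.items():
            if m := rx.search(line):
                cur[key] = m.group(1)
        if DONE.search(line) and cur:
            updates.append(cur)
            cur = {}
    return updates

def parse_stats(line):
    """Turn a 'key: value; key: value;' stats line into a dict of strings."""
    return dict(p.strip().split(": ", 1) for p in line.split(";") if ": " in p)

def audit(update, before, after):
    """Compare one parsed update with stats captured before and after it."""
    delta = int(after["valid lines"]) - int(before["valid lines"])
    checks = [
        # The successful update in the article logs "HTTP result=0: Succ".
        (update.get("result") != "0", "HTTP fetch did not succeed"),
        (int(after["error lines"]) > 0, "stats report error lines"),
        (update.get("entries") != after["valid lines"], "debug entry count differs from stats"),
        (delta != 0, f"entry count changed by {delta:+d}"),
    ]
    return [msg for failed, msg in checks if failed]
```

Calling `audit(parse_updates(DEBUG_LOG)[0], parse_stats(STATS_BEFORE), parse_stats(STATS_AFTER))` on the sample data returns the single finding for the added record.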
