FortiGate
aionescu, Staff
Article Id 421802
Description
This article illustrates FortiGate behavior when the threat feed list is empty. In some scenarios, a configured external threat feed is edited by mistake and its IP addresses are deleted.
Scope
FortiGate.
Solution

To configure the threat feed list, refer to the following document: Threat feeds

For this example, a custom threat feed was configured. It has one IP configured: 8.8.8.8.

diagnose sys external-address-resource list TEST
IPv4 ranges of uuid-idx 15749 (num=1)
8.8.8.8-8.8.8.8

Two test policies were configured: policy 2, which blocks traffic whose destination matches the threat feed (8.8.8.8 in this case), and policy 3, which allows all traffic. Note that policy 2 has no explicit action, so it uses the default action, deny:

config firewall policy
    edit 2
        set name "PC-GOOGLE"
        set uuid 3ec5c0e2-d11c-51f0-a6c5-4cff606acb56
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "TEST"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

HUB2 # sh firewall policy 3
config firewall policy
    edit 3
        set name "PC-INTERNET"
        set uuid 5431f176-d11c-51f0-8ccb-9bb485c4273a
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end

To test the behavior, traffic towards 8.8.8.8 was generated from a host PC connected to the firewall. Because the traffic matches 8.8.8.8 and policy 2 uses the default action, deny, the traffic is dropped:

id=65308 trace_id=1 func=print_pkt_detail line=5872 msg="vd-root:0 received a packet(proto=1, 10.65.10.32:43->8.8.8.8:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=43, seq=4362."
id=65308 trace_id=1 func=init_ip_session_common line=6057 msg="allocate a new session-00abddb3"
id=65308 trace_id=1 func=__vf_ip_route_input_rcu line=1991 msg="find a route: flag=00000000 gw-10.5.255.254 via port1"
id=65308 trace_id=1 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=35, len=3"
id=65308 trace_id=1 func=fw_forward_handler line=837 msg="Denied by forward policy check (policy 2)"

As the next step, the threat feed was edited and the 8.8.8.8 IP address was removed. The same diagnose command now returns no ranges:

diagnose sys external-address-resource list TEST

To test the behavior, traffic towards 8.8.8.8 was again generated from a host connected to the firewall. Because the threat feed was empty, the address object "TEST" no longer matched the destination, so policy 2 was skipped; the traffic matched firewall policy 3 instead and was allowed:

HUB2 # id=65308 trace_id=1 func=print_pkt_detail line=5872 msg="vd-root:0 received a packet(proto=1, 10.65.10.32:43->8.8.8.8:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=43, seq=4366."
id=65308 trace_id=1 func=init_ip_session_common line=6057 msg="allocate a new session-0000051f"
id=65308 trace_id=1 func=__vf_ip_route_input_rcu line=1991 msg="find a route: flag=00000000 gw-10.5.255.254 via port1"
id=65308 trace_id=1 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=35, len=3"
id=65308 trace_id=1 func=get_new_addr line=1213 msg="find SNAT: IP-10.5.209.19(from IPPOOL), port-60460"
id=65308 trace_id=1 func=fw_forward_handler line=990 msg="Allowed by Policy-3: SNAT"
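The behavior above means a deny policy built on a threat feed silently fails open when the feed becomes empty. The following script, added here as an example and not part of the article or Fortinet's tooling, parses the output of "diagnose sys external-address-resource list <name>" (format assumed from the captures above) and reports feeds that are empty or that no longer cover an IP a block policy is expected to catch.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Header and range lines as seen in the diagnose output on this page (assumed format).
HEADER_RE = re.compile(r"IPv4 ranges of uuid-idx (\d+) \(num=(\d+)\)")
RANGE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$")


@dataclass
class FeedState:
    name: str
    declared: int = 0          # num=N from the header; stays 0 when the output is empty
    ranges: list = field(default_factory=list)

    @property
    def is_empty(self):
        return not self.ranges

    def covers(self, ip):
        """True if ip falls inside any range the feed currently resolves to."""
        addr = ipaddress.IPv4Address(ip)
        return any(lo <= addr <= hi for lo, hi in self.ranges)


def parse_feed_output(name, text):
    """Parse 'diagnose sys external-address-resource list <name>' output into a FeedState."""
    state = FeedState(name)
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            state.declared = int(m.group(2))
            continue
        m = RANGE_RE.match(line)
        if m:
            state.ranges.append((ipaddress.IPv4Address(m.group(1)),
                                 ipaddress.IPv4Address(m.group(2))))
    return state


def fail_open_feeds(feeds, probe_ip):
    """Names of feeds that are empty or do not cover probe_ip.

    A deny policy whose dstaddr is such a feed will be skipped for probe_ip,
    leaving the next matching (typically permissive) policy to decide."""
    return sorted(f.name for f in feeds if f.is_empty or not f.covers(probe_ip))


# Constructed samples mirroring the two captures in the article.
POPULATED = "IPv4 ranges of uuid-idx 15749 (num=1)\n8.8.8.8-8.8.8.8\n"
EMPTY = ""
```

Run it periodically (or from a monitoring job) against the diagnose output for each feed-based block policy and alert on any feed returned by fail_open_feeds.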