Created on 03-27-2022 03:57 AM Edited on 03-18-2024 10:39 PM By Jean-Philippe_P
Description | This article describes how to troubleshoot STIX issues on FortiGate. |
Scope | FortiOS 7.0.2 and later. |
Solution |
Support for STIX-format external threat feeds was added in FortiOS 7.0.2.
Configuration of the STIX external threat feed connector is described in the following document:
STIX format for external threat feeds 7.0.2
FortiGate supports STIX v2.0 and v2.1, so the TAXII server must serve the feed in one of those versions.
If the STIX connector shows a connection status of 'other error' or any other error, run the following commands on the FortiGate to debug the connection status:
In FortiOS 7.0:
diag debug app forticron 960
diag debug console timestamp enable
diag debug enable
In FortiOS 7.2:
diag debug app forticron 0xf00
diag debug console timestamp enable
diag debug enable
If needed, the following IPS debug can also be run alongside the forticron debugs above:
diagnose ips debug enable all
Below is a snippet of a successful STIX connection with the forticron and IPS debugs enabled:
ext_init_http()-1931: category-taxii -- URI stix://limo.anomali.com/api/v1/taxii2/feeds/collections/200/objects/
FortiGate then issues an HTTP GET to the collection's objects endpoint to retrieve the addresses:
GET /api/v1/taxii2/feeds/collections/200/objects/ HTTP/1.1
Below is the message received from the TAXII/STIX server:
Once the addresses have been updated on the FortiGate, a success message appears in the debugs:
sync-1(len=7052 note=0 err=0) buf-1(sz=8192 data=0 free=8192 pos=0 end=0 max=10485760)
Furthermore, STIX supports the following types of address formats:
category <----- FortiGuard category.
Configure the correct address format type with the commands below:
config system external-resource
end
The FortiGate implementation of STIX has a string size limit of 2048 characters. When a string in an object exceeds the 2048-character limit, the connector may fail with '__http_recv_handle_error() JSON parsing error: -101'. |
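As an added example (not from this article or from Fortinet), the following Python pre-flight check parses the objects a TAXII 2.x `.../objects/` endpoint returns (a constructed sample body is embedded inline) and reports what the article says FortiGate rejects: spec versions other than 2.0/2.1 and any string longer than 2048 characters, the condition behind the '-101' JSON parsing error. The 2048 limit and the error code come from the article; the JSON field names follow the STIX 2.x specification.

```python
import json

MAX_STRING_LEN = 2048                 # FortiGate limit stated in the article
SUPPORTED_VERSIONS = {"2.0", "2.1"}   # STIX versions FortiGate accepts


def _walk_strings(value, path=""):
    """Yield (json_path, string) for every string nested inside a parsed JSON value."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, item in value.items():
            yield from _walk_strings(item, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for idx, item in enumerate(value):
            yield from _walk_strings(item, f"{path}[{idx}]")


def check_feed(envelope):
    """Return [(object_id, reason)] for every object FortiGate would reject."""
    findings = []
    for obj in envelope.get("objects", []):
        oid = obj.get("id", "<no id>")
        # STIX 2.1 objects carry their own spec_version; a 2.0 bundle carries
        # one for all of its objects, so fall back to the envelope's value.
        version = obj.get("spec_version", envelope.get("spec_version"))
        if version not in SUPPORTED_VERSIONS:
            findings.append((oid, f"unsupported spec_version {version!r}"))
        for path, text in _walk_strings(obj):
            if len(text) > MAX_STRING_LEN:
                findings.append((oid, f"{path} is {len(text)} chars (> {MAX_STRING_LEN})"))
    return findings


# Constructed sample response body: one indicator FortiGate accepts and one
# whose pattern (80 OR-ed domain comparisons) is far beyond 2048 characters.
LONG_PATTERN = " OR ".join(f"[domain-name:value = 'host{i}.example']" for i in range(80))
SAMPLE_BODY = json.dumps({"objects": [
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--00000000-0000-4000-8000-000000000001",
     "pattern_type": "stix", "pattern": "[ipv4-addr:value = '192.0.2.10']"},
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--00000000-0000-4000-8000-000000000002",
     "pattern_type": "stix", "pattern": LONG_PATTERN},
]})


def check_sample():
    """Run the check over the constructed sample body (a real run would use the HTTP response body)."""
    return check_feed(json.loads(SAMPLE_BODY))
```

Calling check_sample() flags only the second indicator, naming the oversized field and its length, so the object can be split or trimmed on the feed side before FortiGate polls it.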
Copyright 2024 Fortinet, Inc. All Rights Reserved.