FortiGate
Article Id 207607
Description This article describes how to troubleshoot STIX issues on FortiGate.
Scope FortiGate v7.0.2 and later.
Solution

STIX format support for external threat feeds was added in v7.0.2.

Configuration of the STIX external threat feed connector is described in the following article: STIX format for external threat feeds 7.0.2

  • FortiGate supports STIX v2.0 and v2.1, so the server must be compatible with one of those versions.
  • FortiGate supports TAXII 2.0 pagination, but not TAXII 2.1 pagination.

If the STIX connector shows a connection status of 'other error' or any other error, run the following commands on the FortiGate to debug the connection status:

In v7.0:

diagnose debug app forticron 960

diagnose debug console timestamp enable

diagnose debug enable

In v7.2:

diagnose debug app forticron 0xf00

diagnose debug console timestamp enable

diagnose debug enable

If necessary, filtered IPS debugs can also be run alongside the FortiCron debugs above; see:

Troubleshooting Tip: IPS engine new debug commands

Warning:

Avoid running IPS debugs without filters, since unfiltered IPS debugs can noticeably disrupt traffic.

Below is a snippet of a successful STIX connection with FortiCron and IPS debugs enabled:

ext_init_http()-1931: category-taxii -- URI stix://limo.anomali.com/api/v1/taxii2/feeds/collections/200/objects/
ext_init_http()-1967: New HTTP ctx: host=limo.anomali.com port=443 path=/api/v1/taxii2/feeds/collections/200/objects/

FortiGate then sends an HTTP GET request to retrieve the addresses:

GET /api/v1/taxii2/feeds/collections/200/objects/ HTTP/1.1
Host: limo.anomali.com
User-Agent: curl/7.58.0
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Accept: application/vnd.oasis.stix+json; version=2.0
Connection: close

Below is the response received from the TAXII/STIX server:

HTTP/1.1 206 PARTIAL CONTENT
Date: Sat, 05 Mar 2022 00:51:51 GMT
Content-Type: application/vnd.oasis.stix+json; version=2.0
Transfer-Encoding: chunked
Connection: close
X-TAXII-Date-Added-First: 2019-09-25T20:40:56.387Z
Accept-Ranges: items
Vary: Accept, Cookie
Content-Range: items 0-10/11
X-TAXII-Date-Added-Last: 2019-11-18T16:38:52.980Z
X-Kong-Upstream-Latency: 273
X-Kong-Proxy-Latency: 0
Via: kong/0.10.1

Once the addresses are updated on the FortiGate, a success message ('Succ') appears in the debugs:

sync-1(len=7052 note=0 err=0) buf-1(sz=8192 data=0 free=8192 pos=0 end=0 max=10485760)
ext_csum_write()-839: ext-root.category-taxii: csum='b2c66509369542804106ab92fa955072'
ext_update_result()-226: HTTP result=0: Succ
ext_http_etag_remove()-789: ext-root.category-taxii: remove etag
ext_file_sync()-1047: update done: len=192 tag=0

The FortiGate STIX connector supports the following address types:

category <----- FortiGuard category.
address <----- Firewall IP address.
domain <----- Domain Name.
malware <----- Malware hash.

Configure the correct address type using the commands below:

config system external-resource
    edit <Name of the STIX connector>
        set type address     <----- Choose one of the types listed above: category, address, domain or malware.
    next
end

The FortiGate implementation of STIX limits strings to 2048 characters. When an object exceeds this 2048-character limit, the debugs may show '__http_recv_handle_error() JSON parsing error: -101'.
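As an added example that is not part of this article or of Fortinet's code, the following Python script pre-checks one page of a TAXII 2.0 collection before pointing a FortiGate at the feed: it reads the 'items start-end/total' Content-Range header shown in the debug output above to decide whether more pages follow, maps each indicator pattern to the address, domain or malware type listed above, and flags any string value longer than 2048 characters, the limit behind the JSON parsing error -101. The sample bundle, the header and the pattern-to-type mapping are constructed assumptions, and the script assumes the limit applies to individual string values.

```python
import re
MAX_STRING = 2048  # FortiGate STIX string size limit quoted in the article

# Assumed mapping from STIX pattern object paths to FortiGate external-resource types
PATTERN_TYPES = {
    "ipv4-addr:value": "address",
    "domain-name:value": "domain",
    "file:hashes.": "malware",
}

# Constructed sample: a STIX 2.0 bundle with three supported indicators and one
# whose pattern exceeds MAX_STRING, plus the TAXII 2.0 Content-Range header.
SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--00000000-0000-0000-0000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--1", "pattern": "[ipv4-addr:value = '198.51.100.7']"},
        {"type": "indicator", "id": "indicator--2", "pattern": "[domain-name:value = 'bad.example']"},
        {"type": "indicator", "id": "indicator--3", "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']"},
        {"type": "indicator", "id": "indicator--4", "pattern": "[url:value = 'http://" + "x" * 2100 + "/']"},
    ],
}
SAMPLE_HEADERS = {"Content-Range": "items 0-3/4"}

def parse_content_range(value):
    """Parse a TAXII 2.0 'items <start>-<end>/<total>' header into (start, end, total)."""
    m = re.fullmatch(r"items (\d+)-(\d+)/(\d+)", value.strip())
    if not m:
        raise ValueError("unexpected Content-Range: %r" % value)
    return tuple(int(x) for x in m.groups())

def fortigate_type(pattern):
    """Return the FortiGate type an indicator pattern maps to, or 'unsupported'."""
    for prefix, fg_type in PATTERN_TYPES.items():
        if prefix in pattern:
            return fg_type
    return "unsupported"

def triage(bundle, headers):
    """Summarise one TAXII page: pagination state, indicator types, oversized strings."""
    _, end, total = parse_content_range(headers["Content-Range"])
    report = {"more_pages": end + 1 < total, "by_type": {}, "too_long": []}
    for obj in bundle["objects"]:
        # Any string value over MAX_STRING would trigger FortiGate's JSON parsing error -101
        for field, value in obj.items():
            if isinstance(value, str) and len(value) > MAX_STRING:
                report["too_long"].append((obj["id"], field, len(value)))
        if obj.get("type") == "indicator":
            t = fortigate_type(obj["pattern"])
            report["by_type"][t] = report["by_type"].get(t, 0) + 1
    return report
```

Run triage() on each page fetched from the collection's objects endpoint; any entry in 'too_long' identifies the object to shorten or drop before FortiGate tries to parse the feed.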