FortiGate
pkavin (Staff)
Article Id 207607
Description This article describes how to troubleshoot STIX issues on FortiGate.
Scope FortiOS 7.0.2 and later.
Solution

Support for STIX-format external threat feeds was added in FortiOS 7.0.2.

Configuration of the STIX external threat feed connector is described in the following document:

STIX format for external threat feeds 7.0.2

FortiGate supports STIX v2.0 and v2.1, so the TAXII server should be compatible with one of those versions.

If the STIX connector shows the connection status as 'other error' or any other error, run the commands below on the FortiGate to debug the connection status:

In FortiOS 7.0:

diag debug app forticron 960
diag debug console timestamp enable
diag debug enable

In FortiOS 7.2:

diag debug app forticron 0xf00
diag debug console timestamp enable
diag debug enable

If needed, the following IPS debugs can also be run along with the Forticron debugs mentioned above:

diagnose ips debug enable all
diagnose debug enable

Below is a snippet of the debug output of a successful STIX connection with the Forticron and IPS debugs enabled:

ext_init_http()-1931: category-taxii -- URI stix://limo.anomali.com/api/v1/taxii2/feeds/collections/200/objects/
ext_init_http()-1967: New HTTP ctx: host=limo.anomali.com port=443 path=/api/v1/taxii2/feeds/collections/200/objects/

FortiGate then performs an HTTP GET request to retrieve the addresses:

GET /api/v1/taxii2/feeds/collections/200/objects/ HTTP/1.1
Host: limo.anomali.com
User-Agent: curl/7.58.0
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Accept: application/vnd.oasis.stix+json; version=2.0
Connection: close

Below is the response received from the TAXII/STIX server:

HTTP/1.1 206 PARTIAL CONTENT
Date: Sat, 05 Mar 2022 00:51:51 GMT
Content-Type: application/vnd.oasis.stix+json; version=2.0
Transfer-Encoding: chunked
Connection: close
X-TAXII-Date-Added-First: 2019-09-25T20:40:56.387Z
Accept-Ranges: items
Vary: Accept, Cookie
Content-Range: items 0-10/11
X-TAXII-Date-Added-Last: 2019-11-18T16:38:52.980Z
X-Kong-Upstream-Latency: 273
X-Kong-Proxy-Latency: 0
Via: kong/0.10.1

A Success message is visible in the debugs once the addresses have been updated on the FortiGate:

sync-1(len=7052 note=0 err=0) buf-1(sz=8192 data=0 free=8192 pos=0 end=0 max=10485760)
ext_csum_write()-839: ext-root.category-taxii: csum='b2c66509369542804106ab92fa955072'
ext_update_result()-226: HTTP result=0: Succ
ext_http_etag_remove()-789: ext-root.category-taxii: remove etag
ext_file_sync()-1047: update done: len=192 tag=0

Furthermore, the STIX external resource supports the following types:

category <----- FortiGuard category.
address <----- Firewall IP address.
domain <----- Domain Name.
malware <----- Malware hash.

Configure the correct type with the commands below:

config system external-resource
    edit <Name of the STIX connector>
        set type address     <----- Choose one of the types listed above.
    next
end

The FortiGate implementation of STIX has a string size limit of 2048 characters. When an object exceeds this limit, the debug output may show '__http_recv_handle_error() JSON parsing error: -101'.
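As an added example (not part of this article or of FortiOS), the Python script below parses a STIX 2.x JSON body such as the one returned by the GET above, sorts the indicator values into the external-resource types listed earlier, and flags objects whose serialized size exceeds the 2048-character limit, so a feed can be pre-checked before it is pointed at the FortiGate. The mapping from STIX pattern types to FortiGate types and the sample bundle are assumptions constructed for illustration.

```python
import json
import re

MAX_OBJECT_CHARS = 2048  # string size limit of the FortiGate STIX connector (from the article)

# STIX pattern object type -> FortiGate "set type" value (assumed mapping, not from FortiOS docs)
PATTERN_TYPE_TO_RESOURCE = {"ipv4-addr": "address", "ipv6-addr": "address",
                            "domain-name": "domain", "url": "category",
                            "file": "malware"}

# Matches single-comparison patterns such as [ipv4-addr:value = '198.51.100.7']
PATTERN_RE = re.compile(r"\[([a-z0-9-]+):[\w.'-]+\s*=\s*'([^']*)'\]")

def check_bundle(body):
    """Parse a STIX 2.x JSON body (TAXII 2.0 bundle or 2.1 envelope) and report
    indicator values per FortiGate type, plus objects over the 2048-char limit."""
    data = json.loads(body)
    report = {"indicators": {}, "oversized": [], "unsupported": []}
    for obj in data.get("objects", []):
        if len(json.dumps(obj, separators=(",", ":"))) > MAX_OBJECT_CHARS:
            report["oversized"].append(obj["id"])  # would trip the -101 parse error
        if obj.get("type") != "indicator":
            continue
        match = PATTERN_RE.fullmatch(obj.get("pattern", ""))
        resource_type = PATTERN_TYPE_TO_RESOURCE.get(match.group(1)) if match else None
        if resource_type is None:
            report["unsupported"].append(obj["id"])  # compound or unmapped pattern
            continue
        report["indicators"].setdefault(resource_type, []).append(match.group(2))
    return report

# Constructed sample body standing in for the TAXII server response (not real feed data).
SAMPLE_BODY = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "spec_version": "2.0", "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern": "[ipv4-addr:value = '198.51.100.7']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern": "[domain-name:value = 'feed.example.net']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000005",
         "pattern": "[email-addr:value = 'spam@example.net']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000006",
         "pattern": "[ipv4-addr:value = '203.0.113.9']", "description": "x" * 2100},
    ]})

if __name__ == "__main__":
    print(json.dumps(check_bundle(SAMPLE_BODY), indent=2))
```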