FortiGate
kdawd
Staff
Article Id 381045
Description

 

This article describes how to resolve invalid entries seen in Threat Feeds on the FortiGate. The invalid entries are incorrectly formatted and do not exist in the original file.

 

Scope

 

FortiGate.

 

Solution

 

This issue occurs when the Threat Feed is configured in different VDOMs with duplicate UUIDs. Multiple feeds can then try to write to the same file at the same time, which produces the incorrect entries.

 

config system external-resource
       edit "Malicious-IPs"
           set uuid 262745ea-51ae-76rt-f67r-4ef3498eb96f    <----- Same UUID configured in multiple VDOMs.
           set type address
           set resource "https://filestore.fortinet.com/fortiguard/dnr_lnr_ip.list"
           set user-agent "curl/7.58.0"
           set refresh-rate 15
       next

 

To resolve this, the duplicate UUID needs to be removed. This can be done with either of the methods below:

  1. Download a configuration file from the FortiGate, manually remove the problematic UUIDs configured under 'config system external-resource', and then restore that file to the FortiGate. This requires the FortiGate to be restarted. This is the recommended method, as it allows the FortiGate to automatically generate new unique UUIDs for all external resource objects.
  2. If the FortiGate cannot be restarted, the following method can be used:

 

  • Use the following command to generate a UUID:


FortiGate# diagnose sys uuid generate

 

  • Allow manual setting of UUID with the following command:


FortiGate# diagnose sys uuid allow-manual-set enable

 

  • Copy the UUID generated by 'diagnose sys uuid generate' and set it under the external resource:


FortiGate# config system external-resource
FortiGate(external-resource)# edit Malicious-IPs
FortiGate(Malicious-IPs)# set uuid xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx    <----- UUID generated by 'diagnose sys uuid generate'.
FortiGate(Malicious-IPs)# end

 

  • Reload external resources with the following command:


FortiGate# diagnose test application forticron 8

 

  • Repeat the above steps for each duplicate UUID.
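
Before editing a downloaded configuration file or regenerating UUIDs one by one, it helps to know exactly which external resources share a UUID. The following Python script is an added example, not Fortinet's tooling: it scans a backup for 'config system external-resource' entries and lists each UUID used more than once, with the VDOM and feed name. The multi-VDOM backup layout ('config vdom' / 'edit <vdom>' blocks) and all sample values are constructed assumptions.

```python
import re

# Constructed sample backup: the multi-VDOM layout and every value are assumptions.
SAMPLE_CONFIG = '''\
config vdom
edit root
config system external-resource
    edit "Malicious-IPs"
        set uuid 11111111-aaaa-bbbb-cccc-000000000001
    next
    edit "Blocked-Domains"
        set uuid 11111111-aaaa-bbbb-cccc-000000000002
    next
end
end
config vdom
edit VDOM-A
config system external-resource
    edit "Malicious-IPs"
        set uuid 11111111-aaaa-bbbb-cccc-000000000001
    next
end
end
'''

def external_resource_uuids(config_text):
    """Yield (vdom, feed_name, uuid) for every external-resource entry."""
    stack = []  # currently open blocks as (keyword, name)
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'(config|edit)\s+(.+)$', line)
        if m:
            stack.append((m.group(1), m.group(2).strip('"')))
        elif line == 'next' and stack and stack[-1][0] == 'edit':
            stack.pop()
        elif line == 'end':  # closes the nearest config and any edit still open in it
            while stack and stack.pop()[0] != 'config': pass
        elif line.startswith('set uuid ') and stack[-2:-1] == [('config', 'system external-resource')]:
            vdom = stack[1][1] if stack[0] == ('config', 'vdom') else '(no vdom)'
            yield vdom, stack[-1][1], line.split()[2]

def duplicate_uuids(config_text):
    """Return {uuid: [(vdom, feed_name), ...]} for UUIDs used more than once."""
    seen = {}
    for vdom, name, uuid in external_resource_uuids(config_text):
        seen.setdefault(uuid, []).append((vdom, name))
    return {u: refs for u, refs in seen.items() if len(refs) > 1}

if __name__ == '__main__':
    print(duplicate_uuids(SAMPLE_CONFIG))
```

To check a real backup, pass the text of the downloaded configuration file to `duplicate_uuids()`; the script only reads the file and changes nothing on the FortiGate.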