FortiGate
sbabu
Staff
Article Id 353287
Description

 

This article describes how to troubleshoot a connectivity issue with an external threat feed server.

 

Scope

 

FortiGate.

 

Solution

 

  1. Check the connectivity of the external threat feed server from the FortiGate firewall. 

exec ping-options source 199.x.x.100

exec ping 212.x.x.100

PING 199.x.x.100 from 212.x.x.100 : 56 data bytes
64 bytes from 212.x.x.100: icmp_seq=1 ttl=128 time=2.54 ms
64 bytes from 212.x.x.100: icmp_seq=2 ttl=128 time=1.30 ms

 

Here, 199.x.x.100 is the public IP address of the FortiGate interface and 212.x.x.100 is the IP address of the server where the threat feed is configured.

 

  2. If the external server is reachable but connectivity issues persist, run the sniffer to check whether any error is received from the server.

dia sniffer packet any "host 199.x.x.100 and host 212.x.x.100"  6 0 a

 

Run the sniffer until the error is received in the GUI, and then convert the capture to PCAP to check the communication errors.

 

IPv6 HTTP flow.png

 

FortiGate initially sends an HTTP GET request using HTTP/1.1. If the server does not accept it, the firewall sends another request using HTTP/1.0, and the connection is shown as failed.

 

Debug commands: 

 

diagnose debug reset

diagnose debug enable

diagnose debug application forticron 0xf0
diagnose debug console timestamp enable
diagnose debug enable

 

To stop the debug processes, run the following command:

 

diagnose debug reset

diagnose debug disable

 

Or:

 

diagnose debug reset

diagnose debug enable

diagnose debug application forticron -1
diagnose debug console timestamp enable
diagnose debug enable

 

To stop the debug processes, run the following command:

 

diagnose debug reset

diagnose debug disable

 

As shown in the sniffer capture above, the server does not accept the request from the FortiGate firewall. As a result, check the server for how it handles this threat feed request.
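
To check from a test host how the feed server answers each HTTP version described above, the following added example (not part of the original article and not a Fortinet tool) sends the same GET as HTTP/1.1 and then HTTP/1.0 and reports the status line returned. It assumes a plain-HTTP feed; the host, port, path and `User-Agent` value are placeholders supplied by the operator.

```python
import socket
import sys


def build_request(host, path, version):
    """Build a minimal GET for the feed URL in the given HTTP version."""
    lines = [f"GET {path} HTTP/{version}", f"Host: {host}",
             "User-Agent: feed-probe", "Accept: */*", "Connection: close"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_status(raw):
    """Return (version, code, reason) from a raw reply, or None if not HTTP."""
    parts = raw.split(b"\r\n", 1)[0].decode("latin-1").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdecimal():
        return None
    return parts[0][5:], int(parts[1]), parts[2] if len(parts) > 2 else ""


def describe(version, status):
    """One-line verdict for the request sent with this HTTP version."""
    if status is None:
        return f"HTTP/{version}: no HTTP status line received"
    _, code, reason = status
    verdict = "accepted" if 200 <= code < 300 else "not accepted"
    return f"HTTP/{version}: {code} {reason} ({verdict})"


def probe(host, port, path, version, timeout=5.0):
    """Send one GET over plain TCP and describe the server's answer."""
    raw = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_request(host, path, version))
            while b"\r\n" not in raw:  # only the status line is needed
                chunk = s.recv(4096)
                if not chunk:
                    break
                raw += chunk
    except OSError as exc:
        return f"HTTP/{version}: connection error ({exc})"
    return describe(version, parse_status(raw))


if __name__ == "__main__":
    # Placeholder arguments: feed host, port and path of the feed file.
    host, port, path = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    for ver in ("1.1", "1.0"):  # same order the article describes
        print(probe(host, port, path, ver))
```

A server that answers the HTTP/1.0 request but not the HTTP/1.1 one (or neither) points to the server-side handling that needs to be corrected.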

After identifying the issue, the successful communication between FortiGate and the threat feed server should be as follows:

 

Threat feed.png