This article explains how to troubleshoot a connectivity issue with an external threat feed server.
FortiGate
exec ping-options source 199.x.x.100
exec ping 212.x.x.100
PING 199.x.x.100 from 212.x.x.100 : 56 data bytes
64 bytes from 212.x.x.100: icmp_seq=1 ttl=128 time=2.54 ms
64 bytes from 212.x.x.100: icmp_seq=2 ttl=128 time=1.30 ms
dia sniffer packet any "host 199.x.x.100 and host 212.x.x.100" 6 0 a
Run the sniffer until the error is received in the GUI, and then convert the capture to PCAP to check the communication errors.
FortiGate initially sends an HTTP GET request using HTTP/1.1. If the server does not accept it, the firewall sends another request using HTTP/1.0, and the feed is shown as having failed.
Debug commands:
diag debug app forticron 0xf0
diag debug console timestamp enable
diag debug enable
As shown in the sniffer output above, the server does not accept the request from the FortiGate firewall. As a result, check on the server side how it handles this threat feed request.
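To check from a workstation how the feed server answers each HTTP version, the sequence described above (HTTP/1.1 first, then HTTP/1.0) can be reproduced with a small probe. This is an added example, not Fortinet code: the function names, the /feed.txt path and the stub server are hypothetical, and it assumes a plain-HTTP feed with minimal request headers rather than FortiGate's exact request.

```python
import socket
import threading

def probe(host, port, path, version, timeout=5.0):
    """Send one GET with the given HTTP version; return the status code, or None."""
    # Assumption: minimal headers over plain HTTP, not FortiGate's exact request.
    req = f"GET {path} HTTP/{version}\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req.encode("ascii"))
            while b"\r\n" not in data:          # read until the status line is complete
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None                             # refused, reset or timed out
    parts = data.split(b"\r\n", 1)[0].split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None                                 # closed without a valid status line

def check_feed(host, port, path):
    """Try HTTP/1.1 first; try HTTP/1.0 only if 1.1 was not answered with 200."""
    results = {"1.1": probe(host, port, path, "1.1")}
    if results["1.1"] != 200:
        results["1.0"] = probe(host, port, path, "1.0")
    return results

def start_stub(accepted_versions):
    """Constructed stand-in for a feed server; returns its localhost port."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                buf = b""
                while b"\r\n\r\n" not in buf:   # read the full request header
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    buf += chunk
                line = buf.split(b"\r\n", 1)[0].decode("ascii", "replace")
                ok = any(line.endswith("HTTP/" + v) for v in accepted_versions)
                status = b"200 OK" if ok else b"400 Bad Request"
                conn.sendall(b"HTTP/1.0 " + status + b"\r\nContent-Length: 0\r\n\r\n")
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Calling check_feed("127.0.0.1", start_stub(["1.0"]), "/feed.txt") exercises the probe against the stub; against a real feed server, a result with no 200 for either version points to the server side, as in the capture above.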
After identifying the issue, the successful communication between FortiGate and the threat feed server should be as follows:
Copyright 2024 Fortinet, Inc. All Rights Reserved.