asrour
Staff
Article Id 286529
Description

 

This article describes how to create a threat feed connector from FortiManager in the Global VDOM in FortiGate.

 

Scope

 

FortiManager v7.0.10 and above, FortiGate with VDOMs enabled.

 

Solution

 

Using Threat Feeds in FortiGate's Multi-VDOM Mode.

When multi-VDOM mode is enabled on FortiGate, threat feeds can be set up either globally or for specific VDOMs. Global threat feeds can be used in all VDOMs but cannot be edited within a specific VDOM. Moreover, external resources defined in global threat feeds are updated via the management VDOM (the root VDOM by default). Therefore, when globally defined threat feeds are used, the individual VDOMs do not need to be able to reach the external resources to update them.

 

In FortiManager, threat feeds are in the Policy & Objects section. A threat feed created in FortiManager is pushed to FortiGate when the Policy Package is installed to the specified VDOM.

 

Any threat feed whose name starts with 'g-' is a global threat feed and can be used across the VDOMs on FortiGate. It is not tied to a specific VDOM or policy, and even if all policies using the global threat feed are removed, the threat feed will still be available under the Global VDOM.

 

To Create the Threat Feed in FortiManager:

Log in to FortiManager -> choose Fabric View Pane -> Connectors -> Create New -> Scroll down to threat feeds.

 


 

The name should start with 'g-'.

 

Threat feed connectors can also be created under Policy & Objects -> Security Fabric -> Threat Feeds (Security Fabric and Threat Feeds must first be enabled under Tools -> Feature Visibility).

 

After it is created, use it in a policy (in any VDOM).

 

After the policy was pushed to the root VDOM, the threat feed was created in both the Global and Root VDOMs.

 

If the threat feed connectors were created directly on the FortiGate, they can be imported into FortiManager for use under 'Policy & Objects' by performing the following tasks:

  • Run a 'Retrieve Config'.
  • Run an 'Import Configuration'.

Alternatively, the threat feed connectors can be imported by creating a CLI script (using the threat feed connectors' CLI configuration from the FortiGate) and running it on 'Policy Package or ADOM Database'.

 

After that, the threat feed connectors will be available under Policy & Objects -> Security Fabric -> Threat Feeds and also under Fabric View.
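Before importing connectors that were created directly on the FortiGate, it helps to know which of them are global and which are VDOM-scoped. The following is an added example, not Fortinet's code: it parses a `config system external-resource` block (as printed by `show system external-resource` on the FortiGate) and applies the 'g-' naming rule described above. The feed names and URLs in the sample are constructed.

```python
import re

# Constructed sample modelled on "show system external-resource" output;
# the feed names and URLs are made up for illustration.
SAMPLE_CONFIG = '''\
config system external-resource
    edit "g-ip-blocklist"
        set type address
        set resource "https://feeds.example.com/ip-blocklist.txt"
        set refresh-rate 15
    next
    edit "branch-domains"
        set type domain
        set resource "https://feeds.example.com/domains.txt"
    next
end
'''

def parse_external_resources(text):
    """Return {feed name: {setting: value}} from the external-resource block."""
    feeds, current, in_block = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config system external-resource":
            in_block = True
        elif not in_block:
            continue                      # ignore unrelated config sections
        elif line == "end":
            in_block = False
        elif m := re.fullmatch(r'edit "?([^"]+)"?', line):
            current = feeds.setdefault(m.group(1), {})
        elif line == "next":
            current = None
        elif current is not None and (m := re.fullmatch(r'set (\S+) "?(.*?)"?', line)):
            current[m.group(1)] = m.group(2)
    return feeds

def split_by_scope(feeds):
    """Names starting with 'g-' are global threat feeds; the rest are VDOM-scoped."""
    global_feeds = sorted(n for n in feeds if n.startswith("g-"))
    vdom_feeds = sorted(n for n in feeds if not n.startswith("g-"))
    return global_feeds, vdom_feeds

if __name__ == "__main__":
    g, v = split_by_scope(parse_external_resources(SAMPLE_CONFIG))
    print("global (usable in every VDOM):", g)
    print("VDOM-scoped:", v)
```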

 
