FortiProxy
FortiProxy provides enterprise-class protection against internet-borne threats and Advanced Web Content Caching
ojacinto
Staff
Article Id 370219
Description This article describes a possible cause of the 'Server not reachable' error on the FortiProxy Threat Feed.
Scope FortiProxy v7.4.0 and later.
Solution

After configuring the 'Threat Feeds' on FortiProxy, the server can show the status: 'Server not reachable'.

 


Use the FortiCron debug to validate the connection:

diagnose debug reset
diagnose debug application forticron -1
diagnose debug enable

 

fcron_timer_func()-23: Timer ext_upd fired
fcron_update_ext_func()-966: update ver: 0
1554-before-init: fd=-1 name='ext-2165aed6-9649-51ef-1058-77eff3041f7a' feed_name='ext-root.192.168.13.21' http_1=0 loc=0 state=send.header info=0-Server not reachable chunk=0 content-0=0 etag=0 csum=0 done=0 closed=0
sync-0(len=0 note=0 err=0) buf-1(sz=8192 data=127 free=8065 pos=0 end=127 max=134217728)
1554-init-as: fd=-1 name='ext-2165aed6-9649-51ef-1058-77eff3041f7a' feed_name='ext-root.192.168.13.21' http_1=0 loc=0 state=send.header info=0-None chunk=0 content-0=0 etag=0 csum=0 done=0 closed=0
sync-0(len=0 note=0 err=0) buf-1(sz=8192 data=0 free=8192 pos=0 end=0 max=134217728)
http_request_make()-2292: HTTP request: https

 

GET /IoC/ExternalThreats/threats.txt HTTP/1.1
Host: 192.168.13.21
User-Agent: curl/7.58.0
Accept: */*
Connection: close  < ---


http_request_make()-2328: fcron_get_addr(192.168.13.21)
__http_resolv_cb()-2053: fos_epoll_add(28)
__update_ext()-225: Updating EXT '192.168.13.21' with HTTP
fcron_timer_func()-32: Timer ext_upd done
fcron_epoll_before_handle()-262: BEFORE READ fd 28 handle event 0x04 read 0x7486f0 epoll events 0x1c
__set_next_retry_time()-202: Next update for ext '192.168.13.21' fires in 300 seconds
ext_update_result()-309: HTTP result=1: __http_connect() tcps_connect(192.168.13.21) failed: connect() failed: 111. <---

 

To stop the debug:

 

diagnose debug reset

diagnose debug disable

 

A sniffer capture for IP 192.168.13.21 shows that the external server is resetting the connection:

 

FortiProxy-VM02 # diagnose sniffer packet any 'host 192.168.13.21 and tcp port 443' 4
interfaces=[any]
filters=[host 192.168.13.21 and tcp port 443]
4.909617 port4 out 192.168.13.99.50760 -> 192.168.13.21.443: syn 522897495
4.909924 port4 in 192.168.13.21.443 -> 192.168.13.99.50760: rst 0 ack 522897496 <-----
11.154239 port4 out 192.168.13.99.26124 -> 192.168.13.21.443: syn 259315361
11.154675 port4 in 192.168.13.21.443 -> 192.168.13.99.26124: rst 0 ack 259315362  <-----

 

In this example, the issue occurs because the web server that hosts the threat feed is down. After the web server is restored, the sniffer shows the connection completing and the connection to the External Threat Feed works:

 

FortiProxy-VM02 # diagnose sniffer packet any 'host 192.168.13.21 and tcp port 443' 4
interfaces=[any]
filters=[host 192.168.13.21 and tcp port 443]
5.084149 port4 out 192.168.13.99.20634 -> 192.168.13.21.443: syn 2324334418
5.084474 port4 in 192.168.13.21.443 -> 192.168.13.99.20634: syn 4223172794 ack 2324334419
5.084503 port4 out 192.168.13.99.20634 -> 192.168.13.21.443: ack 4223172795
5.084794 port4 out 192.168.13.99.20634 -> 192.168.13.21.443: psh 2324334419 ack 4223172795
5.085042 port4 in 192.168.13.21.443 -> 192.168.13.99.20634: ack 2324334852
5.086437 port4 in 192.168.13.21.443 -> 192.168.13.99.20634: psh 4223172795 ack 2324334852
5.086444 port4 out 192.168.13.99.20634 -> 192.168.13.21.443: ack 4223174222
5.087216 port4 out 192.168.13.99.20634 -> 192.168.13.21.443: psh 2324334852 ack 4223174222
5.087633 port4 in 192.168.13.21.443 -> 192.168.13.99.20634: psh 4223174222 ack 2324334978
5.088119 port4 out 192.168.13.99.20634 -> 192.168.13.21.443: psh 2324334978 ack 4223174480
5.088616 port4 in 192.168.13.21.443 -> 192.168.13.99.20634: psh 4223174480 ack 2324335134
5.088696 port4 in 192.168.13.21.443 -> 192.168.13.99.20634: psh 4223174966 ack 2324335134
5.088696 port4 in 192.168.13.21.443 -> 192.168.13.99.20634: fin 4223174997 ack 2324335134
5.090973 port4 out 192.168.13.99.20634 -> 192.168.13.21.443: psh 2324335134 ack 4223174998
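
The following Python function, added here as an illustration and not part of the original article or of FortiProxy, reads sniffer output in the verbosity-4 format shown above and reports how each outbound SYN was answered. It goes beyond the article's case by also reporting a SYN that receives no reply; the names classify_syns, PACKET and SAMPLE are hypothetical, and SAMPLE combines lines from the two captures above with one constructed unanswered SYN.

```python
import re

# One packet line of 'diagnose sniffer packet ... 4' output, as shown on this page:
#   <time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <flag> <seq> [ack <n>]
PACKET = re.compile(
    r"^\s*[\d.]+\s+\S+\s+(in|out)\s+[\d.]+\.(\d+)\s+->\s+[\d.]+\.(\d+):"
    r"\s+(\w+)\s+(\d+)(?:\s+ack\s+(\d+))?"
)

def classify_syns(sniffer_text):
    """Return {client_port: verdict} for every outbound SYN in the capture."""
    expected_ack = {}  # client port -> ack the server must send (SYN seq + 1)
    verdict = {}
    for line in sniffer_text.splitlines():
        m = PACKET.match(line)
        if not m:
            continue  # banner lines such as 'interfaces=[any]'
        direction, sport, dport, flag, seq, ack = m.groups()
        if direction == "out" and flag == "syn" and ack is None:
            expected_ack[sport] = (int(seq) + 1) % 2**32
            verdict[sport] = "no-reply"   # stays so if nothing comes back
        elif (direction == "in" and ack is not None
              and verdict.get(dport) == "no-reply"
              and int(ack) == expected_ack[dport]):
            if flag == "rst":
                verdict[dport] = "refused"    # RST to the SYN: nothing listening
            elif flag == "syn":
                verdict[dport] = "accepted"   # SYN/ACK: listener is up
    return verdict

# Lines taken from the two captures above, plus one constructed SYN
# (source port 40001) that never gets an answer.
SAMPLE = """\
interfaces=[any]
filters=[host 192.168.13.21 and tcp port 443]
4.909617 port4 out 192.168.13.99.50760 -> 192.168.13.21.443: syn 522897495
4.909924 port4 in 192.168.13.21.443 -> 192.168.13.99.50760: rst 0 ack 522897496 <-----
5.084149 port4 out 192.168.13.99.20634 -> 192.168.13.21.443: syn 2324334418
5.084474 port4 in 192.168.13.21.443 -> 192.168.13.99.20634: syn 4223172794 ack 2324334419
5.084503 port4 out 192.168.13.99.20634 -> 192.168.13.21.443: ack 4223172795
9.000000 port4 out 192.168.13.99.40001 -> 192.168.13.21.443: syn 1000
"""

if __name__ == "__main__":
    for port, result in classify_syns(SAMPLE).items():
        print(port, result)
```

A "refused" verdict points at the feed server itself (service stopped or port closed), while "no-reply" points at something dropping traffic on the path, so the two call for different follow-up checks.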

 
