FortiSIEM may fail to perform a content update if placed behind a firewall.
Error:
Use the following command from the FortiSIEM CLI to view the backend communication with the update server (the verbose output shows whether the proxy tunnel and the TLS handshake succeed):
curl -vv https://update.fortiguard.net --insecure
* Rebuilt URL to: https://update.fortiguard.net/
* Uses proxy env variable no_proxy == 'login.microsoftonline.com,graph.microsoft.com,127.0.0.1,localhost,1x.xx.3x.xx,xx.xx.xx.xx,10.xx.xx.xx,swd-wbssoc-su-01,swd-wbssoc-su-01.wbs.swd-ag.de,swd-wbssoc-sw-02,swd-wbssoc-sw-02.wbs.swd-ag.de,swd-wbssoc-sc-01,swd-wbssoc-sc-01.wbs.swd-ag.de'
* Uses proxy env variable https_proxy == 'msproxy.swd-ag.de:8080'
*   Trying 10.xx.2x.xx...
* TCP_NODELAY set
* Connected to msproxy.swd-ag.de (10.xx.xx.xx) port 8080 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to update.fortiguard.net:443
> CONNECT update.fortiguard.net:443 HTTP/1.1
> Host: update.fortiguard.net:443
> User-Agent: curl/7.61.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/xxx/xxx/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CONNECT phase completed!
* CONNECT phase completed!
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_xxx_xxx_SHAxxx
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=California; L=Sunnyvale; O=Fortinet; OU=FDS; CN=fds1.fortinet.com; emailAddress=support@fortinet.com
*  start date: Dec xx xx:xx:x 20xx GMT
*  expire date: Jun xx xx:xx:xx 20xx GMT
*  issuer: C=US; ST=California; L=Sunnyvale; O=Fortinet; OU=Certificate Authority; CN=support; emailAddress=support@fortinet.com
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* TLSv1.3 (OUT), TLS app data, [no content] (0):
> GET / HTTP/1.1
> Host: update.fortiguard.net
> User-Agent: curl/7.61.1
> Accept: */*
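To make the trace above quicker to read, here is an added helper (not part of the Fortinet article) that reads a `curl -vv` trace from stdin and reports whether the proxy refused the CONNECT, whether TLS failed, or whether the server certificate issuer is not Fortinet, which in the trace above is the sign that a TLS-inspecting proxy sits in the path. The three sample traces are constructed and abridged; the issuer check is a heuristic based on the issuer shown in the article's output.

```shell
#!/bin/sh
# Added example, not from the Fortinet article: triage a `curl -vv` trace
# (read from stdin) captured while testing the FortiGuard update path through
# a proxy. Prints one of: proxy-unreachable, proxy-refused, tls-failed,
# tls-intercepted, ok.
classify_curl_trace() {
  trace=$(cat)
  if printf '%s\n' "$trace" | grep -Eq 'Failed to connect to|Could not resolve proxy'; then
    echo proxy-unreachable; return 0
  fi
  # A tunnel was attempted but the proxy never answered 200 to CONNECT.
  if printf '%s\n' "$trace" | grep -q 'Establish HTTP proxy tunnel' && ! printf '%s\n' "$trace" | grep -q 'Proxy replied 200 to CONNECT request'; then
    echo proxy-refused; return 0
  fi
  if ! printf '%s\n' "$trace" | grep -q 'SSL connection using'; then
    echo tls-failed; return 0
  fi
  # The issuer of the server certificate shows who signed what curl received.
  # In the article's trace the chain is issued by Fortinet's own CA; any other
  # issuer most likely means a TLS-inspecting proxy re-signed the connection,
  # and the FortiGuard client will then reject the chain (heuristic check).
  issuer=$(printf '%s\n' "$trace" | grep 'issuer:' | head -n 1)
  case "$issuer" in
    *O=Fortinet*) echo ok ;;
    *)            echo tls-intercepted ;;
  esac
}

# Constructed sample traces, abridged to the lines the classifier looks at.
TRACE_OK='* Establish HTTP proxy tunnel to update.fortiguard.net:443
* Proxy replied 200 to CONNECT request
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
*  subject: C=US; O=Fortinet; CN=fds1.fortinet.com
*  issuer: C=US; O=Fortinet; OU=Certificate Authority; CN=support'
TRACE_REFUSED='* Establish HTTP proxy tunnel to update.fortiguard.net:443
< HTTP/1.1 403 Forbidden
* Received HTTP code 403 from proxy after CONNECT'
TRACE_INTERCEPTED='* Proxy replied 200 to CONNECT request
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
*  subject: CN=update.fortiguard.net
*  issuer: CN=Corporate TLS Inspection CA (hypothetical)'

# Prints: ok, proxy-refused, tls-intercepted
for t in "$TRACE_OK" "$TRACE_REFUSED" "$TRACE_INTERCEPTED"; do
  printf '%s\n' "$t" | classify_curl_trace
done
# Live use: curl -vv --proxy msproxy.example:8080 https://update.fortiguard.net 2>&1 | classify_curl_trace
```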
Solution:
Configure Proxy -> Malware IP -> FortiGuard Malware IP -> More -> Update -> Proxy.
It is not possible to configure the IOC proxy if the FortiSIEM license does not include the IOC license.
In this case, follow the article below to enable the proxy with a CLI script: Technical Tip: How to configure Content Update, Image Server and FortiGuard IOC download to work th...