FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
koolishami (Staff)
Article Id 388792
Description This article outlines a method to resolve issues with outdated FortiGuard Malware Domain, IP, and URL Indicators of Compromise (IOCs) in FortiSIEM, even when an update schedule is already configured.
Scope FortiSIEM v7.x+.
Solution

Step 1: Manually Trigger the IOC Update:

  1. Navigate to: Resources -> Malware IPs.
  2. Select 'Update' on FortiGuard Malware IP.
  3. In the popup window, select '+', leave the default schedule setting as 'Once', and select Save.
  4. Select 'View' on FortiGuard Malware IP. 'Updating IOC' should appear next to the search bar while the update runs.


Step 2: Monitor the Update in Logs:

On the Supervisor CLI, run the following command to follow the application server log and filter for the malware-update audit events:

tail -f /opt/glassfish/domains/domain1/logs/phoenix.log | grep PH_AUDIT_MALWARE

Watch for the following entries, one per feed, to confirm that the IOC update succeeded:

[folder]=FortiGuard Malware IP, [phLogDetail]=Malware data updated

[folder]=FortiGuard Malware URL, [phLogDetail]=Malware data updated

[folder]=FortiGuard Malware Domain, [phLogDetail]=Malware data updated

Note:

The update can take a while, depending on the Supervisor's connectivity to FortiGuard and on system load. tail -f prints only the last few existing lines before following new ones, so start it before triggering the update in Step 1, or grep the whole file afterwards.


Step 3: If IOC Update Fails — Clear Cache and Restart App Server:

If the IOC update does not start after Step 1 (no 'Updating IOC' indicator and no PH_AUDIT_MALWARE entries in the log), clear the application server (appsvr) cache and restart the application server from the Supervisor CLI:

cd /opt/phoenix/cache/

mv ip_dir ipdir_.old  # ip_dir is the cache directory named after the Supervisor's IP address; it is renamed, not deleted, so it can be restored if needed

cd /opt/glassfish/domains/domain1/

rm -rf generated/

rm -rf osgi-cache/

kill -9 $(cat config/pid)

Wait for the application server to come back up (the GUI becomes reachable again) before moving on to Step 4.


Why This Works:

FortiSIEM uses GlassFish as its application server. GlassFish caches compiled code and OSGi components for faster startup and operation:

generated/: compiled JSPs and servlet artifacts.

osgi-cache/: OSGi bundle states and background service configuration (e.g., the update schedulers).

Over time these caches can become stale or corrupt, particularly after crashes, incomplete updates, or misconfiguration, and scheduled tasks such as the FortiGuard IOC update then fail silently.

Removing the directories forces GlassFish to rebuild them and reinitialize its components and services on the next start. Killing the process ensures that a full restart of the app server happens, which resets all background jobs, including the IOC scheduler.


Step 4: Confirm Successful Update Post-Restart:

After the application server has restarted, monitor the log again to verify that IOC updates now run:

tail -f /opt/glassfish/domains/domain1/logs/phoenix.log | grep PH_AUDIT_MALWARE

The three PH_AUDIT_MALWARE_DATA_UPDATED entries listed in Step 2 (FortiGuard Malware IP, URL and Domain, each with [phLogDetail]=Malware data updated) should now appear. If none appear, trigger the update again as in Step 1 and keep watching the log.
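As an added example (this script is not part of the Fortinet article and is not FortiSIEM code), the following bash script automates the log check from Steps 2 and 4 on the Supervisor CLI. Instead of reading tail -f output by eye, it records the current length of phoenix.log before the update is triggered, then reports which of the three feeds has not logged a 'Malware data updated' entry since that mark, and can poll until all three have. It assumes only the entry format quoted in the article (lines matching PH_AUDIT_MALWARE that carry the [folder]= and [phLogDetail]= fields) and the log path the article gives; the timestamps and leading fields in the embedded demo log are constructed and do not reproduce the real phoenix.log layout.

```shell
#!/bin/bash
# Added example, not code from the Fortinet article or from FortiSIEM:
# check a Supervisor's phoenix.log for the three FortiGuard
# "Malware data updated" audit entries and report which feeds have not
# updated since the manual trigger.
# Assumed: the entry format quoted in the article, i.e. lines matching
# PH_AUDIT_MALWARE that carry "[folder]=<feed>, [phLogDetail]=Malware data updated".

PHOENIX_LOG="${PHOENIX_LOG:-/opt/glassfish/domains/domain1/logs/phoenix.log}"
FEEDS='FortiGuard Malware IP|FortiGuard Malware URL|FortiGuard Malware Domain'

# log_mark LOGFILE -> current line count. Take it before clicking Update so
# entries from an earlier scheduled run are not mistaken for the new one.
log_mark() {
    wc -l < "$1" | tr -d ' '
}

# ioc_updated LOGFILE FEED MARK -> 0 if FEED logged an update after line MARK
ioc_updated() {
    tail -n "+$(( $3 + 1 ))" "$1" \
      | grep -F 'PH_AUDIT_MALWARE' \
      | grep -F "[folder]=$2," \
      | grep -Fq '[phLogDetail]=Malware data updated'
}

# missing_ioc_feeds LOGFILE MARK -> prints each feed still missing an update
# entry, one per line; returns 1 if any is missing, 0 when all three are there
missing_ioc_feeds() {
    local log="$1" mark="${2:-0}" rc=0 feed
    local IFS='|'
    for feed in $FEEDS; do
        if ! ioc_updated "$log" "$feed" "$mark"; then
            printf '%s\n' "$feed"
            rc=1
        fi
    done
    return "$rc"
}

# wait_for_ioc_updates LOGFILE MARK TIMEOUT_SECONDS -> poll every 10 s until
# all three feeds have updated or the timeout expires (returns 1 on timeout,
# listing the feeds that never updated on stderr)
wait_for_ioc_updates() {
    local log="$1" mark="${2:-0}" timeout="${3:-900}" waited=0
    until missing_ioc_feeds "$log" "$mark" >/dev/null; do
        if [ "$waited" -ge "$timeout" ]; then
            echo "timeout after ${timeout}s; feeds still not updated:" >&2
            missing_ioc_feeds "$log" "$mark" >&2
            return 1
        fi
        sleep 10
        waited=$(( waited + 10 ))
    done
    echo "all three FortiGuard IOC feeds updated"
}

# Offline demonstration on a constructed log: the timestamps and the leading
# fields are made up; only the bracketed fields follow the article.
demo_log="$(mktemp)"
cat > "$demo_log" <<'EOF'
2025-01-01 02:00:01 INFO PH_AUDIT_MALWARE_DATA_UPDATED [folder]=FortiGuard Malware IP, [phLogDetail]=Malware data updated
2025-01-01 02:00:02 INFO PH_AUDIT_MALWARE_DATA_UPDATED [folder]=FortiGuard Malware URL, [phLogDetail]=Malware data updated
2025-01-01 02:00:03 INFO PH_AUDIT_MALWARE_DATA_UPDATED [folder]=FortiGuard Malware Domain, [phLogDetail]=Malware data updated
EOF
mark="$(log_mark "$demo_log")"   # pretend the manual Update was clicked here
cat >> "$demo_log" <<'EOF'
2025-01-01 10:15:00 INFO PH_AUDIT_MALWARE_DATA_UPDATED [folder]=FortiGuard Malware IP, [phLogDetail]=Malware data updated
2025-01-01 10:15:04 INFO PH_AUDIT_MALWARE_DATA_UPDATED [folder]=FortiGuard Malware URL, [phLogDetail]=Malware data updated
EOF
# Only the Domain feed is missing after the mark; the 02:00 run does not count.
missing_ioc_feeds "$demo_log" "$mark" || echo "(some feeds not yet updated)"
rm -f "$demo_log"
```

On a Supervisor, source the script, run mark=$(log_mark "$PHOENIX_LOG") before clicking Update in Step 1, then wait_for_ioc_updates "$PHOENIX_LOG" "$mark" 900. A non-zero exit with the missing feeds listed on stderr is the signal to move to Step 3; a clean exit after the restart is the Step 4 confirmation.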

Related documents:

Working with FortiGuard IOCs

Troubleshooting Tip: How to clear application server cache