lk777
New Contributor

External Connectors - Threat Feeds problems

Fortigate VM v.7.2.3 (Evaluation VM License)

I am trying to add IP Address and Malware Hash lists, and some of them were accepted by the FortiGate.

But it seems that the refresh process (30 min) makes the VM unresponsive.

Could it be due to using https://virusshare.com/hashes MD5 hashes: one list with 131,072 hashes and a second one with 65,536 hashes in it?

CLI message:

*ATTENTION*: Admin sessions removed because license registration status changed to 'INVALID'

Log - System Events

[attached screenshot: 2023-01-24 08 18 40.jpg]

UPDATE:

It seems the Threat Feeds feature doesn't work properly. Even IP lists that were verified on other appliances do not work on the FortiGate. Some of them are accepted; with others the Connection Status is "Server not reachable". Those malware hash lists I had to disable via the CLI after multiple VM reloads.

AEK
SuperUser

Hello

I had an experience on an FGT 7.0.9 physical appliance, but with an IP addr threat feed.

It worked like a charm. However, FMG doesn't like it, since it generates a conflict with it.

For the FGT VM 15-day evaluation, my experience is that it is not good even for labs, because it has so many limitations, so I think it could be the root cause of your issue with the threat feed.

AEK
lk777
New Contributor

I have some doubts that the VM (evaluation) is to blame, unless they changed some algorithms specifically for external connectors. If this evaluation VM has all those limitations, then what is the point of calling it an evaluation?

The only IP list that worked for me was https://cinsarmy.com/list/ci-badguys.txt

It doesn't have any commented text in it, just a list of IPs.

Those lists that failed (Server not reachable) have some commented text in them, like the following:

https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt

https://sslbl.abuse.ch/blacklist/sslipblacklist.txt

https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

....

All of these lists are working on my other firewall appliance.

I do not know what IP lists you have on your 'FGT 7.0.9 physical appliance'.

Can you confirm that you set up Internet-based IP lists, and whether they have commented text in them?

This is just my guess.

UPDATE:

For test purposes, I have created IP lists on a local Apache web server which are copies of the Internet-based lists.

Locally, lists with '#' comments work, but the Internet-based ones do not.

Local lists with ';' comments do not work either.

But I never had 'Server not reachable' for any of the local lists.
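A small feed checker, added here as an example (it is not code from this thread or from Fortinet), for the kind of local copy described above: it strips '#' and ';' comment text, validates each remaining line as an IP/CIDR or an MD5 hash, and reports what was dropped, so a feed can be published on a local web server as plain entries only. The sample feed bodies are constructed and use documentation address ranges.

```python
import ipaddress
import re

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
COMMENT_CHARS = ("#", ";")


def normalize_feed(text, kind="ip"):
    """Return (clean_entries, comment_line_count, rejected) for a feed body.

    kind="ip" accepts IPv4/IPv6 addresses and CIDR blocks; kind="md5" accepts
    32-hex-digit hashes (normalised to lowercase). Whole-line and trailing
    '#' / ';' comments are removed; anything else is reported with its line
    number so it can be inspected before the list is published.
    """
    clean, rejected, comments = [], [], 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith(COMMENT_CHARS):
            comments += 1
            continue
        # Drop an inline trailing comment such as "192.0.2.1 # seen today".
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()
        if kind == "ip":
            try:
                ipaddress.ip_network(line, strict=False)
            except ValueError:
                rejected.append((lineno, raw))
                continue
            clean.append(line)
        elif kind == "md5":
            if MD5_RE.match(line.lower()):
                clean.append(line.lower())
            else:
                rejected.append((lineno, raw))
        else:
            raise ValueError(f"unknown feed kind: {kind}")
    return clean, comments, rejected


# Constructed sample in the style of a commented IP block list (TEST-NET ranges).
SAMPLE_IP_FEED = """\
# Example block list (constructed sample)
# Last updated: <placeholder>
192.0.2.10
198.51.100.0/24 ; whole range
not-an-ip
203.0.113.7   # trailing note
"""

# Constructed sample hash list: lowercase, uppercase, and one truncated entry.
SAMPLE_MD5_FEED = """\
d41d8cd98f00b204e9800998ecf8427e
D41D8CD98F00B204E9800998ECF8427E
d41d8cd98f00b204e98009
"""

if __name__ == "__main__":
    for kind, body in (("ip", SAMPLE_IP_FEED), ("md5", SAMPLE_MD5_FEED)):
        clean, comments, rejected = normalize_feed(body, kind)
        print(f"{kind}: {len(clean)} entries, {comments} comment lines, "
              f"{len(rejected)} rejected")
        for lineno, raw in rejected:
            print(f"  line {lineno}: {raw!r}")
        # "\n".join(clean) is what to serve from the local web server.
```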

AEK
SuperUser

Hello IK

I used this list.

https://cinsscore.com/list/ci-badguys.txt

That was the only one I tested.

Each line contains a single public IP, like this:

1.10.202.75
1.116.115.166
1.116.130.171

I didn't see any commented line in there, but I'm not sure; you can check the text file and confirm.

I added it via "Fabric Connectors > Threat Feeds > IP Address".

AEK
lk777
New Contributor

Yes, AEK, this one works for me too.

It seems that Fortinet doesn't trust those websites (certificates and/or country). Those lists that produced 'Server not reachable' have SSL certificates issued by GlobalSign nv-sa (country BE) and Sectigo Limited (country GB), while those that connected have certificates issued by Cloudflare (country US).

DarekKm
New Contributor

Hello.

All these lists work for me.