Fortigate VM v.7.2.3 (Evaluation VM License)
I am trying to add IP Address, Malware Hash lists and some of them were accepted by the Fortigate.
But it seems that the refresh process (30 min) makes the VM unresponsive.
Could it be due to using https://virusshare.com/hashes MD5 hashes: one list with 131,072 hashes and the second one with 65,536 hashes in it?
CLI message:
*ATTENTION*: Admin sessions removed because license registration status changed to 'INVALID'
Log - System Events
UPDATE:
It seems the Threat Feeds feature doesn't work properly. Even IP lists that verified on other appliances do not work on Fortigate. Some of them are accepted, with others the Connection Status is : "Server not reachable". Those malware hash lists I had to disable via cli after multiple vm reloads.
Hello
I had an experience on FGT 7.0.9 physical appliance, but with IP addr threat feed.
It worked like a charm. However FMG doesn't like it, since it generates conflict with it.
For FGT VM 15 days evaluation, my experience is that this is not good even for labs, because it has so much limitation, so I think it could be the root cause of your issue with threat feed.
Created on 01-26-2023 04:47 AM Edited on 01-26-2023 05:34 AM
I have some doubts that this is a VM (evaluation) to blame, unless they changed some algorithms specifically for external connectors. If this evaluation VM has all those limitations, so what is the point to call it evaluation?
The only IP list that worked for me was https://cinsarmy.com/list/ci-badguys.txt
It doesn't have any commented text in it, just a list of IPs.
Those lists that have failed (Server not reachable) have some commented text, like the following:
https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt
https://sslbl.abuse.ch/blacklist/sslipblacklist.txt
https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
....
These all lists are working on my other firewall appliance.
I do not know what IP lists you have on your 'FGT 7.0.9 physical appliance'.
Can you confirm that you set up Internet based IP lists and if they have a commented texts in them?
This is just my guess.
UPDATE:
For the test purpose, I have created IP lists on the local Apache web server which are copies of the Internet based lists.
Locally, lists with the comment '#' work but not with the Internet based ones.
With the ';' comments local lists do not work as well.
But I never had 'Server not reachable' for any of the local lists.
Hello IK
I used this list.
https://cinsscore.com/list/ci-badguys.txt
That was the only one I tested.
Each line contains a simple pub IP, like this:
1.10.202.75 1.116.115.166 1.116.130.171
Didn't see any commented line in there, but not sure, you can check the text file and confirm.
I added it via "Fabric Connectors > Threat Feeds > IP Address".
Yes, AEK, this one works for me too.
It seems that Fortinet doesn't trust those websites (certificates or/and country). Those lists that produced 'Server not reachable' have SSL certificates issued by GlobalSign nv-sa (country BE), Sectigo Limited (country GB) and those that connected have certificates issued by Cloudflare (country US).
Hello.
All these lists work for me.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1736 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.