Hello Experts,
Can you please advise on options for monitoring the Threat Feed feature? Once configured, it seems to be working fine. I'm concerned about the feature breaking and stopping working without anybody noticing.
There is little information in the official documentation (here - https://docs.fortinet.com/document/fortigate/7.4.2/administration-guide/9463/threat-feeds) and no related KB.
I found this command to check the onboard status:
diagnose sys external-resource stats
There is also an option to see the feed in the GUI.
There is also a way to see the locally cached files, from KB 225335:
FGT # fnsysctl ls -l /var/log/external/
-rw-r--r-- 1 0 0 Mon Apr 25 04:15:19 2022 15762 ext-root.External-resource-files
-rw-r--r-- 1 0 0 Mon Apr 25 04:15:19 2022 33 ext-root.External-resource-files.csum
-rw-r--r-- 1 0 0 Mon Apr 25 04:15:19 2022 35 ext-root.External-resource-files.etag
I welcome your advice on this subject. Thanks!
Hello Serg
I have the same, and I can't see any related logs in the system logs. I assume that means no log is generated for events affecting such an object. So I assume no syslog, no SNMP and no FAZ.
This is just my guess, nothing official.
Edit: FOS 6.2.x
Created on 01-26-2024 06:19 AM Edited on 01-26-2024 06:27 AM
I did some lab testing, and there are events in the FortiGate system log. I think there is a decent amount of information. The only thing I'm missing is an error if the remote server is not available at all. In this case, the only hint that the update did not happen is the lack of "0100022220 Status: Success". I used a 1-minute refresh interval in the lab with FortiOS 7.2.x. It would be great to see the actual error message. Perhaps it is implemented, or will be implemented, in a newer FortiOS.
If there is no syslog alert (about the remote server not being reachable), there is no way to use onboard automation to send an email alert about feeds being broken - Technical Tip: Use FortiGate automation stitches for alert emails KB 193355
Please see the results of my test below:
Scenario 1: The Threat Feed file has been updated.
Log ID: 0100022220 | Type: event | Sub Type: system | Description: threat-feed
Event Message: Threat feed 'ext-root.DynamicBlockFeed' updated successfully
Status: success

Scenario 2: The Threat Feed file contained errors.
Log ID: 0100022222 | Type: event | Sub Type: system | Description: address-threat-feed
Event Message: Threat feed 'DynamicBlockFeed' contains invalid lines, 2 valid lines and 2 invalid lines
Reason: First invalid line at line 7, starting with '123.333.33.22'

Scenario 3: The Threat Feed file was not present on the web server, while the web server is reachable.
Log ID: 0100022221 | Type: event | Sub Type: system | Description: threat-feed
Event Message: Threat feed 'ext-root.DynamicBlockFeed' update failed
Status: failed | Reason: 0-Resource not found
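The following is an added example, not code from the thread or from Fortinet: detection logic that a syslog collector could run over FortiGate event logs to turn the three log IDs quoted above (0100022220 updated, 0100022221 update failed, 0100022222 invalid lines) into a per-feed status, and, for the silent case the reply describes (server unreachable, no event at all), to flag a feed as stale when no 0100022220 success event has arrived within two refresh intervals. The key=value syslog layout (date, time, logid, msg, reason, status) is assumed; the sample lines are constructed from the messages posted above, and the stripping of the "ext-root." prefix, which the posted messages show only on some feed names, is an assumption so that events for one feed line up.

```python
"""Watch FortiGate threat-feed (external resource) events and flag broken or stale feeds."""
import re
from datetime import datetime, timedelta

# Log IDs as observed in the lab test posted above (FortiOS 7.2.x).
FEED_UPDATED = "0100022220"  # Threat feed '...' updated successfully
FEED_FAILED = "0100022221"   # Threat feed '...' update failed (server reachable, file missing)
FEED_INVALID = "0100022222"  # Threat feed '...' contains invalid lines

# key=value or key="quoted value" pairs of a FortiGate syslog line (assumed layout).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
NAME_RE = re.compile(r"Threat feed ['\u2018]([^'\u2019]+)['\u2019]")

# Constructed sample lines; only logid/msg/reason/status values come from the thread.
SAMPLE_LOGS = [
    'date=2024-01-26 time=06:19:00 logid="0100022220" type="event" subtype="system" vd="root" '
    'status="success" msg="Threat feed \'ext-root.DynamicBlockFeed\' updated successfully"',
    'date=2024-01-26 time=06:19:00 logid="0100022220" type="event" subtype="system" vd="root" '
    'status="success" msg="Threat feed \'ext-root.MalwareDomains\' updated successfully"',
    'date=2024-01-26 time=06:20:00 logid="0100022221" type="event" subtype="system" vd="root" '
    'status="failed" reason="0-Resource not found" '
    'msg="Threat feed \'ext-root.DynamicBlockFeed\' update failed"',
    'date=2024-01-26 time=06:24:30 logid="0100022220" type="event" subtype="system" vd="root" '
    'status="success" msg="Threat feed \'ext-root.AllowlistFeed\' updated successfully"',
    'date=2024-01-26 time=06:24:30 logid="0100022222" type="event" subtype="system" vd="root" '
    'reason="First invalid line at line 7, starting with \'123.333.33.22\'" '
    'msg="Threat feed \'GeoBlock\' contains invalid lines, 2 valid lines and 2 invalid lines"',
]
SAMPLE_NOW = datetime(2024, 1, 26, 6, 25, 0)  # constructed "current time" for the sample
SAMPLE_FEEDS = ["DynamicBlockFeed", "MalwareDomains", "AllowlistFeed", "GeoBlock", "NeverSeen"]


def parse_line(line):
    """Split one FortiGate syslog line into a dict of fields, unquoting values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def feed_name(fields):
    """Pull the feed name out of msg; strip the 'ext-root.' prefix (assumption, see lead-in)."""
    match = NAME_RE.search(fields.get("msg", ""))
    if not match:
        return None
    name = match.group(1)
    prefix = "ext-root."
    return name[len(prefix):] if name.startswith(prefix) else name


def evaluate_feeds(log_lines, expected_feeds, refresh_minutes, now):
    """Return {feed: (status, detail)} with status in ok / failed / invalid / stale.

    'stale' covers the silent case: the device logs nothing when the remote server
    is unreachable, so the only evidence is a missing 0100022220 success event.
    """
    last_success = {}   # feed -> timestamp of newest success
    last_event = {}     # feed -> (timestamp, logid, detail) of newest feed event
    for line in log_lines:
        f = parse_line(line)
        name = feed_name(f)
        if name is None or "logid" not in f:
            continue
        ts = datetime.strptime(f"{f['date']} {f['time']}", "%Y-%m-%d %H:%M:%S")
        if f["logid"] == FEED_UPDATED:
            last_success[name] = max(ts, last_success.get(name, ts))
        if f["logid"] in (FEED_UPDATED, FEED_FAILED, FEED_INVALID):
            if name not in last_event or ts >= last_event[name][0]:
                last_event[name] = (ts, f["logid"], f.get("reason", f.get("msg", "")))

    max_age = timedelta(minutes=2 * refresh_minutes)  # tolerate one missed cycle
    result = {}
    for feed in expected_feeds:
        _ts, logid, detail = last_event.get(feed, (None, None, ""))
        if logid == FEED_FAILED:
            result[feed] = ("failed", detail)
        elif logid == FEED_INVALID:
            result[feed] = ("invalid", detail)
        elif feed not in last_success or now - last_success[feed] > max_age:
            result[feed] = ("stale", "no %s success event within %s" % (FEED_UPDATED, max_age))
        else:
            result[feed] = ("ok", detail)
    return result


def sample_report():
    """Evaluate the constructed sample with a 1-minute refresh interval."""
    return evaluate_feeds(SAMPLE_LOGS, SAMPLE_FEEDS, refresh_minutes=1, now=SAMPLE_NOW)


if __name__ == "__main__":
    for feed, (status, detail) in sample_report().items():
        print(f"{feed:18} {status:8} {detail}")
```

With the sample input, DynamicBlockFeed reports failed (its newest event is 0100022221), GeoBlock reports invalid, AllowlistFeed reports ok, and MalwareDomains and NeverSeen report stale because no success event arrived in the last two minutes. Feed the real syslog stream and the configured refresh interval instead of the sample, and alert on anything other than ok; the stale check is what covers the unreachable-server case that produces no event on the FortiGate.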
Copyright 2024 Fortinet, Inc. All Rights Reserved.