Support Forum
SergGu
New Contributor

FortiGate threat feed monitoring liveness options (FortiAnalyzer, SNMP, Syslog etc.)

Hello Experts,

Can you please advise on options for monitoring the Threat Feed feature? Once configured it seems to be working fine. I'm concerned about the feature breaking and stopping working without anybody noticing.

There is little information in the official documentation (here: https://docs.fortinet.com/document/fortigate/7.4.2/administration-guide/9463/threat-feeds) and no related KB.

I found this command to check the onboard status:

diagnose sys external-resource stats

There is also an option to see the feed in the GUI.

There is also an option to see the locally cached files, from KB 225335:

FGT # fnsysctl ls -l /var/log/external/

-rw-r--r-- 1 0 0 Mon Apr 25 04:15:19 2022 15762 ext-root.External-resource-files
-rw-r--r-- 1 0 0 Mon Apr 25 04:15:19 2022 33 ext-root.External-resource-files.csum
-rw-r--r-- 1 0 0 Mon Apr 25 04:15:19 2022 35 ext-root.External-resource-files.etag

I welcome your advice on this subject. Thanks!

AEK
Honored Contributor

Hello Serg

I have the same and I can't see any related logs in the system logs. I assume that means no log is generated for events affecting such objects. So I assume no syslog, no SNMP and no FAZ.

This is just my guess, nothing official.

Edit: FOS 6.2.x
SergGu
New Contributor

I did some lab testing, and there are events in the FortiGate system log. I think there is a decent amount of information. The only thing I'm missing is an error if the remote server is not available at all. In this case, the only hint that the update did not happen is the lack of "0100022220 Status: Success". I used a 1-minute refresh interval in the lab with FortiOS 7.2.x. It would be great to see the actual error message. Perhaps it is implemented/will be implemented in a newer FortiOS.

If there is no Syslog alert (about the remote server not being reachable), there is no way to use onboard automation to send an email alert about feeds being broken (Technical Tip: Use FortiGate automation stitches for alert emails, KB 193355).
Please see the results of my test below:

1. The Threat Feed file has been updated.

   Log ID:      0100022220
   Type:        event
   Sub Type:    system
   Description: threat-feed
   Event
     Message:   Threat feed 'ext-root.DynamicBlockFeed' updated successfully
   Action
     Status:    success

2. The Threat Feed file contained errors.

   Log ID:      0100022222
   Type:        event
   Sub Type:    system
   Description: address-threat-feed
   Event
     Message:   Threat feed 'DynamicBlockFeed' contains invalid lines, 2 valid lines and 2 invalid lines
   Action
     Reason:    First invalid line at line 7, starting with '123.333.33.22'

3. The Threat Feed file was not present on the web server, while the web server is reachable.

   Log ID:      0100022221
   Type:        event
   Sub Type:    system
   Description: threat-feed
   Event
     Message:   Threat feed 'ext-root.DynamicBlockFeed' update failed
   Action
     Status:    failed
     Reason:    0-Resource not found
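The reply above notes that an unreachable feed server produces no log at all, so the only signal is the absence of the 0100022220 success event. The following script is an added example (not from the thread or from Fortinet) of how a syslog collector could turn that into an alert: it parses the three log IDs from the reply and flags a feed as "stale" when no success event has arrived within a couple of refresh intervals. The key=value syslog layout and all sample lines are constructed for the example; the exact field names a given FortiOS version emits should be checked against a real capture.

```python
import re
from datetime import datetime, timedelta

# Log IDs quoted in the reply above. Field names follow FortiOS key=value syslog
# style, but every line below is constructed for this example, not captured from a device.
SUCCESS, FAILED, INVALID = "0100022220", "0100022221", "0100022222"

def _line(ts, logid, msg, **extra):
    # build one constructed syslog line: date/time/logid/msg plus any extra fields
    tail = " ".join(f'{k}="{v}"' for k, v in extra.items())
    return f'date={ts[:10]} time={ts[11:]} logid="{logid}" type="event" subtype="system" msg="{msg}" {tail}'

SAMPLE_LOGS = [
    _line("2024-05-01 10:00:05", SUCCESS, "Threat feed 'ext-root.DynamicBlockFeed' updated successfully", status="success"),
    _line("2024-05-01 10:00:06", SUCCESS, "Threat feed 'ext-root.HashFeed' updated successfully", status="success"),
    _line("2024-05-01 10:00:07", SUCCESS, "Threat feed 'ext-root.SilentFeed' updated successfully", status="success"),
    _line("2024-05-01 10:01:05", INVALID, "Threat feed 'DynamicBlockFeed' contains invalid lines, 2 valid lines and 2 invalid lines",
          reason="First invalid line at line 7, starting with '123.333.33.22'"),
    _line("2024-05-01 10:02:06", FAILED, "Threat feed 'ext-root.HashFeed' update failed", status="failed", reason="0-Resource not found"),
    _line("2024-05-01 10:03:30", SUCCESS, "Threat feed 'ext-root.GoodFeed' updated successfully", status="success"),
]

KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# feed name from the message; the 'ext-<vdom>.' prefix appears in some messages but not others
FEED = re.compile(r"Threat feed '(?:ext-\w+\.)?([^']+)'")

def parse(line):
    """Return (timestamp, logid, feed name) for a threat-feed event, else None."""
    f = {m.group(1): m.group(3) if m.group(3) is not None else m.group(4) for m in KV.finditer(line)}
    if f.get("logid") not in (SUCCESS, FAILED, INVALID) or not (name := FEED.search(f.get("msg", ""))):
        return None
    return datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S"), f["logid"], name.group(1)

def check_feeds(lines, now, refresh_seconds, missed_cycles=2):
    """Classify each feed as 'ok', 'failed', 'invalid_lines' or 'stale'.
    'stale' is the silent case: no success log for missed_cycles refresh intervals."""
    last = {}  # feed -> (time of last success, logid of most recent event)
    for ts, logid, name in filter(None, map(parse, lines)):
        last[name] = (ts if logid == SUCCESS else last.get(name, (None,))[0], logid)
    result = {}
    for name, (succ, logid) in last.items():
        state = {FAILED: "failed", INVALID: "invalid_lines"}.get(logid)
        if state is None:
            stale = succ is None or now - succ > timedelta(seconds=refresh_seconds * missed_cycles)
            state = "stale" if stale else "ok"
        result[name] = state
    return result
```

With the sample lines, a 60-second refresh interval and "now" at 10:04:00, SilentFeed is reported as stale even though the device never logged an error for it, which is the gap the reply describes.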
