Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Yerlikaya06
New Contributor II

Created on ‎12-16-2022 01:17 AM Edited on ‎12-17-2022 08:26 AM

I can't delete Malware Hash Threat Feed (Fortigate 600E - release v7.2.3 )

I can never delete Security Fabric > External Connectors > Malware Hash - Threat Feed that I created on root user on fortigate 600E device with FortiOS v7.2.3

FortiGate 

Labels:
3630
0 Kudos
17 REPLIES 17
Yerlikaya06
New Contributor II
In response to ede_pfau

Created on ‎12-16-2022 12:31 PM

Thank you so much for your support Ede,

The output of the command is here I frankly have no idea what to do.

Command outputCommand output

1510
0 Kudos
Yerlikaya06
New Contributor II
In response to ede_pfau

Created on ‎12-16-2022 12:49 PM Edited on ‎12-16-2022 12:51 PM

,

1509
0 Kudos
pminarik
Staff
Staff

Created on ‎12-16-2022 08:05 AM Edited on ‎12-16-2022 08:10 AM

Go through all of your antivirus profiles, check if they have "Use external malware block list" enabled. It can either be an explicit list of individual feeds, or all of them. (in which case the reference to the feed you want to delete would not show up in the CLI)
If that's the case, disable the option altogether, or switch to specific feeds and ensure the one you want to delete isn't in the selected list.

 

edit: make sure to check (and possibly change) this through the CLI as well. "external-blocklist-enable-all" seems to be enabled in the CLI by default but not displayed in the GUI, at least in 7.0.x that I have checked. (maybe a GUI bug)

[ corrections always welcome ]
1520
0 Kudos
Yerlikaya06
New Contributor II
In response to pminarik

Created on ‎12-16-2022 01:11 PM

I went through all the antivirus profiles. There are currently 4 antivirus profiles (all default antivirus profiles that come with Fortigate). "Use external malware block list" option is not active in any of the security profiles (Antivirus, web filter, video filter, DNS filter etc.), it is not using in any profile.

1507
0 Kudos
seshuganesh
Staff
Staff
In response to Yerlikaya06

Created on ‎12-17-2022 02:35 AM

Hi Team,

 

It seems you are deleting from root VDOM
Can you delete from global VDOM? are they visible?

 

1495
0 Kudos
Yerlikaya06
New Contributor II
In response to seshuganesh

Created on ‎12-17-2022 08:22 AM

Since I created it in the root VDOM, it only appears in the root VDOM. Doesn't show up in Global VDOM

1488
seshuganesh
Staff
Staff
In response to seshuganesh

Created on ‎12-17-2022 09:54 PM

Hi Team,

 

I replicated this in lab and i was able to reproduce the issue.

Please follow these steps:

In my lab environment i have three antivirus profiles which are attached to global VDOM, i have to disable this setting in anti virus profile "set external-blocklist-enable-all enable", only then i was able to delete the malware feed.

config global

config antivirus profile

edit g-wifi-default----you have to do this for all AV profiles

set external-blocklist-enable-all disable

end

Hope it is clear

1471
pminarik
Staff
Staff
In response to Yerlikaya06

Created on ‎12-18-2022 06:04 AM Edited on ‎12-18-2022 06:07 AM

Check them in the CLI, especially check for the option "external-blocklist-enable-all", as I wrote in my initial reply, and as @seshuganesh is trying to highlight below.


This option seems to be enabled by default, and it seems to be blocking the deletion (at least it did for me). 

[ corrections always welcome ]
1466
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.