Thank you so much for your support Ede,
The output of the command is here. I frankly have no idea what to do.
Created on 12-16-2022 12:49 PM Edited on 12-16-2022 12:51 PM
Go through all of your antivirus profiles, check if they have "Use external malware block list" enabled. It can either be an explicit list of individual feeds, or all of them. (in which case the reference to the feed you want to delete would not show up in the CLI)
If that's the case, disable the option altogether, or switch to specific feeds and ensure the one you want to delete isn't in the selected list.
edit: make sure to check (and possibly change) this through the CLI as well. "external-blocklist-enable-all" seems to be enabled in the CLI by default but not displayed in the GUI, at least in 7.0.x that I have checked. (maybe a GUI bug)
I went through all the antivirus profiles. There are currently 4 antivirus profiles (all default antivirus profiles that come with Fortigate). The "Use external malware block list" option is not active in any of the security profiles (Antivirus, web filter, video filter, DNS filter etc.); it is not used in any profile.
Hi Team,
It seems you are deleting from the root VDOM.
Can you delete from the global VDOM? Are they visible?
Since I created it in the root VDOM, it only appears in the root VDOM. It doesn't show up in the Global VDOM.
Hi Team,
I replicated this in the lab and I was able to reproduce the issue.
Please follow these steps:
In my lab environment I have three antivirus profiles which are attached to the global VDOM. I had to disable this setting in the antivirus profile, "set external-blocklist-enable-all enable"; only then was I able to delete the malware feed.
config global
config antivirus profile
edit g-wifi-default
set external-blocklist-enable-all disable
end
(You have to do this for all AV profiles.)
Hope it is clear.
Created on 12-18-2022 06:04 AM Edited on 12-18-2022 06:07 AM
Check them in the CLI, especially check for the option "external-blocklist-enable-all", as I wrote in my initial reply, and as @seshuganesh is trying to highlight below.
This option seems to be enabled by default, and it seems to be blocking the deletion (at least it did for me).
Thank you so much @pminarik !
"show full-configuration | grep -f external-blocklist-enable-all" did show me where to look, there was an AV profile not visible in GUI that had it enabled .... Nice "Feature" :clown_face:
Have a great day !
Just ran into this issue myself, with a side order of it actually being caused by the Fortimanager deciding it doesn't believe in the existence of any malware threat feeds after an update (7.2.4->7.2.5), so it tries to delete the malware feeds out of the appliance and breaks the push. Yay.
So, should someone encounter this, it's not an ideal solution but you'll basically have to make a script in the Fortimanager that goes into 'config antivirus profile' and does a 'set external-blocklist-enable-all disable' for each profile, then 'config system external-resource' and delete the affected malware feeds (yes this sucks), and then back through the antivirus profiles again to switch them back. Optionally one may re-add the external resources in a second script which should be run after policy changes (because the policy changes won't be possible while the Fortimanager continues to disbelieve in the existence of malware threat feeds), but frankly this is a giant PITA and not exactly a great look to have to disable a chunk of functionality because the Fortimanager doesn't believe in it.
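As an added example (not code from any poster in this thread or from Fortinet), the Python below scans saved `show full-configuration` output for antivirus profiles that still hold a reference to a malware feed, including profiles hidden in the GUI, and emits the `set external-blocklist-enable-all disable` lines the replies above describe. The sample configuration is constructed, the function names are hypothetical, and the explicit-list setting name `external-blocklist` is an assumption about the profile schema.

```python
import re

# Constructed sample of saved CLI output (not taken from the thread).
SAMPLE = """\
config antivirus profile
    edit "default"
        set external-blocklist-enable-all enable
    next
    edit "wifi-default"
        set external-blocklist-enable-all disable
        set external-blocklist "feed-a" "feed-b"
    next
    edit "g-wifi-default"
        config http
            set av-scan block
        end
        set external-blocklist-enable-all enable
    next
end
"""

def blocking_profiles(config_text, feed):
    """Map each AV profile that still references `feed` to the reason."""
    found, profile, depth = {}, None, 0
    for raw in config_text.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', raw)]
        if not tok:
            continue
        if tok[0] == "config":
            # Nesting is counted only from the antivirus profile table down.
            if depth or tok[1:] == ["antivirus", "profile"]:
                depth += 1
        elif tok[0] == "end" and depth:
            depth -= 1
        elif depth == 1 and tok[0] == "edit":
            profile = tok[1]
        elif depth == 1 and tok[0] == "set" and profile:
            if tok[1:] == ["external-blocklist-enable-all", "enable"]:
                found[profile] = "enable-all"
            elif tok[1:2] == ["external-blocklist"] and feed in tok[2:]:
                found.setdefault(profile, "explicit")  # setting name assumed
    return found

def disable_commands(found):
    """CLI lines that turn off enable-all, as in the thread's workaround."""
    lines = ["config antivirus profile"]
    for name, reason in found.items():
        if reason == "enable-all":
            lines += [f'edit "{name}"', "set external-blocklist-enable-all disable", "next"]
    return lines + ["end"]
```

Profiles reported as "explicit" are left for manual review, since the thread only gives the command for the enable-all case; on a VDOM-enabled unit the generated lines go inside the relevant `config global` or VDOM context.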