Yerlikaya06
New Contributor II

I can't delete Malware Hash Threat Feed (FortiGate 600E - release v7.2.3)

I can never delete the Security Fabric > External Connectors > Malware Hash - Threat Feed that I created on root user on a FortiGate 600E device with FortiOS v7.2.3.

Yerlikaya06

Thank you so much for your support Ede,

The output of the command is here. I frankly have no idea what to do.

[Image: Command output]

pminarik
Staff

Go through all of your antivirus profiles and check if they have "Use external malware block list" enabled. It can either be an explicit list of individual feeds, or all of them (in which case the reference to the feed you want to delete would not show up in the CLI).
If that's the case, disable the option altogether, or switch to specific feeds and ensure the one you want to delete isn't in the selected list.

edit: make sure to check (and possibly change) this through the CLI as well. "external-blocklist-enable-all" seems to be enabled in the CLI by default but not displayed in the GUI, at least in 7.0.x that I have checked. (maybe a GUI bug)

[ corrections always welcome ]
Yerlikaya06

I went through all the antivirus profiles. There are currently 4 antivirus profiles (all default antivirus profiles that come with FortiGate). The "Use external malware block list" option is not active in any of the security profiles (antivirus, web filter, video filter, DNS filter, etc.); it is not used in any profile.

seshuganesh

Hi Team,

It seems you are deleting from the root VDOM.
Can you delete from the global VDOM? Are they visible?

Yerlikaya06

Since I created it in the root VDOM, it only appears in the root VDOM. It doesn't show up in the Global VDOM.

seshuganesh

Hi Team,

I replicated this in the lab and I was able to reproduce the issue.

Please follow these steps:

In my lab environment I have three antivirus profiles which are attached to the global VDOM. I have to disable this setting in the antivirus profile, "set external-blocklist-enable-all enable"; only then was I able to delete the malware feed.

config global
    config antivirus profile
        edit g-wifi-default ---- you have to do this for all AV profiles
            set external-blocklist-enable-all disable
    end

Hope it is clear.

pminarik

Check them in the CLI, especially check for the option "external-blocklist-enable-all", as I wrote in my initial reply, and as @seshuganesh is trying to highlight below.


This option seems to be enabled by default, and it seems to be blocking the deletion (at least it did for me). 

[ corrections always welcome ]
Tim-Berland
New Contributor

Thank you so much @pminarik ! 
"show full-configuration | grep -f external-blocklist-enable-all" did show me where to look, there was an AV profile not visible in GUI that had it enabled .... Nice "Feature" :clown_face:
Have a great day !

PaulRoberts

Just ran into this issue myself, with a side order of it actually being caused by the FortiManager deciding it doesn't believe in the existence of any malware threat feeds after an update (7.2.4->7.2.5), so it tries to delete the malware feeds out of the appliance and breaks the push. Yay.

So, should someone encounter this, it's not an ideal solution but you'll basically have to make a script in the FortiManager that goes into 'config antivirus profile' and does a 'set external-blocklist-enable-all disable' for each profile, then 'config system external-resource' and delete the affected malware feeds (yes this sucks), and then back through the antivirus profiles again to switch them back. Optionally one may re-add the external resources in a second script which should be run after policy changes (because the policy changes won't be possible while the FortiManager continues to disbelieve in the existence of malware threat feeds), but frankly this is a giant PITA and not exactly a great look to have to disable a chunk of functionality because the FortiManager doesn't believe in it.
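
The CLI check that pminarik and Tim-Berland describe above, as an added example that is not part of the thread: a Python script that reads a saved `show full-configuration` dump and lists, per VDOM, every antivirus profile that still holds a reference to a given feed, including profiles the GUI does not show. The sample config and the feed name `Malware-Hash-Feed` are constructed, and the `set external-blocklist <names>` list form is an assumption not shown in the thread.

```python
import shlex

def blocking_profiles(config_text, feed):
    """Return (scope, profile, reason) for each AV profile that references feed."""
    hits, stack = [], []        # stack: names of the currently open config blocks
    scope = profile = None      # current VDOM ("global", "root", ...) and AV profile
    for raw in config_text.splitlines():
        try:
            tok = shlex.split(raw) or [""]   # [""] stands in for a blank line
        except ValueError:      # unbalanced quote, e.g. a multi-line value
            continue
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
            scope = "global" if stack == ["global"] else scope
        elif tok[0] == "end":
            del stack[-1:]      # pop, tolerating a stray "end"
        elif stack and stack[-1] == "vdom" and tok[0] == "edit" and len(tok) > 1:
            scope = tok[1]
        elif stack and stack[-1] == "antivirus profile":   # skips nested blocks
            if tok[0] == "edit" and len(tok) > 1:
                profile = tok[1]
            elif tok[:3] == ["set", "external-blocklist-enable-all", "enable"]:
                hits.append((scope, profile, "external-blocklist-enable-all enabled"))
            elif tok[:2] == ["set", "external-blocklist"] and feed in tok[2:]:
                hits.append((scope, profile, "feed listed in external-blocklist"))
    return hits

# Constructed sample, not output from a real device.
SAMPLE = """config global
config antivirus profile
    edit "g-wifi-default"
        config http
            set av-scan block
        end
        set external-blocklist-enable-all enable
    next
end
end
config vdom
edit root
config antivirus profile
    edit "branch-av"
        set external-blocklist "Other-Feed" "Malware-Hash-Feed"
    next
end
next
end
"""
```

Calling `blocking_profiles(SAMPLE, "Malware-Hash-Feed")` reports one profile in the global scope and one in the root VDOM; an empty result means no antivirus profile is holding the feed.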
