This article describes how to troubleshoot the ‘Threat feed update failed’ error when the feed list is configured.
Scope
FortiGate v7.2.0 and later, v7.4.0 and later.
Solution
After the ‘Threat feed’ is configured as described in the ‘Threat feeds’ documentation, the GUI shows the error if the connection to the URL fails.
To validate the connection from the CLI, enable the forticron debug:
diagnose debug application forticron -1
diagnose debug console timestamp enable
diagnose debug enable
Next, trigger a threat-feed refresh with one of the following commands:
diagnose test application forticron 8 <----- Reload external resource.
execute update-external-resource <threat-feed name> <----- Only the requested threat-feed will be updated.
After one of the above commands is executed, the forticron debug shows the following messages:
2024-07-24 12:35:50 2674-init-as: fd=-1 name='ext-053825ae-4937-51ef-6016-f8976124c21a' feed_name='ext-root.IOC-SISAP' http_1=0 loc=0 state=send.body info=0-None chunk=0 content-0=0 etag=0 csum=0 done=0 closed=0 sync-0(len=0 note=0 err=0) buf-1(sz=8192 data=0 free=8192 pos=0 end=0 max=134217728)
2024-07-24 12:35:50 http_request_make()-2155: HTTP request: http
GET /IoC/ExternalThreats/threats.txt HTTP/1.1
Host: 192.168.13.21
User-Agent: curl/7.58.0
Accept: */*
Connection: close
2024-07-24 12:35:50 http_request_make()-2190: fcron_get_addr(192.168.13.21)
2024-07-24 12:35:50 __http_resolv_cb()-1970: fos_epoll_add(22)
2024-07-24 12:35:50 __update_ext()-248: Updating EXT 'IOC-SISAP' with HTTP
2024-07-24 12:35:50 fcron_timer_func()-32: Timer ext_upd done
2024-07-24 12:35:50 fcron_epoll_before_handle()-264: BEFORE WRITE fd 22 handle event 0x04 write 0xd907d0 epoll events 0x04
2024-07-24 12:35:50 __http_connect()-1865: tcps_connect(192.168.13.21) is established.
…
2024-07-24 12:35:50 fcron_epoll_after_handle()-280: AFTER WRITE ret 0
2024-07-24 12:35:50 fcron_epoll_before_handle()-260: BEFORE READ fd 22 handle event 0x01 read 0xd906a0 epoll events 0x01
2024-07-24 12:35:50 __http_recv()-1795: Server [192.168.13.21:80]: read=428 data=428 free=7764
2024-07-24 12:35:50 2674-Loop-handle: fd=22 name='ext-053825ae-4937-51ef-6016-f8976124c21a' feed_name='ext-root.IOC-SISAP' http_1=1 loc=0 state=recv.header info=0-None chunk=0 content-0=0 etag=0 csum=0 done=0 closed=0 sync-0(len=0 note=0 err=0) buf-1(sz=8192 data=428 free=7764 pos=0 end=428 max=134217728)
2024-07-24 12:35:50 2674-__http_recv_handle_header: fd=22 name='ext-053825ae-4937-51ef-6016-f8976124c21a' feed_name='ext-root.IOC-SISAP' http_1=1 loc=0 state=recv.header info=0-None chunk=0 content-0=0 etag=0 csum=0 done=0 closed=0 sync-0(len=0 note=0 err=0) buf-1(sz=8192 data=428 free=7764 pos=0 end=428 max=134217728)
2024-07-24 12:35:50 __http_recv_handle_header()-1419:
HTTP/1.1 404 Not Found
Date: Wed, 24 Jul 2024 18:35:50 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
Content-Length: 229
Connection: close
Content-Type: text/html; charset=iso-8859-1
2024-07-24 12:35:50 __http_recv_handle_header()-1435: response code is 404
2024-07-24 12:35:50 __http_recv_handle_header()-1450: Try with HTTP 1.0
2024-07-24 12:35:50 __set_next_retry_time()-225: Next update for ext 'IOC-SISAP' fires in 0 seconds
2024-07-24 12:35:50 ext_update_result()-339: HTTP result=4: __http_recv_handle_header() Try again with HTTP 1.0
2024-07-24 12:35:50 2674-__http_stop: fd=22 name='ext-053825ae-4937-51ef-6016-f8976124c21a' feed_name='ext-root.IOC-SISAP' http_0=1 loc=0 state=recv.body info=0-Resource not found chunk=0 content-0=0 etag=0 csum=0 done=0 closed=0 sync-0(len=0 note=0 err=0) buf-1(sz=8192 data=428 free=7764 pos=0 end=428 max=134217728)
2024-07-24 12:35:50 __http_stop()-734: Close http connect: response code not Accept
After the TCP three-way handshake with the web server 192.168.13.21 is completed, the FortiGate (HTTP client) sends the ‘HTTP GET’ to obtain the threat feed information for the URL.
The web server responds with the HTTP error code 404, which means that the server could not find the webpage/URL requested by the client.
When the connection is successful, after the HTTP GET request, the server will respond with the HTTP 200 OK:
HTTP/1.1 200 OK
Date: Thu, 25 Jul 2024 19:53:46 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
Last-Modified: Thu, 25 Jul 2024 19:51:48 GMT
ETag: "8c-61e17b9b2678e"
Accept-Ranges: bytes
Content-Length: 140
Connection: close
Content-Type: text/plain; charset=UTF-8
FortiGate will then update the threat feed list:
2674-Remove-header: fd=22 name='ext-053825ae-4937-51ef-6016-f8976124c21a' feed_name='ext-root.IOC-SISAP' http_1=1 loc=0 state=recv.body info=0-None chunk=0 content-1=140 etag=0 csum=0 done=0 closed=0 sync-0(len=0 note=0 err=0) buf-1(sz=8192 data=140 free=8052 pos=0 end=140 max=134217728)
2674-__http_recv_handle_body: fd=22 name='ext-053825ae-4937-51ef-6016-f8976124c21a' feed_name='ext-root.IOC-SISAP' http_1=1 loc=0 state=recv.body info=0-None chunk=0 content-1=140 etag=0 csum=0 done=0 closed=0 sync-0(len=0 note=0 err=0) buf-1(sz=8192 data=140 free=8052 pos=0 end=140 max=134217728)
2674-__http_recv_handle_body_done: fd=22 name='ext-053825ae-4937-51ef-6016-f8976124c21a' feed_name='ext-root.IOC-SISAP' http_1=1 loc=0 state=recv.body_done info=0-None chunk=0 content-1=140 etag=0 csum=0 done=0 closed=0 sync-1(len=140 note=0 err=0) buf-1(sz=8192 data=0 free=8192 pos=0 end=0 max=134217728)
load_ext_ip_line()-2127: invalid ip range 34.25.871 <---
ext_entry_count_write()-349: 053825ae-4937-51ef-6016-f8976124c21a: wrote 12 entries to file <---
ext_csum_write()-893: ext-053825ae-4937-51ef-6016-f8976124c21a: csum='c0097e05f5ba5bf670f987c983f2a0c7'
ext_update_result()-339: HTTP result=0: Succ
ext_http_etag_write()-829: ext-053825ae-4937-51ef-6016-f8976124c21a: etag='"8c-61e17b9b2678e"'
ext_file_sync()-1250: update done: tag=1
2674-before-init: fd=22 name='ext-053825ae-4937-51ef-6016-f8976124c21a' feed_name='ext-root.IOC-SISAP' http_1=1 loc=0 state=recv.body_done info=1-Succ chunk=0 content-1=140 etag=0 csum=0 done=1 closed=0
The FortiGate GUI then shows this successful update status for the threat feed.
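The forticron debug output above can also be triaged offline. The following is an added example, not Fortinet code and not part of the original article: a Python helper that condenses a saved debug capture into the fields the article reads by eye. The function name `summarize` and the dictionary keys are assumptions; the patterns and sample lines are taken from the debug messages quoted above.

```python
import re

# Patterns match the forticron debug messages quoted in this article.
PATTERNS = {
    "feed": re.compile(r"Updating EXT '([^']+)'"),
    "http_status": re.compile(r"response code is (\d{3})"),
    "result": re.compile(r"HTTP result=(\d+): (.+)"),
    "invalid": re.compile(r"invalid ip range (\S+)"),
    "written": re.compile(r"wrote (\d+) entries to file"),
}

# Excerpts copied from the article's failed and successful captures.
FAILED = """\
2024-07-24 12:35:50 __update_ext()-248: Updating EXT 'IOC-SISAP' with HTTP
2024-07-24 12:35:50 __http_recv_handle_header()-1435: response code is 404
2024-07-24 12:35:50 ext_update_result()-339: HTTP result=4: __http_recv_handle_header() Try again with HTTP 1.0
2024-07-24 12:35:50 __http_stop()-734: Close http connect: response code not Accept
"""
SUCCEEDED = """\
load_ext_ip_line()-2127: invalid ip range 34.25.871
ext_entry_count_write()-349: 053825ae-4937-51ef-6016-f8976124c21a: wrote 12 entries to file
ext_update_result()-339: HTTP result=0: Succ
"""

def summarize(debug_text):
    """Condense one forticron debug capture into a triage summary (hypothetical helper)."""
    s = {"feed": None, "http_status": None, "result": None,
         "result_text": None, "invalid": [], "written": None}
    for line in debug_text.splitlines():
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if key == "invalid":
                s["invalid"].append(m.group(1))   # entries the parser rejected
            elif key == "result":
                s["result"], s["result_text"] = int(m.group(1)), m.group(2).strip()
            elif key in ("http_status", "written"):
                s[key] = int(m.group(1))
            else:
                s[key] = m.group(1)
    # In the article's captures result=0 ("Succ") marks a good update.
    s["ok"] = s["result"] == 0
    return s

if __name__ == "__main__":
    for name, capture in (("failed", FAILED), ("succeeded", SUCCEEDED)):
        print(name, summarize(capture))
```

The successful capture in the article reports an invalid entry in the same update that ends with result=0, so check the `invalid` list even when `ok` is true.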