OpenDXL ATD Fortinet

  • mohl1 added a new solution:


    McAfee Advanced Threat Defense (ATD) will produce local threat intelligence that is pushed via DXL. An OpenDXL wrapper will subscribe to and parse the IP indicators ATD produced and will automatically update firewall rules.

    McAfee Advanced Threat Defense (ATD) is a malware analytics solution combining signatures and behavioral analysis techniques to rapidly identify malicious content and provide local threat intelligence. ATD exports IOC data in STIX format in several ways, including DXL.…anced-threat-defense.aspx

    Fortinet firewalls provide a high-performance network security protection platform.…-generation-firewall.html

  • Hi, I set up everything as it should be, but I still get error messages and the Address Group is not generated.

    /usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/ InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See:…d-usage.html#ssl-warnings


    LOGIN successful

    Traceback (most recent call last):
      File "", line 180, in <module>
        host = sys.argv[1]
    IndexError: list index out of range

    Related to the account needed at the FortiGate ... do we need a REST admin account (with PKI and API key) or do we need a simple user account with some rights?

  • We have contacted the solution developer over this issue; if there is indeed a bug or some other problem (documentation, perhaps) it should be addressed in the near future.

    In the meantime, you can protect against this error by checking the length of the command line arguments supplied to the script to handle the problem gracefully. For example:

    import sys

    if __name__ == "__main__":
        fgt = FGT(fgt_ip)
        fgt.login(user, pw)
        # sys.argv[0] is always the script name, so fewer than two entries means no host was passed
        if len(sys.argv) < 2:
            # ---> Handle the scenario here <---
            sys.exit("usage: <script> <host-ip>")
        else:
            host = sys.argv[1]

  • Hi Christoph,

    Thanks for your post. How do you execute the scripts? The main purpose of the scripts is to receive the ATD DXL message and extract C2 communication.

    First you execute the . This will start an ATD subscriber that will wait for DXL messages from ATD.

    As soon as a DXL message is published, it will extract the C2 communication and execute the script with the IP.

    Here are some more details.

    import os

    try:
        # Get Destination IP and push to Fortinet
        ips = query['Summary']['Dst IP']
        if not ips:
            pass        # report carries no destination IP, so nothing is pushed
        else:
            ipv4 = ips
            print ipv4
            # the IP is inserted into a shell command line; it comes straight from the
            # ATD report, so it should be validated as a plain IPv4 address before this call
            os.system('python ' + ipv4)
    except: pass        # swallows a missing 'Summary' / 'Dst IP' key (and any other error)

    In line 39 you see that the script executes the script including the first argument (in this case the IP).

    You can also execute the script directly, e.g.


    Please let us know how it goes.


  • May I have some more detail on the integration of DXL with the Fortinet firewall?

    It is confusing me whether the Python script needs to run on ATD or DXL. Can anyone share a step-by-step configuration with me?

  • Hi Mohl, Ncolter,

    I've set up the entire thing with an ATD trial and let our developer adjust some code in the "" to log to a separate file.

    When I execute, for example, "ransomware petya" in our ATD we receive a lot of information in our log, but the BadIPList on the FortiGate isn't updated. I also don't see the startup of the file "" in our log.

    In the analyzer profile on the ATD I disabled "Enable Malware Internet Access" for security reasons. We don't have a separate internet breakout for testing.

    My question:

    Does an analyzer profile with dynamic analyze options enabled, capture network traffic of a threat with "Enable Malware Internet Access" disabled?

    I presume the Petya virus contains some public IPs for C&C which need to be pushed to the FortiGate.


    forti_push already tested with "python" and this works.



  • Hi Christophe,

    In the 'atd_subscriber.txt' file that you attached, it appears that the ATD file report does not include a non-empty value for the "Dst IP" (see…1.0/ or "Ips" (see

    For example:



    "Summary": {
        "Dst IP": "",

    Since no IPs are present in the report, it appears that the "atd_subscriber" script would not try to run the "" script.

    I don't immediately have any explanation as to why the ATD report would not include any IP address information. Maybe Martin or Nolan would have an idea about this? Is there some other action with ATD that you might be able to trigger which would include IPs in the report, to see that the basic Python script integration with Fortinet is functioning properly?
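    An added example that is not part of the original thread or the solution's own code: the extraction and hand-off step shown in mohl1's snippet above, written so that the empty "Dst IP" case from the attached log simply yields nothing, the alternative "Ips" field name is also checked, and the address reaches the push script as an argument list rather than a shell string. The sample payloads and the script name forti_push.py are constructed assumptions.

```python
from __future__ import print_function
import json
import subprocess

# Constructed sample payloads in the shape the thread discusses (not real ATD reports).
REPORT_WITH_IP = json.dumps({"Summary": {"Dst IP": "203.0.113.7", "Verdict": "Malicious"}})
REPORT_EMPTY_IP = json.dumps({"Summary": {"Dst IP": ""}})  # the case seen in the attached log
REPORT_IPS_KEY = json.dumps({"Summary": {"Ips": ["198.51.100.9", "203.0.113.7"]}})

PUSH_SCRIPT = "forti_push.py"  # assumed name of the script that updates the FortiGate


def is_ipv4(value):
    """Strict dotted-quad check: four decimal octets, each 0-255, no leading zeros."""
    parts = value.split(".")
    if len(parts) != 4:
        return False
    for p in parts:
        if not p.isdigit() or int(p) > 255 or (len(p) > 1 and p[0] == "0"):
            return False
    return True


def extract_dst_ips(payload):
    """Return validated IPv4 strings from Summary/'Dst IP' or Summary/'Ips', else []."""
    summary = json.loads(payload).get("Summary", {})
    raw = summary.get("Dst IP") or summary.get("Ips") or ""
    if not isinstance(raw, list):
        raw = raw.split(",")  # a report may pack several addresses into one string
    seen, ips = set(), []
    for item in raw:
        ip = item.strip()
        if ip and is_ipv4(ip) and ip not in seen:  # anything but a bare IPv4 is dropped
            seen.add(ip)
            ips.append(ip)
    return ips


def push_ips(payload, runner=subprocess.call):
    """Hand each validated IP to the push script; returns the argument lists launched."""
    launched = []
    for ip in extract_dst_ips(payload):
        cmd = ["python", PUSH_SCRIPT, ip]  # argv list, no shell: the IP cannot add commands
        runner(cmd)
        launched.append(cmd)
    return launched


if __name__ == "__main__":
    # Dry run: print the command lines instead of executing them.
    for sample in (REPORT_WITH_IP, REPORT_EMPTY_IP, REPORT_IPS_KEY):
        push_ips(sample, runner=lambda cmd: print(" ".join(cmd)))
```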

  • Hi Christophe,

    Looks like atd_subscriber and the work fine.

    It seems that no IPs were identified during the ATD analysis process, hence the didn't get executed.

    I've attached a DXL message from my ATD appliance (sample.txt). You can see in the DXL message the IP address that I am parsing out with the script to update Fortinet. My ATD has the following analyzer profile configured:

    My guess is that "Enable Malware Internet Access" needs to be enabled to receive network information like IPs / URLs. I will get this confirmed by one of our Technology Specialists for ATD and provide you with an update.

    All the best,



    • sample.txt
