Hi Christophe,
It looks like atd_subscriber and forti_push.py work fine.
It seems that no IPs were identified during the ATD analysis process, hence forti_push.py didn't get executed.
I've attached a DXL message from my ATD appliance (sample.txt). You can see in the DXL message the IP address that I am parsing out with the script to update Fortinet. My ATD has the following analyzer profile configured:
My guess is that "Enable Malware Internet Access" needs to be enabled to receive network information like IPs / URLs. I will get this confirmed by one of our Technology Specialists for ATD and provide you with an update.
All the best,
Martin