[AV/IPS updates only] The FortiGate uses port 443 (the same port as HTTPS) for AV and IPS updates. The system time must be set correctly for the SSL layer to work, since certificate validation depends on it. Check the system time under System > Dashboard > Status > "System Information" widget > System Time, and select [Change] to edit it or synchronize it to an NTP server.
If the problem has still not been resolved, open a ticket with Fortinet support to assist with troubleshooting. Please include the outputs of the debug commands that have already been performed.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
1st Step: Make sure the unit has a Valid Contract and Web Filter subscription.
FortiGuard Web filtering is a subscription service.
If the subscription has expired, FortiGuard web filtering will stop functioning and effectively return a rating error for every website accessed.
If this is the case, technical support cannot alter contract details.
Contact the Fortinet Customer Service department for issues regarding the contract status.
Test #1: Is the service enabled? Make sure that at least one firewall policy has a Web Filter and SSL/SSH Inspection profile enabled.
Run this CLI command in the FortiGate CLI or in the Console in the GUI:
If this test fails: the problem is DNS related.
Try using a different DNS server until this test can resolve.
Note: Some ISPs and networks block ICMP (ping) traffic. This should be taken into account before considering the test to have failed. The important part of this test is that the unit successfully resolves an FQDN to an IP, not that the ping succeeds.
If the Test is successful, proceed to Test #4.
Test #4: Can the FortiGate resolve a specific hostname?
FortiGate receives the most recent threat intelligence from FortiGuard. FortiGuard Distribution Network (FDN) provides it through data centers located in North America, Europe, and Asia. FortiGate can connect based on server load or choose to connect to the closest location. Through the FDN, FortiGuard offers many services, all of which need a license.
Live querying is carried out by features that use category-based filtering, such as the Web Filter and DNS Filter. Each request must be checked against FDN to determine the appropriate category of the domain being requested. To boost efficiency, the URL/domain classification is cached.
The category dictates whether the connection is refused or authorized, depending on the action defined for the category in the relevant Security Profile. If anycast is enabled, FortiGate connects to globalguardservice.fortinet.net; otherwise it connects to service.fortiguard.net. With anycast enabled it communicates via TCP port 443. If anycast is disabled, this can be changed to use UDP port 53 or 8888. If the location is specifically configured to connect to the United States, for example, the connection is forwarded to usguardservice.fortinet.net. Live querying requires continuous connectivity to FDN and a valid service license.
If live queries to categorize a URL fail, site access is blocked by default. This could be due to connectivity issues with FDN/FortiGuard or an expired web filter service license. End users may encounter an error in the browser as shown below.
The output above indicates that the web filter license is under contract and enabled. With anycast enabled, communication goes through port 443. If there is a connectivity issue, the 'Curr Lost' figure will keep increasing. The 'RTT' column shows the round trip time. A weight is allocated accordingly, and a server is picked based on its weight and RTT values.
For a thorough understanding of how a certain server is selected from the list, see Troubleshooting Tip: Resolving FDS Communication Issues (FortiGuard Distribution Servers).
When anycast is enabled, the connection to globalupdate.fortinet.net is made via TCP port 443. If anycast is disabled, it connects to update.fortiguard.net, also via TCP port 443. Several package objects are available, such as the IPS, AV, Internet Service, Device and OS Identification, and IP Geography databases.
The various packages and services that get verified when running 'execute update-now' are described in the article Technical Tip: Deciphering FortiGuard database abbreviations and subscriptions/services.
AV and IPS packages are signed by the Fortinet CA so that their authenticity can be verified before they are used. During automatic updates, only signed and validated packages are accepted. During manual package updates, the following applies:
The example shown above demonstrates various options to update packages. The IPS engine and IPS Database are updated using the same 'Action' tab against IPS. This is the same case for AV engines and AV databases as well.
Not all package updates can be done from the GUI; the Industrial DB is one example. Older firmware might only allow IPS and AV to be updated from the GUI. Other package updates need to be done from the CLI.
A schedule of once a week means any urgent updates will not be pushed until the scheduled time. If an urgent update is required, select the Update Licenses & Definitions Now button to manually update the definitions.
The default FortiGuard access mode is Anycast. It enforces SSL connections on port 443 and validates them using an OCSP (Online Certificate Status Protocol) stapling check. FortiGate obtains a single IP address for the domain name of each FortiGuard service, which improves routing efficiency because it connects to the nearest server. With Anycast enabled, FortiGate terminates a connection with FortiGuard if any of the following conditions apply:
In multi-VDOM mode, users can choose from which VDOM FortiGuard services and updates are initiated, instead of being locked to the management VDOM. However, this is possible only from firmware version 7.2 or above.
The SD-WAN rule will only take effect once the interface-select-method is set to SD-WAN. The same can be done from Local-Out-Routing: go to Network -> Local Out Routing to configure the available types of local out traffic.
By default, Local Out Routing is not visible in the GUI. Go to System -> Feature Visibility to enable it. From the CLI, the interface-select-method can be chosen as SD-WAN.
Make sure that the IP being used is routable/reachable within the network. A random IP cannot be configured or used as a source IP for FortiGuard connectivity, and the IP being used as the source should belong to an interface on FortiGate.
All devices that are part of HA should have a valid contract. If one device does not have a valid license, then HA will show that the cluster does not have a valid license. If the license is different, the cluster reflects the lowest-level license.
When fmg-update-port is set to 443, the update process will use port 443 to connect to the override update server, which is the local FortiGuard server in the FortiManager. If this is not set, the update process will use port 8890.
FortiGate sends to the proxy server an HTTP CONNECT request that specifies the IP address and port required for the FDN connection. The proxy server establishes the connection to FDN and passes information between FortiGate and FDN.
Packet capture can also be initiated to validate the connection if a TCP or SSL connection error is seen in the debug trace. The capture should be filtered using the IP seen in the update daemon debug trace.
This points to an issue with the SSL connection. Check whether any SSL inspection is being done upstream. A packet capture also helps verify whether the SSL handshake completes successfully. Alternatively, disable anycast and use UDP port 53 or 8888.
If a license that should be active is not currently available, you can use the following steps to troubleshoot your connection. After each troubleshooting step, go to System > FortiGuard to check if the licenses are now shown as available.
The most critical of these is the Web Filter rating query: if the FortiGate cannot get an answer about which category a website belongs to, access to that website is blocked by default. This means that if, for any reason, the FortiGate cannot reach the FortiGuard servers and it has security policies with Web Filtering by Category configured, those policies will BLOCK user access to ANY website, not just malicious ones.
First, check the license/subscription status and the FortiGuard connection status under System -> FortiGuard; the Web Filtering status should be green. This check reflects the subscription license status but does not always detect the current connection state, because subscription checks are done only occasionally and the result is cached. If the status is red, it is most probably a license/subscription issue to be checked with Fortinet TAC. To check actual connectivity to the FortiGuard servers, use the Test Connectivity button in the Filtering subsection of the same page; it should return a status of Up (green). Also pay attention to the FortiGuard Filter Rating Servers widget in the bottom right corner of the same page: it shows real-time statistics and the IP addresses of the servers the FortiGate is trying to reach. If the timings are unusually high and shown in red, there may be a network connectivity problem, which is examined next.
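The rating-server table described above (weight, RTT and a rising 'Curr Lost' count) can be read by a script so that a degrading FortiGuard connection is caught before category-based web filtering starts blocking every site. The following is an added example, not Fortinet code: the two snapshots are constructed and only modelled on the table described on the page, and the server-choice rule (lowest weight, then lowest RTT) is a simplified assumption rather than FortiOS's exact algorithm.

```python
import re

# Constructed sample snapshots (not real FortiGate output), laid out like the rating
# server table the page describes. Second snapshot is taken a few minutes after the first;
# one server has started losing packets, another omits the Flags column.
SNAPSHOT_T0 = """\
IP             Weight  RTT  Flags  TZ  FortiGuard-requests  Curr Lost  Total Lost
192.0.2.10     10      14   DI     -8  1324                 0          2
192.0.2.11     10      95   D      -8  1301                 0          0
198.51.100.5   30      120  D       1  877                  0          1
"""
SNAPSHOT_T1 = """\
IP             Weight  RTT  Flags  TZ  FortiGuard-requests  Curr Lost  Total Lost
192.0.2.10     10      14   DI     -8  1330                 0          2
192.0.2.11     40      95   D      -8  1301                 3          3
198.51.100.5   30      120         1  880                  0          1
"""

# IP, Weight, RTT, optional Flags, TZ, requests, Curr Lost, Total Lost
ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\d+)\s+([A-Z]*)\s*(-?\d+)\s+(\d+)\s+(\d+)\s+(\d+)")
FIELDS = ("weight", "rtt", "flags", "tz", "requests", "curr_lost", "total_lost")

def parse_server_table(text):
    """Return {ip: {field: value}}; header and non-matching lines are skipped."""
    servers = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ip, *vals = m.groups()
            servers[ip] = {k: (v if k == "flags" else int(v)) for k, v in zip(FIELDS, vals)}
    return servers

def choose_server(servers):
    """Simplified model (assumption, not FortiOS's algorithm): lowest weight, RTT breaks ties."""
    return min(servers, key=lambda ip: (servers[ip]["weight"], servers[ip]["rtt"]))

def degraded_servers(before, after, rtt_warn_ms=100):
    """Flag servers whose Curr Lost grew between snapshots, or whose RTT exceeds the threshold."""
    flagged = []
    for ip, now in after.items():
        prev_lost = before.get(ip, {}).get("curr_lost", 0)
        if now["curr_lost"] > prev_lost:
            flagged.append((ip, "Curr Lost rose %d -> %d" % (prev_lost, now["curr_lost"])))
        elif now["rtt"] > rtt_warn_ms:
            flagged.append((ip, "RTT %d ms above %d ms" % (now["rtt"], rtt_warn_ms)))
    return sorted(flagged)

def rating_outage_risk(before, after):
    """True when every rating server is losing packets: with no reachable server,
    category-based web filtering blocks all sites by default (fail-closed)."""
    return bool(after) and all(s["curr_lost"] > before.get(ip, {}).get("curr_lost", 0)
                               for ip, s in after.items())
```

Feed it two copies of the widget or CLI table captured a few minutes apart; a single server being flagged is a routing or ISP problem to investigate, while `rating_outage_risk` returning True means users are about to lose access to every category-filtered site.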