oarslan
Staff
March 11, 2022

Technical Tip: FortiGuard flags and meanings

Description: This article describes the meaning of the FortiGuard flags shown when running the command diagnose debug rating.
Scope: FortiGate and FortiGuard.
Solution

To check the connectivity between the FortiGate and FortiGuard Web Filter rating servers, use the command diagnose debug rating or get webfilter status. For each IP address entry, the command will include the following statistics in the output:

  • Weight: Dynamically assigned value based on successful vs. failed packets sent to the server.
  • RTT: Round-trip delay.
  • Flags: (See section below).
  • TZ: Server time zone.
  • FortiGuard-Requests: Total number of queries sent from the FortiGate to this server.
  • Curr Lost: The number of recent and consecutive queries that have not received a server reply.
  • Total lost: The historical total number of queries without reply; these values reset when the device restarts.

 

Based on these statistics, the FortiGate uses the following method to determine which server should be contacted for Web Filter rating requests:

  • The FortiGate initially uses the delta between the server time zone and the FortiGate system time zone multiplied by 10 to set the initial weight of the server (a lower weight value is better). To reduce the possibility of using a geographically distant server, the weight is not allowed to drop below the initially calculated value.
  • The weight value increases with each lost web rating request, and likewise, it goes down over time with each successful web rating request.
  • The FortiGate orders the available server entries from lowest weight to highest weight (the topmost entry is preferred). If two or more servers have the same weight, then the FortiGate uses the lowest round-trip time (RTT) as a tie-breaker.
  • If load balancing is enabled, then the FortiGate selects multiple servers to use for Web Filter rating requests (see also: Technical Tip: How to enable load balancing for FortiGuard Webfilter Rating requests on the FortiGate).

 

The following screenshot shows sample output taken from the diagnose debug rating command, with the Flags section highlighted:

 

[Screenshot: sample diagnose debug rating output with the Flags section highlighted]

 

The following are explanations for the flags that can appear in this section of the command output:

  • I=Initial: The server was initially contacted to validate the license and retrieve the list of FortiGuard rating servers. Usually, there is only one server with this flag.
  • D=Default: Indicates that this server was retrieved by the FortiGate resolving the FortiGuard web rating FQDN via DNS. For more info on these FQDNs, refer to the following documentation: Anycast and unicast services.
  • S=Serving: IP address of rating servers received via FortiManager.
  • T=Timing: Indicates that the FortiGate has sent a NOOP request to the server and is currently waiting for a response. This request is done every two minutes to check reachability, and if the server does not reply after 15 seconds, then it is considered to be unreachable/failed.
  • F=Failed: The server has not responded to queries or reachability checks and is considered to be unreachable/failed.
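
The server-ordering rules and flag meanings described above can be applied to saved command output to spot degraded rating servers. The following Python is an added example, not Fortinet code or part of the original article; the column layout, the sample rows (documentation-range IPs), the absolute-value reading of the time zone delta, and the helper names are assumptions.

```python
# Added example. Column layout and rows are constructed, not captured from a device.
SAMPLE = """\
IP             Weight  RTT  Flags  TZ  FortiGuard-Requests  Curr Lost  Total Lost
192.0.2.10     10      45   DI     -5  262432               0          846
192.0.2.11     10      30          -5  1040                 0          3
198.51.100.7   70      120  T       3  12                   0          0
203.0.113.9    150     210  F       8  57                   6          57
"""
FLAG_NAMES = {"I": "Initial", "D": "Default", "S": "Serving",
              "T": "Timing", "F": "Failed"}

def parse_rating(text):
    """Parse server rows. Flags may be empty, so the column is detected by content."""
    servers = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or not tok[0][0].isdigit():
            continue  # skip header and blank lines
        flags = tok.pop(3) if tok[3].isalpha() else ""
        ip, weight, rtt, tz, requests, curr_lost, total_lost = tok
        servers.append({
            "ip": ip, "weight": int(weight), "rtt": int(rtt), "tz": int(tz),
            "flags": [FLAG_NAMES.get(f, f) for f in flags],
            "requests": int(requests), "curr_lost": int(curr_lost),
            "total_lost": int(total_lost)})
    return servers

def initial_weight(server_tz, fortigate_tz):
    # Assumption: the "delta" is the absolute difference in hours.
    return abs(server_tz - fortigate_tz) * 10

def preference_order(servers):
    """Lowest weight first; lowest RTT breaks ties."""
    return sorted(servers, key=lambda s: (s["weight"], s["rtt"]))

def needs_attention(servers, fortigate_tz):
    """Failed flag, unanswered recent queries, or weight above the initial floor."""
    out = []
    for s in servers:
        excess = s["weight"] - initial_weight(s["tz"], fortigate_tz)
        if "Failed" in s["flags"] or s["curr_lost"] > 0 or excess > 0:
            out.append((s["ip"], excess))
    return out

if __name__ == "__main__":
    servers = parse_rating(SAMPLE)
    for s in preference_order(servers):
        print(s["ip"], s["weight"], s["rtt"], ",".join(s["flags"]) or "-")
    print("check:", needs_attention(servers, fortigate_tz=-4))
```

A weight above the initial floor means the server has lost rating requests that successful replies have not yet offset, so it is reported alongside servers carrying the F flag or a non-zero Curr Lost.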

 

Related articles:

Troubleshooting Tip: Resolving FDS Communication Issues (FortiGuard Distribution Servers)

Troubleshooting Tip: Unable to connect to FortiGuard servers

Technical Tip: FortiGuard Overview and Troubleshooting