Before contacting Technical Support, verify the following settings:

- A valid DNS server has been configured for the FortiGate unit. Try the CLI command exec ping service.fortiguard.net. The FortiGate should be able to resolve the DNS name to an IP. Note that a host behind the FortiGate being able to resolve the DNS name does not necessarily mean that the FortiGate can, since the two can be configured with different DNS servers.
- The FortiGate unit has a valid default gateway set. Try pinging a public Internet address to test the default gateway.
- The FortiGate has to have at least one Firewall Policy with an Antivirus Profile applied; otherwise, it will never attempt to update the Antivirus Engine or Database.

Try the following connectivity tests:

- Log in to the FortiGate CLI using a console cable or Telnet/SSH session.
- Verify that the FortiGate unit can contact the secondary Fortinet Distribution Network (FDN) server by pinging the server from the command line interface (CLI). Enter exec ping fds1.Fortinet.com. If the secondary server does not respond to the ping, confirm routing and DNS settings as described above.
- If the secondary server responds to the ping, the specific update traffic may be blocked in the network. In Transparent mode, the Management IP should be mapped to a routable IP, and that IP must be reachable from the Internet.
- Set up a traffic analyzer on the management LAN segment and capture the traffic on this network during an attempted update.

Look for the following protocols, which the FortiGate unit uses to connect to the FDN:

- TCP/443 is used for the SSL connection to retrieve the updates.
- UDP/9443 is used for receiving PUSH announcements.

The FortiGate has a diagnose command to monitor the traffic on an interface. Enter:

    diagnose sniff packet any 'port 9443'

After the sniffer has served its purpose, press Ctrl + C to stop it. Otherwise, it will run indefinitely.

Enter get sys time from the CLI to make sure that the certificates are not being invalidated by incorrect system time.

Enter get sys auto from the CLI. If the last update status is Unauthorized, the coverage may have expired.

- If any Antivirus profile is in use in the firewall policy, check the FortiGuard settings for source-ip and add it if it is missing:

    config system fortiguard
        set source-ip x.x.x.x
    end

Insert the LAN interface IP of the FortiGate that can connect to FortiGuard. Then run the update again with 'execute update-now' as follows:

    diagnose debug disable
    diagnose debug reset
    diagnose debug application update -1
    diagnose debug enable
    execute update-now

Once updates are completed, disable debug by:

    diagnose debug disable
    diagnose debug reset

Run the following command to check whether the Antivirus Engine and Virus Definitions have been updated:

    diagnose autoupdate versions

If the above does not help, contact support.

Contacting Fortinet Technical Support:

Prepare the following diagnostic information before contacting technical support.

- Log in to the FortiGate CLI using a console cable or Telnet/SSH session.
- Run the following commands:

    diagnose autoupdate versions
    diagnose autoupdate status
    diagnose debug reset
    diagnose debug application update -1
    diagnose debug enable
    execute update-now    <- This command will force an update so that the debugging generates output.

- As an alternative to 'execute update-now', from the web-based manager, select Update Now on the system update page; this has the same effect as the last command above.
- Once the output is generated, stop and reset all running debugs using:

    diagnose debug disable
    diagnose debug reset

- Capture the console session output into a file and attach it to the ticket, along with the configuration file, for review by the appropriate support team.
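The console capture above is usually reviewed by eye. As an added example (not Fortinet code and not part of this article), the script below parses pasted `diagnose autoupdate versions` output into per-component fields and flags the two conditions the article tells you to look for: an update result other than a successful one (such as Unauthorized) and a contract expiry date that has already passed. The SAMPLE_OUTPUT text is constructed to mirror the general block-per-component shape of that command's output; field names and values in it are assumptions, not a captured session.

```python
"""Flag failed or expired FortiGuard update components from pasted
`diagnose autoupdate versions` output.  Added example, not Fortinet code.
The sample text below is constructed; real output may differ in detail."""
import re
from datetime import date, datetime

# Constructed sample in the general shape of the command's output.
SAMPLE_OUTPUT = """\
AV Engine
---------
Version: 6.00155 signed
Contract Expiry Date: Wed Aug 21 2024
Last Updated using manual update on Tue Jun 18 10:35:07 2019
Last Update Attempt: Fri Nov 13 21:20:12 2020
Result: No Updates

Virus Definitions
---------
Version: 81.01099 signed
Contract Expiry Date: Wed Aug 21 2024
Last Updated using scheduled update on Fri Nov 13 10:40:07 2020
Last Update Attempt: Fri Nov 13 21:20:12 2020
Result: Unauthorized
"""

# Result strings treated as healthy (assumption for this example).
OK_RESULTS = {"Updates Installed", "No Updates"}


def parse_versions(text):
    """Return {component name: {field: value}} for each blank-line-separated block.

    The first line of a block is the component name, a dashed line is a
    separator, and the remaining lines are 'Key: value' pairs.  The
    'Last Updated using <method> on <date>' line is split into two fields
    because its date contains colons of its own.
    """
    components = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None          # blank line ends the current block
            continue
        if current is None:
            current = components.setdefault(line, {})
            continue
        if set(line) == {"-"}:
            continue                # dashed underline, carries no data
        m = re.match(r"Last Updated using (.+) on (.+)$", line)
        if m:
            current["Update Method"] = m.group(1)
            current["Last Updated"] = m.group(2)
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return components


def parse_expiry(value):
    """Parse 'Wed Aug 21 2024' into a date, or None if the format is unexpected."""
    try:
        return datetime.strptime(value, "%a %b %d %Y").date()
    except ValueError:
        return None


def find_problems(components, today=None):
    """Return {component: [reasons]} for every component that needs attention.

    `today` is an ISO date string (e.g. '2020-11-14'); it defaults to the
    current date.  A contract that expired before `today` and any update
    result outside OK_RESULTS are reported.
    """
    as_of = date.fromisoformat(today) if today else date.today()
    problems = {}
    for name, fields in components.items():
        reasons = []
        result = fields.get("Result", "")
        if result not in OK_RESULTS:
            reasons.append(f"last update result: {result or 'missing'}")
        expiry = parse_expiry(fields.get("Contract Expiry Date", ""))
        if expiry is None:
            reasons.append("contract expiry date unreadable")
        elif expiry < as_of:
            reasons.append(f"contract expired on {expiry.isoformat()}")
        if reasons:
            problems[name] = reasons
    return problems


if __name__ == "__main__":
    for name, reasons in find_problems(parse_versions(SAMPLE_OUTPUT)).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Paste the real command output into a file and feed it to parse_versions instead of SAMPLE_OUTPUT; an "Unauthorized" result combined with a past expiry date is the coverage-expired case the article describes, while "Unauthorized" with a valid contract points back at the source-ip and connectivity checks.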