Technical Tip: FortiWeb to FortiGuard connectivity troubleshooting
Description
This article provides a few basic troubleshooting steps if there are difficulties establishing the connection.
Solution
If there are difficulties in establishing the connection to FortiGuard and receiving updates, try an 'exec update-now' and wait at least an hour to be safe. If that does not work, proceed to the next steps.
- Is there a static route on the FortiWeb to direct traffic to the upstream gateway?
- Have the FortiWeb service contract(s) been registered on the support site for this unit? Keep in mind that the FortiWeb Security Service and antivirus Service are sold separately.
- Is there an upstream device that is performing NAT? If in reverse-proxy mode, it is recommended that a NAT device be upstream.
- Can the FortiWeb ping an external IP?
execute ping service.fortiguard.net <----- UDP port 53, 8888; UDP and worldwide servers.
execute ping securewf.fortiguard.net <----- HTTPS over port 443, 53, 8888; HTTPS and worldwide servers.
execute ping update.fortiguard.net <----- TCP port 443.
execute ping usupdate.fortinet.net <----- TCP port 443.
execute ping usservice.fortiguard.net <----- UDP and USA-based-only servers.
execute ping ussecurewf.fortiguard.net <----- HTTPS and USA-based-only servers.
execute ping 8.8.8.8
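The ping list above only proves ICMP reachability. As an added example (not part of the Fortinet article), the script below runs the same endpoint/port matrix from an admin workstation on the FortiWeb's network segment, so a DNS failure can be told apart from a blocked egress port before the FDS debug is turned on. The hostnames and ports are the ones quoted in the article; UDP entries cannot be confirmed with a TCP connect and are reported as unverified so they are checked with a sniffer instead. The `resolver` and `connector` parameters exist so the logic can be exercised with fakes; by default they use real DNS and real TCP handshakes.

```python
"""Added example: host-side pre-flight check of the FortiGuard endpoint matrix.
Not code from the Fortinet article; the endpoint list is copied from it."""
import socket
from typing import Callable, Dict, List, Optional, Tuple

Endpoint = Tuple[str, str, List[int]]  # (hostname, protocol, ports)

# Worldwide FortiGuard endpoints and ports as listed in the article.
ENDPOINTS: List[Endpoint] = [
    ("service.fortiguard.net", "udp", [53, 8888]),
    ("securewf.fortiguard.net", "tcp", [443, 53, 8888]),
    ("update.fortiguard.net", "tcp", [443]),
    ("usupdate.fortinet.net", "tcp", [443]),
]


def resolve(host: str) -> Optional[str]:
    """Resolve a hostname to an IPv4 address; None when DNS fails."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def tcp_connect(ip: str, port: int, timeout: float = 3.0) -> bool:
    """Attempt a TCP handshake; True when the port answers."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_endpoints(
    endpoints: List[Endpoint],
    resolver: Callable[[str], Optional[str]] = resolve,
    connector: Callable[[str, int], bool] = tcp_connect,
) -> List[Dict]:
    """Return one result per endpoint with a verdict:
    dns-failure, udp-unverified, ok, or egress-blocked:<ports>."""
    results = []
    for host, proto, ports in endpoints:
        ip = resolver(host)
        entry: Dict = {"host": host, "proto": proto, "ip": ip, "ports": {}}
        if ip is None:
            entry["verdict"] = "dns-failure"
        elif proto == "udp":
            # A TCP connect says nothing about UDP; verify with a packet capture.
            entry["verdict"] = "udp-unverified"
        else:
            for port in ports:
                entry["ports"][port] = connector(ip, port)
            blocked = [p for p, ok in entry["ports"].items() if not ok]
            entry["verdict"] = (
                "ok" if not blocked
                else "egress-blocked:" + ",".join(str(p) for p in blocked)
            )
        results.append(entry)
    return results


def failures(results: List[Dict]) -> List[str]:
    """Findings that need action (DNS or blocked egress), one line each."""
    return [
        f"{r['host']}: {r['verdict']}"
        for r in results
        if r["verdict"] not in ("ok", "udp-unverified")
    ]


if __name__ == "__main__":
    for line in failures(check_endpoints(ENDPOINTS)) or ["all TCP endpoints reachable"]:
        print(line)
```

A DNS failure on every host points at the static route or DNS settings (the first two checklist items); a blocked 443 or 53 on one host with DNS working points at the upstream firewall or NAT device.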
- Is the flash okay? Check the crashlog (diagnose debug cr re, the abbreviated CLI form) and the console output during reboot. Output like the following indicates a read-only flash:
failed to create crash file: Read-only file system
miglog_disk_create_upload_dir error
If that is the case, back up the configuration if at all possible, format the flash, reload the firmware and the configuration, and try the update again.
- Check the disk usage, particularly for /var/log:
diagnose system mount list
If usage is high, for example 99%, format the log disk (this requires a reboot).
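The two storage checks above (read-only flash in the crashlog, a full /var/log in the mount list) are easy to miss when scanning long console output. As an added example that is not part of the Fortinet article, the script below matches the two crashlog signatures quoted in the article and flags any mount at or above a usage threshold. The crashlog lines are the ones from the article with a constructed timestamp line added; the mount listing is a constructed df-style sample, because the article does not show the real `diagnose system mount list` layout, so the column order the parser assumes is a hypothesis to adjust against the real output.

```python
"""Added example: triage of FortiWeb crashlog and mount-list output.
Not code from the Fortinet article; the signatures are quoted from it."""
import re
from typing import Dict, List

# Signatures quoted from the article for a read-only flash.
READONLY_FLASH_SIGNATURES = (
    "failed to create crash file: Read-only file system",
    "miglog_disk_create_upload_dir error",
)

# Constructed crashlog excerpt: the article's two lines plus a filler line.
SAMPLE_CRASHLOG = """\
2024-01-01 00:00:00 boot: starting services
failed to create crash file: Read-only file system
miglog_disk_create_upload_dir error
"""

# Constructed df-style listing (assumed layout: device mountpoint size used avail use%).
SAMPLE_MOUNT_LIST = """\
/dev/sda1   /            3.8G   1.2G   2.4G  33%
/dev/sdb1   /var/log    48.0G  47.5G   0.1G  99%
"""

MOUNT_RE = re.compile(r"^(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+(\d+)%\s*$")


def readonly_flash_hits(crashlog: str) -> List[str]:
    """Lines in the crashlog that match a read-only flash signature."""
    return [
        line for line in crashlog.splitlines()
        if any(sig in line for sig in READONLY_FLASH_SIGNATURES)
    ]


def parse_mount_list(text: str) -> Dict[str, int]:
    """Map mount point -> usage percent; lines that do not fit the layout are skipped."""
    usage: Dict[str, int] = {}
    for line in text.splitlines():
        m = MOUNT_RE.match(line)
        if m:
            usage[m.group(2)] = int(m.group(3))
    return usage


def triage(crashlog: str, mount_list: str, threshold: int = 90) -> List[str]:
    """Findings with the remediation the article prescribes for each."""
    findings: List[str] = []
    if readonly_flash_hits(crashlog):
        findings.append("flash-readonly: back up config, format flash, reload firmware and config")
    for mountpoint, pct in parse_mount_list(mount_list).items():
        if pct >= threshold:
            findings.append(f"disk-full:{mountpoint}:{pct}%: format log disk (reboot required)")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_CRASHLOG, SAMPLE_MOUNT_LIST):
        print(finding)
```

Paste the real crashlog and mount-list output in place of the constructed samples; a clean device returns an empty list from `triage`.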
- Run a packet capture (sniffer) to see whether the port 443 and port 53 traffic is egress only, with no replies coming back. Both ports are required for FortiGuard services to work.
- Make sure the firmware is at least firmware.
- Try FDS debugging:
diagnose debug application fds 7
diagnose debug application updated 7
diagnose debug enable
FortiGuard updates use port 443 on the FortiWeb. An upstream firewall that performs SSL inspection replaces the FortiGuard server certificate, so the FortiWeb rejects the session; disable SSL inspection and certificate replacement on the firewall for this traffic.
Related document:
Connecting to FortiGuard services