phennes
New Member
September 28, 2015
Solved

Forticlient 5.09 stopped getting definition update

  • September 28, 2015
  • 15 replies
  • 23609 views

I have noticed that a handful of my FortiClients stopped receiving virus definition updates. The log states: cannot obtain updates. Update server responded with unauthorized access.

 

Fortigate version 5.11

Forticlient version 5.09

 

I have also tried updating one of the workstations to 5.2.4 and it still can't get updates.

 

Thanks

    Best answer by Chris_Lin_FTNT

    Sorry. What I meant was it shall be fixed in a further FortiClient release.

     

    You are right that 5.0.11 is not available. The latest is 5.0.10 and it has this bug.

    15 replies

    Chris_Lin_FTNT
    Staff
    September 28, 2015

    Can you run from administrative command line: update_task.exe -s fd_01 , and paste the whole output here?

    emnoc
    New Member
    September 28, 2015

    Also, what do your logs show for updates?

     

    Ken

     

    phennes
    Author
    New Member
    September 28, 2015

    Here you go:

     

    C:\Program Files (x86)\Fortinet\FortiClient>update_task.exe -s fd_01
    Software update status = -1
    Initializing...
    serial: FGT90D3Z13007514

    attempt 1 of 3
    Serial number: FGT90D3Z13007514
    Try to connect to server 96.45.33.101:80
    Server using FCP ver 3.3 support FCT resume
    data_items: 00000000FSCI00000000000000000000*00000000FDNI00000000000000000000*05
    001000FVEN00500-1.26-9999999999*05001000FVDB00500-6.696-9999999999*05000000FVDB0
    0000-28.102-1509160608*05000000FVDB01300-28.83-1509151101*05000000FVDB01200-28.1
    1-1509120908*05000000FVDB01400-28.102-1509160608*05000000FVDB00200-1.23-11032120
    54*05000000FVDB00100-1.637-1311051411*05000000FVEN00100-5.220-9999999999*0500000
    0FVEN00600-2.52-9999999999*05000000FVEN00800-5.9-9999999999*05000000FVEN00900-1.
    383-9999999999
    update process received object(1 of 3): FCPR00000
    update process received object(2 of 3): FSCI00000
    update process received object(3 of 3): FDNI00000
    Now move object FDNI from obj_2_a09104__unpacked to C:\Program Files (x86)\Forti
    net\FortiClient\vir_sig\fdni.conf

    attempt 2 of 3
    Serial number: FGT90D3Z13007514
    Try to connect to server 96.45.33.99:80
    Server using FCP ver 3.3 support FCT resume
    data_items: 00000000FSCI00000000000000000000*00000000FDNI00000000000000000000*05
    001000FVEN00500-1.26-9999999999*05001000FVDB00500-6.696-9999999999*05000000FVDB0
    0000-28.102-1509160608*05000000FVDB01300-28.83-1509151101*05000000FVDB01200-28.1
    1-1509120908*05000000FVDB01400-28.102-1509160608*05000000FVDB00200-1.23-11032120
    54*05000000FVDB00100-1.637-1311051411*05000000FVEN00100-5.220-9999999999*0500000
    0FVEN00600-2.52-9999999999*05000000FVEN00800-5.9-9999999999*05000000FVEN00900-1.
    383-9999999999
    update process received object(1 of 3): FCPR00000
    update process received object(2 of 3): FSCI00000
    update process received object(3 of 3): FDNI00000
    Now move object FDNI from obj_2_a09104__unpacked to C:\Program Files (x86)\Forti
    net\FortiClient\vir_sig\fdni.conf

    attempt 3 of 3
    Serial number: FGT90D3Z13007514
    Try to connect to server 96.45.33.105:80
    Server using FCP ver 3.3 support FCT resume
    data_items: 00000000FSCI00000000000000000000*00000000FDNI00000000000000000000*05
    001000FVEN00500-1.26-9999999999*05001000FVDB00500-6.696-9999999999*05000000FVDB0
    0000-28.102-1509160608*05000000FVDB01300-28.83-1509151101*05000000FVDB01200-28.1
    1-1509120908*05000000FVDB01400-28.102-1509160608*05000000FVDB00200-1.23-11032120
    54*05000000FVDB00100-1.637-1311051411*05000000FVEN00100-5.220-9999999999*0500000
    0FVEN00600-2.52-9999999999*05000000FVEN00800-5.9-9999999999*05000000FVEN00900-1.
    383-9999999999
    update process received object(1 of 3): FCPR00000
    update process received object(2 of 3): FSCI00000
    update process received object(3 of 3): FDNI00000
    Now move object FDNI from obj_2_a09104__unpacked to C:\Program Files (x86)\Forti
    net\FortiClient\vir_sig\fdni.conf

    phennes
    Author
    New Member
    September 28, 2015

    Here are what the logs say.

     

    9/28/2015 2:00:03 AM Notice Update id=96823 msg="Checking for updates."
    9/28/2015 2:00:03 AM Notice Update id=96813 msg="Software updates are disabled."
    9/28/2015 5:00:06 AM Notice Update id=96823 msg="Checking for updates."
    9/28/2015 5:00:06 AM Notice Update id=96813 msg="Software updates are disabled."
    9/28/2015 7:23:56 AM Notice Console id=96810 user= msg="Customer initiated a software update request."
    9/28/2015 7:23:56 AM Notice Update id=96823 msg="Checking for updates."
    9/28/2015 7:23:56 AM Notice Update id=96813 msg="Software updates are disabled."
    9/28/2015 8:00:02 AM Notice Update id=96823 msg="Checking for updates."
    9/28/2015 8:00:02 AM Notice Update id=96813 msg="Software updates are disabled."
    9/28/2015 9:58:49 AM Notice Update id=96823 msg="Checking for updates."
    9/28/2015 9:58:49 AM Notice Update id=96813 msg="Software updates are disabled."
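An added example, not part of the original posts and not Fortinet code: a parser for the FortiClient log format shown above that pairs each "Checking for updates" entry with the Update messages logged after it, so endpoints whose checks never succeed can be flagged across a fleet. The function names and the list of message fragments treated as failures (one from the pasted log, one from the error quoted in the opening post) are assumptions.

```python
import re
from datetime import datetime

# Sample input: entries copied from the log posted above, run together on one
# line the way they appear in the post.
SAMPLE = (
    '9/28/2015 7:23:56 AM Notice Console id=96810 user= '
    'msg="Customer initiated a software update request." '
    '9/28/2015 7:23:56 AM Notice Update id=96823 msg="Checking for updates." '
    '9/28/2015 7:23:56 AM Notice Update id=96813 msg="Software updates are disabled." '
    '9/28/2015 8:00:02 AM Notice Update id=96823 msg="Checking for updates." '
    '9/28/2015 8:00:02 AM Notice Update id=96813 msg="Software updates are disabled."'
)
RECORD = re.compile(
    r'(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<level>\w+) (?P<source>\w+) id=(?P<id>\d+) '
    r'(?:user=(?P<user>\S*) )?msg="(?P<msg>[^"]*)"'
)
CHECK_ID = 96823  # "Checking for updates." in the posted log
# Assumption: message fragments treated as a non-successful outcome.
BAD = ("updates are disabled", "unauthorized access")

def parse(text):
    """Split run-together log text into records, one per timestamped entry."""
    records = []
    for m in RECORD.finditer(text):
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %I:%M:%S %p")
        rec["id"] = int(rec["id"])
        records.append(rec)
    return records

def update_checks(records, bad=BAD):
    """Pair each update check with the Update messages logged after it."""
    checks = []
    for rec in records:
        if rec["id"] == CHECK_ID:
            checks.append({"ts": rec["ts"], "followups": [], "failed": False})
        elif checks and rec["source"] == "Update":
            checks[-1]["followups"].append(rec["msg"])
            if any(p in rec["msg"].lower() for p in bad):
                checks[-1]["failed"] = True
    return checks

def never_succeeded(checks):
    """True when at least one check was logged and every check failed."""
    return bool(checks) and all(c["failed"] for c in checks)

if __name__ == "__main__":
    for c in update_checks(parse(SAMPLE)):
        print(c["ts"].isoformat(), "FAILED" if c["failed"] else "ok", c["followups"])
```
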

    emnoc
    New Member
    September 28, 2015

    Did you make changes in your profile for the client? I would look at the following in your XML syntax:

    <update>
        <use_custom_server>0</use_custom_server>
        <server></server>
        <port></port>
        <failoverport>0</failoverport>
        <fail_over_to_fdn>1</fail_over_to_fdn>
        <update_action>notify_only</update_action>
        <scheduled_update>
            <enabled>0</enabled>
            <type>interval</type>
            <update_interval_in_hours>1</update_interval_in_hours>
        </scheduled_update>
    </update>

    0 = disable, 1 = enabled

     

    Also ensure FortiGuard lookups are working; if it can't find the FGS then it can't acquire the updates. Also, if you are using any proxies, make sure they are allowing the updates.

    The client asks for the update based on the list of FGS servers and needs access to these.

    e.g.

    208.91.112.139 HTTP  /fdsupdate

     

     

    Ken

     

    emnoc
    New Member
    September 28, 2015

    If you unregister the FortiGate, does the FClient work with gaining updates?

     

    phennes
    Author
    New Member
    September 28, 2015

    Yes, it works when I unregister it. So does that indicate an issue with the FortiGate firewall?

    emnoc
    New Member
    September 28, 2015

    yes

     

    So is the FW active with a subscription license? And is it updated?

     

    Please run diag debug app update -1 and then execute update-av

     

    Does this fail? Is the source-ip good?

    phennes
    Author
    New Member
    September 28, 2015

    I entered those commands on the fortigate and nothing happens

     

    The unit is up to date with Fortiguard subscriptions

    emnoc
    New Member
    September 28, 2015

    So that means resolution for FDS is working and the FortiGate is working. So the million-dollar question: when the client is trying to update, is it pulling the update from FDS directly or via the FortiGate?

    Since we know the client works unregistered, I believe the latter is involved. I'm scratching my head on what to do, but have you validated that the FortiClient is shown as registered on the FortiGate?

     

    I would 1st check for FCT-access and make sure it was not removed AND if it was working previously.

    And then run some diagnostics

     

     

    diag debug console timestamp enable
    diag debug reset
    diag debug console timestamp enable
    diag debug en
    diag debug flow filter addr <enter client>
    diag debug flow show console enable
    diag debug flow trace start 100

     

    If the client can't register, that's an issue. And if its registration is valid but everything else does not work, that's another issue. Maybe the following may shed some light:

     

    diag endpoint registration list

     

    Ken

    phennes
    Author
    New Member
    September 28, 2015

    They seem to register fine and the FCT-access is enabled on the correct interface.  I should also mention that this is occurring at 4 other sites with the same firmware versions and it seemed it happened about the same time.

     

    Here is an output for diag endpoint registration list:

    FortiClient #1 (0):
        UID                      = ****************
        vdom                     = root
        status                   = registered
        registering time         = Tue Jul 14 16:24:57 2015
        registration expiry time = none
        source IP                = 192.168.****
        source MAC               = 00:25:*****
        user                     = ****
        host OS                  = Microsoft Windows 7 , 32-bit Service Pack 1 (build 7601)
        restored registration    = no
        local registration       = yes
        remote registration SN   = local

    I will work on the other commands in a bit.

    Chris_Lin_FTNT
    Staff
    September 28, 2015

    FDS may have prevented registered 5.0 FortiClient from getting AV signature. It's under investigation...

    Chris_Lin_FTNT
    Staff
    September 28, 2015

    It turned out it's a recent FDS update that prevents FortiClient from using FortiGate SN to get AV signature. So it will require a FortiClient 5.0.11 to fix it.

    phennes
    Author
    New Member
    September 28, 2015

    Ah OK.  I will get that updated and get back to you on the results.

     

    Thanks for getting that info