romgo
New Member
December 30, 2020
Question

FortiGuard firewall rule

  • December 30, 2020
  • 1 reply
  • 6780 views
Hi,

My firewall (running 6.2.6) is directly connected to the Internet. We have an IPS license and I figured out that the IPS update failed silently.

Looking at the logs I see that FortiOS is trying to reach some random IP at FortiGuard. First I created a rule as follows:

  src: firewall
  dst: update.fortiguard.net & service.fortiguard.net
  service: https

but this was not enough.

I can see traffic towards those IPs:

  12.34.97.16
  96.45.33.85
  96.45.33.106
  173.243.132.64
  173.243.138.69
  173.243.138.210
  206.47.184.1
  206.47.184.6
  208.91.113.75
  208.91.113.109
  208.91.113.184
  209.222.136.6

I would like to be able to specify the destination properly, because currently the destination is ALL.

Thanks
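The recurring task behind this question is turning a list of destination IPs harvested from logs into address objects narrow enough for a policy. The script below is an added example and is not code from the original post or from Fortinet: it groups the IPs quoted above by /24, keeps a whole /24 only where two or more different hosts were seen, keeps single sightings as /32 hosts, and checks a candidate destination against the result. The FortiOS CLI syntax it renders (config firewall address / set subnet / config firewall addrgrp) and the object names are assumptions to be checked against the running version before use.

```python
import ipaddress
from collections import defaultdict

# Destination IPs taken from the firewall logs quoted in the post above.
OBSERVED_DESTINATIONS = [
    "12.34.97.16", "96.45.33.85", "96.45.33.106",
    "173.243.132.64", "173.243.138.69", "173.243.138.210",
    "206.47.184.1", "206.47.184.6",
    "208.91.113.75", "208.91.113.109", "208.91.113.184",
    "209.222.136.6",
]


def group_by_prefix(ips, prefixlen=24):
    """Bucket observed hosts by the /prefixlen network that contains them."""
    groups = defaultdict(list)
    for ip in ips:
        host = ipaddress.ip_address(ip)
        net = ipaddress.ip_network(f"{host}/{prefixlen}", strict=False)
        groups[net].append(host)
    return dict(groups)


def suggest_address_objects(ips, prefixlen=24):
    """Propose destination networks for an allowlist.

    A /prefixlen seen with two or more different hosts is kept as the whole
    network (the update service is clearly spread across it); a network seen
    with a single host becomes a /32 so the rule stays as narrow as the
    evidence allows. Returns a sorted list of ip_network objects.
    """
    suggested = []
    for net, hosts in group_by_prefix(ips, prefixlen).items():
        if len(hosts) >= 2:
            suggested.append(net)
        else:
            suggested.append(ipaddress.ip_network(f"{hosts[0]}/32"))
    return sorted(suggested)


def is_covered(ip, networks):
    """Would this destination match the proposed address objects?"""
    host = ipaddress.ip_address(ip)
    return any(host in net for net in networks)


def render_fortios_addresses(networks, name_prefix="fortiguard-dst"):
    """Render the networks as FortiOS address objects plus an address group.

    The CLI syntax used here is assumed from FortiOS 6.x (not taken from the
    post); verify it on the unit before pasting.
    """
    lines = ["config firewall address"]
    names = []
    for i, net in enumerate(networks, 1):
        name = f"{name_prefix}-{i}"  # hypothetical object name
        names.append(name)
        lines.append(f'    edit "{name}"')
        lines.append(f"        set subnet {net.network_address} {net.netmask}")
        lines.append("    next")
    lines.append("end")
    lines.append("config firewall addrgrp")
    lines.append(f'    edit "{name_prefix}-grp"')
    lines.append("        set member " + " ".join(f'"{n}"' for n in names))
    lines.append("    next")
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    nets = suggest_address_objects(OBSERVED_DESTINATIONS)
    for net, hosts in sorted(group_by_prefix(OBSERVED_DESTINATIONS).items()):
        print(f"{net}: {len(hosts)} host(s) seen")
    print()
    print(render_fortios_addresses(nets))
```

The /24 threshold is a judgement call: the widening only happens where the logs themselves show several hosts in the same block, so a one-off destination never drags a whole network into the allowlist. Re-run the script after a few more update cycles and diff the output; a new /24 appearing is the signal that the FortiGuard pool changed rather than that something is misconfigured.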

    1 reply

    emnoc
    New Member
    December 30, 2020

    You don't need a rule for the FortiGate to get to the FortiGuard site(s).

    1: Did you try to ping them: "execute ping x.x.x.x"

    2: Did you run any diag debug flow?

    3: Are you 100% sure the unit is licensed and registered correctly?

     diag debug application update -1

     diag debug enable

     execute update-now

    4: If you've done all of the above and ensured that no upstream device is filtering you, open a ticket with support.

    Ken Felix

    Toshi_Esumi
    SuperUser
    December 30, 2020

    Since you have support, opening a ticket is probably the quickest way to solve your problem. But I just wanted to add two more commands to Ken's debug commands to check the updates:

      diag autoupdate status

      diag autoupdate versions

    Then, I wanted to remind you that you need to have at least one policy using IPS to get the attack definitions or attack extended definitions updated. Otherwise, updates won't happen even if it's enabled.

    emnoc
    New Member
    December 30, 2020

    Then, wanted to remind you that you need to have at least one policy using IPS to get the attack definitions or attack extended definitions updated. Otherwise, updates won't happen even it's enabled.

    I think that behavior has changed over the last few years: IPS-ETDB will not update, but IPS-DB and the IPS malicious URL database will. Just wanted to point that out.

    For the OP, one more item to check is your logs:

       execute log filter category 1

       execute log display

    Wait a few seconds for the logs to display after you do "execute update-now", and the logs will show you pass/fail and what FortiGuard server you hit. Depending on where you're at, it's probably going to be 173.243.xxx.xxx.

    If you're in a pinch, you can log in, find your IPS update and manually download and upload it to the FortiGate.

    Ken Felix