FortiClient
FortiClient proactively defends against advanced attacks. Its tight integration with the Security Fabric enables policy-based automation to contain threats and control outbreaks. FortiClient is compatible with Fabric-Ready partners to further strengthen enterprises’ security posture.
mforbes
Staff
Description
This article lists the host names, IP addresses and ports FortiClient uses for AntiVirus, Web Filter and Vulnerability Scan updates.
It also shows the ports used when FortiClient communicates with FortiClient EMS or a FortiGate.

Solution
For normal operation, FortiClient needs outbound Internet access on the ports below, without UTM restrictions on that traffic.

FortiClient uses the following ports when in operation:
  -  Port 53 - DNS (UDP/53 for normal queries; TCP/53 for responses too large for UDP).
  -  Port TCP/80 - To contact forticlient.fortinet.net for the list of available update servers (the host shown in CheckUpdate.xml below).
  -  Port TCP/443 - To establish an SSL/TLS session to the nearest available update server.
  -  Port UDP/8889 - To retrieve AntiVirus and Vulnerability signatures.
  -  Port UDP/8888 - To send and receive Web Filtering rating queries.
  -  Port TCP/8013 - To register with a FortiGate or FortiClient EMS.
  -  Port TCP/8014 - To send large data files to FortiClient EMS.
 
The following steps can be used when FortiClient fails to update its AV or Vulnerability signatures.

Note: AntiVirus signature and Vulnerability CVE updates are transferred over port 8889, and the client/server session is SSL encrypted. The port list above gives this port as UDP/8889, while the telnet check in the Summary (and an SSL session) exercise TCP; when writing a firewall policy for the update servers, allow port 8889 for both TCP and UDP rather than assuming one.

1. Trigger a manual update

Open the FortiClient Console.
Go to Help/About and trigger an update from there.
The Status column should show "Up-to-date" with the current signature version, not an "update failed" message.


[Screenshot: mforbes_updates.png]

2. Verify Server Availability

Navigate to C:\Program Files (x86)\Fortinet\FortiClient\vir_sig.
Verify that the "fdni.conf" file exists.

If there is no file, FortiClient may not have external access (the server list is downloaded from forticlient.fortinet.net).
If the file exists, open it (read-only; do not save changes) to list the servers available for updates. Updates are retrieved from the server whose TimeZone is closest to the host's:
========================================================================
SerialNumber=FPT-FCS-DELL0035|Address=96.45.33.105:443|FDNListener=96.45.33.105:8889|TimeZone=-8
SerialNumber=FPT-FCS-DELL0036|Address=96.45.33.106:443|FDNListener=96.45.33.106:8889|TimeZone=-5
SerialNumber=FPT-FCS-DELL0038|Address=173.243.138.109:443|FDNListener=173.243.138.109:8889|TimeZone=-8
SerialNumber=FPT-FCS-DELL0039|Address=173.243.138.110:443|FDNListener=173.243.138.110:8889|TimeZone=-8
SerialNumber=FPT-FCS-DELL0043|Address=173.243.138.98:443|FDNListener=173.243.138.98:8889|TimeZone=-8
SerialNumber=FPT-FCS-DELL0044|Address=173.243.138.99:443|FDNListener=173.243.138.99:8889|TimeZone=-8
SerialNumber=FPT-FCS-DELL0045|Address=173.243.138.100:443|FDNListener=173.243.138.100:8889|TimeZone=-8
SerialNumber=FPT-FCS-DELL0046|Address=173.243.138.101:443|FDNListener=173.243.138.101:8889|TimeZone=-5
SerialNumber=FPT-FCS-DELL0047|Address=173.243.138.102:443|FDNListener=173.243.138.102:8889|TimeZone=-5
SerialNumber=FPT-FCS-DELL0048|Address=173.243.138.103:443|FDNListener=173.243.138.103:8889|TimeZone=-5
SerialNumber=FPT-FCS-DELL0052|Address=173.243.138.107:443|FDNListener=173.243.138.107:8889|TimeZone=-5
========================================================================
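To make the "closest time zone" selection concrete, here is an added Python example (not Fortinet's code) that parses fdni.conf lines in the format shown above, skips malformed entries instead of aborting, ranks servers by how far their TimeZone is from the host's UTC offset, and lists the IP/port pairs an egress firewall policy must allow. The sample text embeds a few of the entries listed above plus one deliberately malformed line constructed for the example; the function names are the example's own.

```python
"""Parse fdni.conf (FortiClient update-server list) and rank servers by time zone.

Added example, not Fortinet code. It assumes the pipe-delimited key=value
line format shown in the article. SAMPLE_FDNI is built from entries in that
listing plus one deliberately malformed line (invalid octet) for illustration.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

SAMPLE_FDNI = """\
SerialNumber=FPT-FCS-DELL0035|Address=96.45.33.105:443|FDNListener=96.45.33.105:8889|TimeZone=-8
SerialNumber=FPT-FCS-DELL0036|Address=96.45.33.106:443|FDNListener=96.45.33.106:8889|TimeZone=-5
SerialNumber=FPT-FCS-DELL0038|Address=173.243.138.109:443|FDNListener=173.243.138.109:8889|TimeZone=-8
SerialNumber=FPT-FCS-DELL0046|Address=173.243.138.101:443|FDNListener=173.243.138.101:8889|TimeZone=-5
SerialNumber=FPT-FCS-DELL0047|Address=173.243.138.102:443|FDNListener=173.243.138.102:8889|TimeZone=-5
SerialNumber=FPT-FCS-BROKEN|Address=173.243.138.999:443|FDNListener=173.243.138.99:8889|TimeZone=-8
"""

_HOSTPORT = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})$")


def _split_hostport(value: str) -> Tuple[str, int]:
    """Validate 'a.b.c.d:port' and return (ip, port); raise ValueError otherwise."""
    m = _HOSTPORT.match(value)
    if not m:
        raise ValueError(f"not host:port: {value!r}")
    ip = str(ipaddress.IPv4Address(m["ip"]))  # rejects octets > 255
    port = int(m["port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return ip, port


def parse_fdni(text: str) -> List[Dict]:
    """Return one dict per well-formed entry; malformed lines are skipped, not fatal."""
    servers = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = dict(part.split("=", 1) for part in line.split("|") if "=" in part)
        try:
            servers.append({
                "serial": fields["SerialNumber"],
                "address": _split_hostport(fields["Address"]),           # TCP/443 update channel
                "fdn_listener": _split_hostport(fields["FDNListener"]),  # port 8889 signature transfer
                "tz": int(fields["TimeZone"]),                           # UTC offset in hours
            })
        except (KeyError, ValueError):
            continue  # a broken line should not hide the good servers
    return servers


def rank_by_timezone(servers: List[Dict], local_utc_offset: int) -> List[Dict]:
    """Order servers by distance from the host's UTC offset; ties broken by serial."""
    return sorted(servers, key=lambda s: (abs(s["tz"] - local_utc_offset), s["serial"]))


def egress_targets(servers: List[Dict]) -> List[Tuple[str, int]]:
    """Distinct (ip, port) pairs a firewall policy must allow for signature updates."""
    targets = {s["address"] for s in servers} | {s["fdn_listener"] for s in servers}
    return sorted(targets)


if __name__ == "__main__":
    parsed = parse_fdni(SAMPLE_FDNI)
    for s in rank_by_timezone(parsed, local_utc_offset=-5):
        print(f'{s["serial"]:20} tz={s["tz"]:+d} {s["address"][0]}:{s["address"][1]}')
    print(egress_targets(parsed))
```

Point parse_fdni at the real file's contents and pass the host's UTC offset to see which server FortiClient should prefer; egress_targets gives the address list to compare against the firewall policy that fronts the client.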
3. Troubleshoot FortiClient

Open the FortiClient Console.
Under Help/About, run the FortiClient Diagnostic Tool.
 
If access to the console is restricted:
  -  On the task bar, right-click the green FortiClient icon and select About FortiClient from the menu, or
  -  Go to C:\Program Files (x86)\Fortinet\FortiClient, right-click "FortiClient_Diagnostic_Tool.exe" and select Run as administrator.

Open the "Diagnostic_Result.cab" archive the tool produces.
Locate and extract the "CheckUpdate.xml" file.
Open it in a text editor.

If the 'ERROR msg' entries show 'failed', there are connectivity issues:
============================================================
<?xml version="1.0" encoding="UTF-8" ?>
<CheckUpdate serial_number="" server_addr="forticlient.fortinet.net" port="80">
<ResolvedServerIP addr="forticlient.fortinet.net">
<ServerIP ip="208.91.112.140" />
<ServerIP ip="208.91.112.141" />
<ServerIP ip="96.45.33.105" />
<ServerIP ip="96.45.33.106" />
<ServerIP ip="208.91.112.132" />
<ServerIP ip="208.91.112.134" />
<ServerIP ip="208.91.112.136" />
<ServerIP ip="208.91.112.139" />
</ResolvedServerIP>
<RequestList>
<Object id="00000000FSCI00000000000000000000" />
<Object id="00000000FDNI00000000000000000000" />
<Object id="01000000FECT00000" />
</RequestList>
<ERROR msg="FR_connect() failed" ret="-1" err="0" />          <-------------------- connection error
<ERROR msg="FCP_send_request() failed" ret="-1" err="0" />    <-------------------- connection error
<ERROR msg="FCP_recv_response() failed" ret="-1" err="0" />   <-------------------- connection error
<ResponseList num="0" />
</CheckUpdate>
============================================================
Output File Location: C:\users\%username%\AppData\Local\Temp\Diagnostic_Result\Diagnostic_Result.cab
============================================================
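Reading CheckUpdate.xml by eye works for one host; for a fleet it helps to parse it. The following is an added Python example (not Fortinet's code) that extracts the resolved server IPs, requested objects and ERROR messages from the element and attribute names shown above, and maps them onto the troubleshooting branches in this article (DNS failure, connection failure, no response, OK). SAMPLE_FAILED is a trimmed copy of the output above; SAMPLE_OK is a constructed success variant (no ERROR elements, a non-empty ResponseList) that the article does not show and is an assumption of the example.

```python
"""Parse CheckUpdate.xml from the FortiClient diagnostic bundle and classify the result.

Added example, not Fortinet code. Element and attribute names follow the
article's sample output. SAMPLE_FAILED reproduces that sample (trimmed);
SAMPLE_OK is a constructed success variant (no ERROR elements, non-empty
ResponseList) that the article does not show and is an assumption here.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

SAMPLE_FAILED = b"""<?xml version="1.0" encoding="UTF-8" ?>
<CheckUpdate serial_number="" server_addr="forticlient.fortinet.net" port="80">
<ResolvedServerIP addr="forticlient.fortinet.net">
<ServerIP ip="208.91.112.140" />
<ServerIP ip="96.45.33.105" />
</ResolvedServerIP>
<RequestList>
<Object id="00000000FSCI00000000000000000000" />
<Object id="00000000FDNI00000000000000000000" />
</RequestList>
<ERROR msg="FR_connect() failed" ret="-1" err="0" />
<ERROR msg="FCP_send_request() failed" ret="-1" err="0" />
<ERROR msg="FCP_recv_response() failed" ret="-1" err="0" />
<ResponseList num="0" />
</CheckUpdate>
"""

# Constructed success case (assumed shape: no ERROR elements, responses returned).
SAMPLE_OK = b"""<?xml version="1.0" encoding="UTF-8" ?>
<CheckUpdate serial_number="" server_addr="forticlient.fortinet.net" port="80">
<ResolvedServerIP addr="forticlient.fortinet.net">
<ServerIP ip="208.91.112.140" />
</ResolvedServerIP>
<RequestList>
<Object id="00000000FSCI00000000000000000000" />
</RequestList>
<ResponseList num="1" />
</CheckUpdate>
"""


@dataclass
class CheckUpdateResult:
    server_addr: str
    port: int
    resolved_ips: List[str]
    requested_objects: List[str]
    errors: List[str]
    responses: int


def parse_check_update(data: bytes) -> CheckUpdateResult:
    """Parse the XML bytes as read from the file; raises ValueError on the wrong root."""
    root = ET.fromstring(data)
    if root.tag != "CheckUpdate":
        raise ValueError(f"unexpected root element {root.tag!r}")
    resp = root.find("./ResponseList")
    return CheckUpdateResult(
        server_addr=root.get("server_addr", ""),
        port=int(root.get("port", "0")),
        resolved_ips=[e.get("ip", "") for e in root.findall("./ResolvedServerIP/ServerIP")],
        requested_objects=[e.get("id", "") for e in root.findall("./RequestList/Object")],
        errors=[e.get("msg", "") for e in root.findall("./ERROR")],
        responses=int(resp.get("num", "0")) if resp is not None else 0,
    )


def diagnose(r: CheckUpdateResult) -> str:
    """Map the parsed result onto the troubleshooting branches in the article."""
    if not r.resolved_ips:
        return "dns-failure"       # forticlient.fortinet.net did not resolve
    if any("failed" in msg for msg in r.errors):
        return "connect-failure"   # FR_connect()/FCP_*: check egress to the resolved IPs on port 80
    if r.responses == 0:
        return "no-response"       # connected, but the server list never came back
    return "ok"


if __name__ == "__main__":
    for name, blob in (("failed", SAMPLE_FAILED), ("ok", SAMPLE_OK)):
        r = parse_check_update(blob)
        print(name, diagnose(r), r.resolved_ips, r.errors)
```

In practice you would read the extracted file with open(path, "rb") and pass the bytes to parse_check_update; the resolved IP list is also worth comparing against the addresses in fdni.conf, since a host that resolves forticlient.fortinet.net to something outside the ranges seen there deserves a closer look at its DNS path.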
4. Troubleshoot External Access

To verify whether FortiClient traffic reaches the update servers, open an SSH session to the FortiGate CLI and run the built-in sniffer against the update-server networks (verbosity 4 prints the interface name with each packet):
# diag sniffer packet any 'net 96.45.33 or net 173.243.138' 4
This filter covers the two networks listed in fdni.conf above; add 'or net 208.91.112' to also catch the addresses forticlient.fortinet.net resolved to in CheckUpdate.xml. Check that return packets (the syn/ack replies) appear, not only the outbound syn packets:
# diag sniffer packet any 'net 96.45.33 or net 173.243.138' 4
interfaces=[any]
filters=[net 96.45.33 or net 173.243.138]
9.087183 internal in 192.168.1.102.52518 -> 173.243.138.98.80: syn 931581186
9.087183 lan in 192.168.1.102.52518 -> 173.243.138.98.80: syn 931581186
9.087556 wan1 out 172.17.97.156.52518 -> 173.243.138.98.80: syn 931581186
9.088073 wan1 in 173.243.138.98.80 -> 172.17.97.156.52518: syn 489986034 ack 931581187
9.088252 lan out 173.243.138.98.80 -> 192.168.1.102.52518: syn 489986034 ack 931581187
9.088287 internal out 173.243.138.98.80 -> 192.168.1.102.52518: syn 489986034 ack 931581187
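The capture above shows a complete handshake: the client's syn leaves on wan1 (source-NATed to 172.17.97.156) and the server's syn/ack comes back on wan1 and is forwarded to the client. When the sniffer output is long, checking this by eye is error-prone, so here is an added Python example (not Fortinet's code) that parses the verbosity-4 line format shown above and reports, per server endpoint, whether a SYN was sent and whether a SYN/ACK was seen on any interface. The sample capture embeds the article's lines for 173.243.138.98:80 plus a constructed, unanswered SYN to 96.45.33.105:8889 to show the "no return packets" case; the timestamps and sequence numbers of those two constructed lines are invented.

```python
"""Check a FortiGate 'diag sniffer packet ... 4' capture for completed TCP handshakes.

Added example, not Fortinet code. It parses the verbosity-4 line format shown
in the article (timestamp, interface, direction, src -> dst: flags). The sample
capture embeds the article's lines for 173.243.138.98:80 plus two constructed
lines (an unanswered SYN to 96.45.33.105:8889) to show the failure case.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_CAPTURE = """\
9.087183 internal in 192.168.1.102.52518 -> 173.243.138.98.80: syn 931581186
9.087183 lan in 192.168.1.102.52518 -> 173.243.138.98.80: syn 931581186
9.087556 wan1 out 172.17.97.156.52518 -> 173.243.138.98.80: syn 931581186
9.088073 wan1 in 173.243.138.98.80 -> 172.17.97.156.52518: syn 489986034 ack 931581187
9.088252 lan out 173.243.138.98.80 -> 192.168.1.102.52518: syn 489986034 ack 931581187
9.088287 internal out 173.243.138.98.80 -> 192.168.1.102.52518: syn 489986034 ack 931581187
12.100000 lan in 192.168.1.102.52520 -> 96.45.33.105.8889: syn 100000001
12.100300 wan1 out 172.17.97.156.52520 -> 96.45.33.105.8889: syn 100000001
"""

_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+(?P<flags>.+)$"
)

Endpoint = Tuple[str, int]


def _endpoint(token: str) -> Endpoint:
    """Split 'a.b.c.d.port' (the sniffer's notation) into (ip, port)."""
    ip, port = token.rsplit(".", 1)
    return ip, int(port)


def handshakes(lines: List[str]) -> Dict[Endpoint, Dict[str, bool]]:
    """Per server endpoint: was a SYN sent, and did a SYN/ACK come back on any interface?"""
    state: Dict[Endpoint, Dict[str, bool]] = {}
    for line in lines:
        m = _LINE.match(line.strip())
        if not m:
            continue  # banner lines such as interfaces=[any] / filters=[...]
        flags = m["flags"].split()
        if "syn" not in flags:
            continue  # only the handshake matters for reachability
        if "ack" in flags:
            server = _endpoint(m["src"])  # SYN/ACK is sent by the server
            state.setdefault(server, {"syn_sent": False, "synack_seen": False})["synack_seen"] = True
        else:
            server = _endpoint(m["dst"])  # bare SYN is sent to the server
            state.setdefault(server, {"syn_sent": False, "synack_seen": False})["syn_sent"] = True
    return state


def unanswered(lines: List[str]) -> List[Endpoint]:
    """Servers that were sent a SYN but never answered: the 'no return packets' case."""
    return sorted(ep for ep, st in handshakes(lines).items()
                  if st["syn_sent"] and not st["synack_seen"])


if __name__ == "__main__":
    lines = SAMPLE_CAPTURE.splitlines()
    for ep, st in handshakes(lines).items():
        print(f"{ep[0]}:{ep[1]} syn_sent={st['syn_sent']} synack_seen={st['synack_seen']}")
    print("unanswered:", unanswered(lines))
```

Paste the sniffer output into a file and feed its lines to unanswered(); a server that appears there with a syn on wan1 out but no syn/ack on wan1 in is being dropped upstream of the FortiGate, while one whose syn never reaches wan1 at all is being blocked by a local policy. The parser scores TCP handshakes only; UDP lines for ports 8888 and 8889 still need to be read by eye.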

Summary

FortiClient first needs to resolve forticlient.fortinet.net and reach it on TCP port 80 to obtain the update-server list.
Then test a TCP connection to any of the above server IPs on port 8889 (e.g. telnet 208.91.112.141 8889).
If the connection succeeds, FortiClient should be able to download AV and Vulnerability signature updates. Telnet only proves TCP reachability; use the sniffer in step 4 to confirm that UDP traffic (Web Filter rating queries on port 8888) is also answered.

Related Articles

Technical Note: Traffic Types and TCP/UDP Ports used by Fortinet Products
