FortiGate
cvincent_FTNT
Description
After renewing a contract license or rebooting the FortiGate, the License Information widget indicates that all or some of the services are not available.

Scope
The purpose of this KB is to add commands and information to some of the steps provided in the following KB:

License Information on Dashboard shows "Unreachable" or "Not Registered" after a FortiGate is reboo...


Solution

Below are steps you can take when the license information widget indicates that the registration and security services are unavailable.

1.    Run the following commands in the CLI to prompt the FortiGuard communications:

diag debug app update -1
diag debug en
exec update-now

2.    Do you have a web profile applied to any policies?
• Often people are hesitant to do so because of the message that appears when they initially try to configure the web profile.
• Apply the web profile to an internal-to-WAN policy.
• Go to System > Status > License Information, click the refresh button on the top bar (hover mouse over it).

3.    If the registration/services do not appear after applying the profile to the policy and refreshing the License Information, go to:

• System > Config > FortiGuard > Web Filtering and Email Filtering Options

• Press Test Availability
• Go to System > Status > License Information, click the refresh button on the top bar (hover mouse over it).

4.    If the registration/services do not appear after pressing the test button, go to:

• System > Config > FortiGuard > Web Filtering and Email Filtering Options
• Select to use the Alternate Port
• Press Test Availability
• Go to System > Status > License Information, click the refresh button on the top bar (hover mouse over it).

5.    If the registration does not appear after changing to Alternate Port, go to the CLI console:

• Try pinging the FortiGuard services URL:

exec ping service.fortiguard.net

• If the name resolves to an IP address, type the following commands. If it does not resolve to an IP address, this is a DNS issue.

diag debug application update -1
diag debug enable
exec update-now

• Go to System > Status > License Information, click the refresh button on the top bar (hover mouse over it).

6.     If you are using multiple VDOMs on the FortiGate, make sure that you have an Internet-facing VDOM set as the management VDOM. Use the following commands to verify.

config system global
set management-vdom <vdom>   #<--- this VDOM should have Internet access
end

Then run the "update-now" command again.

7. If the issue is not resolved at this point, open a support ticket at https://support.fortinet.com/ and attach:
a) your config file
b) the CLI output, as a text file

The ports used for FortiGuard communications are listed below.

The FQDN is service.fortiguard.net

Related ports:

Encrypted Virus Samples auto submitted to FortiGuard - 25
DNS lookups - 53 UDP
FortiGuard Server List requests to FortiGuard - 53 UDP
AntiSpam or Web Filtering rating lookup queries to FortiGuard - 53 UDP or 8888 UDP
URL/AS rating lookup queries to FortiGuard - 53 UDP
Real-time Black List (RBL) lookup requests to RBL services - 53 UDP
Fortinet Device Registration to FortiGuard - 80
Firmware and Signature Downloads from FortiGuard - 443
FortiGuard Server List requests to FortiGuard - 1027 UDP / 1031 UDP
AntiSpam and Web Filtering rating lookups requests - 1027 UDP / 1031 UDP
AV/IPS Push / FortiGuard to FortiGate - 9443 UDP
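
When step 5 shows that DNS resolves but updates still fail, an upstream filter on one of these ports is the next thing to rule out. The following is an added example, not part of the original KB or any Fortinet tool: it checks a constructed list of upstream allow rules against the port list above. The rule-line format, the sample rules and the function names are hypothetical, and ports the list gives without a protocol (25, 80, 443) are assumed to be TCP.

```python
# Ports from the "Related ports" list above. The page gives no protocol for
# 25, 80 and 443; TCP is assumed here.
FORTIGUARD_PORTS = [
    ("Encrypted virus samples submitted to FortiGuard", "tcp", 25),
    ("DNS lookups", "udp", 53),
    ("FortiGuard server list requests", "udp", 53),
    ("AntiSpam/Web Filtering rating lookups", "udp", 53),
    ("AntiSpam/Web Filtering rating lookups", "udp", 8888),
    ("URL/AS rating lookups", "udp", 53),
    ("RBL lookup requests", "udp", 53),
    ("Device registration", "tcp", 80),
    ("Firmware and signature downloads", "tcp", 443),
    ("FortiGuard server list requests", "udp", 1027),
    ("FortiGuard server list requests", "udp", 1031),
    ("AntiSpam/Web Filtering rating lookups", "udp", 1027),
    ("AntiSpam/Web Filtering rating lookups", "udp", 1031),
    ("AV/IPS push (FortiGuard to FortiGate)", "udp", 9443),
]

def parse_rules(text):
    """Parse lines like 'allow udp 53,1024-1100' into {(proto, lo, hi)}."""
    allowed = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) != 3 or fields[0] != "allow":
            continue
        proto = fields[1].lower()
        for part in fields[2].split(","):
            lo, _, hi = part.partition("-")
            allowed.add((proto, int(lo), int(hi or lo)))
    return allowed

def blocked_ports(rules_text):
    """Return {(proto, port): [services]} for listed ports no rule permits."""
    allowed = parse_rules(rules_text)
    blocked = {}
    for service, proto, port in FORTIGUARD_PORTS:
        if not any(p == proto and lo <= port <= hi for p, lo, hi in allowed):
            blocked.setdefault((proto, port), []).append(service)
    return blocked

# Constructed sample rule set in a hypothetical one-rule-per-line format.
SAMPLE_RULES = """
allow udp 53
allow tcp 80,443
allow udp 1024-1100   # covers 1027 and 1031
"""

if __name__ == "__main__":
    for (proto, port), services in sorted(blocked_ports(SAMPLE_RULES).items()):
        print(f"{port}/{proto} not permitted: {', '.join(services)}")
```

The check is direction-agnostic, so the 9443 UDP push entry, which the list describes as FortiGuard to FortiGate, still needs its inbound path reviewed separately.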


Related Articles

Technical Note: Traffic Types and TCP/UDP Ports used by Fortinet Products

Technical Note : FortiGate 100D unable to contact FortiCare/FortiGuard servers for registration and ...
