This article describes how to diagnose anti-virus engine and antivirus definition update issues.

If the antivirus engine or antivirus definition version says '0.00' contact the local Fortinet Support site.

Before contacting Technical Support, verify the following settings:

• A valid DNS server has been configured for the FortiGate unit. Try the CLI command exec ping service.fortiguard.net. The FortiGate should be able to resolve the DNS name to an IP. Note that if a host behind the FortiGate can resolve the DNS name does not necessarily mean that the FortiGate can since the two can be configured with different DNS servers.
• The FortiGate unit has a valid default gateway set. Try pinging a public Internet address to test the default gateway.
• The FortiGate has to have at least one Firewall Policy with an Antivirus Profile applied, otherwise, it will never attempt to update the Antivirus Engine or Database.

Try the following connectivity tests:

1. Log in to the FortiGate CLI using a console cable or Telnet/SSH session.
2. Verify that the FortiGate unit can contact the secondary Fortinet Distribution Network (FDN) server by pinging the server from the command line interface (CLI). Enter exec ping fds1.Fortinet.com. If the secondary server does not respond to the ping, confirm routing and DNS settings as described above.
3. If the secondary server responds to the ping, the specific update traffic may be blocked in the network. In Transparent mode, the Management IP should be mapped to a routable IP.
4. The IP must be reachable from the Internet. Set up a traffic analyzer on the management LAN segment and capture the traffic on this network during an attempted update.

Look for the following protocols which the FortiGate unit uses to connect to the FDN:

• TCP/443 port is used for the SSL connection to retrieve the updates.
• UDP/9443 is for receiving PUSH announcements.

5. The FortiGate has a diagnose command to monitor the traffic on an interface. Enter: 

diagnose sniff packet any 'port 9443' 

After the sniffer has served its purpose, press Ctrl + C to stop it. Otherwise, it will run indefinitely.

Enter get sys time from the CLI to make sure that the certificates are not being invalidated by incorrect system time.
Enter get sys auto from the CLI, if the last update status is Unauthorized, the coverage may have expired.

6. If any Antivirus profile is in use in the firewall policy, check FortiGuard settings for source-ip and add if it is missing.

config system fortiguard

    set source-ip x.x.x.x

end

Insert the LAN interface IP of the FortiGate that can connect to FortiGuard.

Then do the update again with 'execute update-now' as follows:

diagnose debug disable

diagnose debug reset

diagnose debug application update -1

diagnose debug enable

execute update-now

Once updates are completed, disable debug by:

diagnose debug disable

diagnose debug reset

 Run the following command to check if the AV Engine and Virus Definitions have been updated:

   diagnose autoupdate versions

If the above does not help, contact the support.

Contacting Fortinet Technical Support:

Prepare the following diagnostic information before contacting technical support.

1. Log in to the FortiGate CLI using a console cable or Telnet/SSH session.
2. Enter:

diagnose debug enable

diagnose debug application up 3

3. From the web-based manager, select Update Now on the system update page.
4. Capture the output of the console session to a file and send it along with the ticket number to the appropriate support department.