FortiGate
TAlKhatib
Staff
Article Id 194121

Description

 

This article describes how to troubleshoot update problems for Antivirus (AV), Intrusion Prevention (IPS), Web Filtering and Spam Filtering, whose status is shown under System -> FortiGuard.


Solution

 

The following flow diagram shows the steps used to troubleshoot update issues.

[Flow diagram: troubleshooting FortiGuard updates]

 

Troubleshooting steps:
  1. Make sure that a valid, current contract has been registered against the FortiGate. After purchase, the registration code/contract number can be registered at https://support.fortinet.com.
  2. Create a firewall policy with a UTM profile and FortiGuard web filtering activated.
  3. Once activated, the FortiGuard network propagates the contract information to all of its servers; this can take 24 to 48 hours. If the contract was activated within the past day, wait 24 hours before going further.
  4. At this point the servers should have the correct contract information, so the problem is that the FortiGate is not reaching them. The first test to run is:

    exec ping <internet pingable IP>

    Where <internet pingable IP> can be any known IP that should respond to ping.

     
    If the ping fails, the FortiGate cannot reach the internet. Apart from the case where the FortiGate is not connected to the internet at all, the most common cause is that the FortiGate sends all of its locally generated traffic (update requests and pings alike) into a VPN tunnel. The following commands trace the ping through the routing and policy lookup (protocol 1 is ICMP, so the filter matches only the ping):
     
    diag debug enable
    diag debug flow show console en
    diag debug flow show function en
    diag debug flow filter addr <internet pingable IP>
    diag debug flow filter protocol 1
    diag debug flow trace start 20
    exec ping <internet pingable IP>
     
    The output shows the route the packet takes, including any VPN tunnel it enters. If the traffic is indeed going into a VPN tunnel, the tunnel is matching more traffic than it should: edit the firewall policy for the VPN tunnel so that its source and destination addresses match only the real source and destination subnets rather than 'all', and for a route-based tunnel check that no catch-all static route points at the tunnel interface.
     
    Once the test is complete, the debug outputs should be disabled by using the commands:
     
    diag debug flow trace stop
    diag debug reset
    diag debug disable

  5. This proves that the FortiGate can reach the internet by IP. The next step is to confirm that the FortiGate can resolve DNS names: exec ping fortinet.com

    Any DNS name can be used. What matters is not whether replies are received (some sites simply block pings) but whether the FortiGate can resolve the name at all. If it cannot, double-check the DNS settings under System -> Network -> DNS.
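To make steps 4 and 5 repeatable, the following added example (not part of the original article or of FortiOS) classifies captured CLI output: it extracts the egress interface from a diag debug flow trace and reports whether it is an IPsec tunnel, and it separates "DNS broken" from "resolved but the target drops ICMP" in exec ping output. The flow and ping text, the interface names (to_HQ, wan1) and the addresses are constructed samples, not real FortiGate output.

```python
import re

# Constructed sample of "diag debug flow" output for the failure case described in
# step 4: the FortiGate's own ping is routed into an IPsec tunnel interface named
# to_HQ. Not real FortiGate output; names and addresses are assumptions.
FLOW_VPN = """\
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 192.0.2.10:1->198.51.100.1:2048) from local. type=8, code=0, id=1, seq=0."
id=20085 trace_id=1 func=init_ip_session_common line=5519 msg="allocate a new session-00000a1b"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-0.0.0.0 via to_HQ"
"""

# Constructed healthy case: the same ping leaves through wan1 towards the ISP gateway.
FLOW_WAN = """\
id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 192.0.2.10:1->198.51.100.1:2048) from local. type=8, code=0, id=1, seq=0."
id=20085 trace_id=2 func=init_ip_session_common line=5519 msg="allocate a new session-00000a1c"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-203.0.113.1 via wan1"
"""

# Constructed "exec ping <name>" outputs for step 5: resolved with replies,
# resolved but no replies (the site drops ICMP), and a DNS failure.
PING_OK = """\
PING fortinet.com (66.35.45.210): 56 data bytes
64 bytes from 66.35.45.210: icmp_seq=0 ttl=51 time=25.3 ms
64 bytes from 66.35.45.210: icmp_seq=1 ttl=51 time=25.1 ms

--- fortinet.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
"""
PING_BLOCKED = """\
PING example.net (198.51.100.7): 56 data bytes

--- example.net ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
"""
PING_NO_DNS = "Unable to resolve hostname.\n"

ROUTE_RE = re.compile(r'find a route: flag=[0-9a-f]+ gw-(?P<gw>[\d.]+) via (?P<iface>[^"\s]+)')
RESOLVED_RE = re.compile(r"^PING (?P<name>\S+) \((?P<ip>[\d.]+)\)")
STATS_RE = re.compile(r"(?P<tx>\d+) packets transmitted, (?P<rx>\d+) packets received")


def egress_interface(flow_output):
    """Return the interface picked by the route lookup in a debug flow trace, or None."""
    for line in flow_output.splitlines():
        m = ROUTE_RE.search(line)
        if m:
            return m.group("iface")
    return None


def check_egress(flow_output, tunnel_interfaces):
    """Classify where locally generated traffic is being sent.

    tunnel_interfaces: the IPsec phase1 interface names on this unit (assumed to be
    copied from the output of 'get vpn ipsec tunnel summary').
    """
    iface = egress_interface(flow_output)
    if iface is None:
        return "no-route"          # no route line in the trace: nothing left the box
    if iface in tunnel_interfaces:
        return "vpn:" + iface      # step 4 failure mode: fix the tunnel policy/route
    return "egress:" + iface       # normal case: traffic heads to the internet


def classify_ping(ping_output):
    """Separate 'DNS broken' from 'DNS fine, target just drops ICMP' (step 5)."""
    m = RESOLVED_RE.match(ping_output)
    if not m:
        return "dns-failed"        # check System -> Network -> DNS
    s = STATS_RE.search(ping_output)
    if s and int(s.group("rx")) > 0:
        return "dns-ok-replies"
    return "dns-ok-no-replies"     # resolution worked, which is all this step needs


if __name__ == "__main__":
    tunnels = {"to_HQ"}
    print(check_egress(FLOW_VPN, tunnels), check_egress(FLOW_WAN, tunnels))
    print(classify_ping(PING_OK), classify_ping(PING_BLOCKED), classify_ping(PING_NO_DNS))
```

Paste the real trace and ping output in place of the constructed samples and supply the unit's own tunnel interface names; a "vpn:" result points at the tunnel policy or route, "dns-failed" at the DNS configuration, and "dns-ok-no-replies" is not a problem for this step.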

 

Web Filter/Spam Filter only: Web Filter and Spam Filter rating queries use one of three ports, 53, 8888 or 443. If the FortiGate cannot reach the FortiGuard servers on the current port, try one of the others (the port setting under config system fortiguard). Note that port selection is only available when fortiguard-anycast is disabled; with anycast disabled the FortiGate contacts the unicast FortiGuard server list instead of the anycast addresses:

config system fortiguard
    set fortiguard-anycast disable
end

 

The source port range is the range of ports the FortiGate uses as the source port of its own locally generated connections, including those to the FortiGuard servers. Some ISPs block some of the lower ports in the default range, so the range can be raised to avoid them. This affects all self-originated traffic, not only FortiGuard:

 

config system global
    set ip-src-port-range 1050-25000
end

 

When completed, restart the URL filter service with the following command:

 

diag test app url 99

 

If the issue is still not resolved, enable debugging of the update daemon and force an update with the following commands; the output shows which server the FortiGate tries to contact and why the attempt fails. Disable debugging afterwards with diag debug reset and diag debug disable, as above.



diag debug enable
diag debug application update 255
exec update-now

 

Run the sniffer to see the traffic at packet level.

For Antivirus/IPS:

diag sniff packet any 'port 443'

For Web filter/Spam filter:

diag sniff packet any 'port 53 or port 8888'


The article Technical Tip: Verifying and troubleshooting FortiGuard updates status and versions dives deeper into these commands.
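What the sniffer capture has to answer is simple: for each FortiGuard port, did the FortiGate send packets and did anything come back? The following added example (not part of the original article or of FortiOS) counts requests and replies per remote port in saved sniffer output, so a port the ISP filters shows up as sent > 0 and received == 0, which is the case where trying another port or raising the source port range applies. It accepts both the default header-only line format and the form with interface and direction printed at higher verbosity. The captures, addresses and ports below are constructed samples, not real FortiGate output.

```python
import re
from collections import defaultdict

# Constructed sample of "diag sniff packet any 'port 53 or port 8888'" output
# (default verbosity). The three rating queries on 8888 get no reply; the retry
# on 53 is answered. Not real FortiGate output.
SNIFF_WF = """\
interfaces=[any]
filters=[port 53 or port 8888]
1.203001 192.0.2.10.1053 -> 208.91.112.194.8888: udp 52
2.203117 192.0.2.10.1053 -> 208.91.112.194.8888: udp 52
3.203209 192.0.2.10.1053 -> 208.91.112.194.8888: udp 52
4.505311 192.0.2.10.1054 -> 208.91.112.194.53: udp 52
4.531876 208.91.112.194.53 -> 192.0.2.10.1054: udp 92
"""

# Constructed sample of "diag sniff packet any 'port 443' 4" for AV/IPS, where
# each line also carries the interface and direction. The TCP handshake completes.
SNIFF_AV = """\
interfaces=[any]
filters=[port 443]
0.512345 wan1 out 192.0.2.10.1061 -> 208.91.112.52.443: syn 3411239087
0.540210 wan1 in 208.91.112.52.443 -> 192.0.2.10.1061: syn 1872201 ack 3411239088
"""

# One packet header line; the interface/direction group is optional so both
# verbosity levels parse. Header lines such as interfaces=[...] do not match.
PKT_RE = re.compile(
    r"^(?P<ts>[\d.]+)\s+(?:(?P<iface>\S+)\s+(?P<dir>in|out)\s+)?"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) -> (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<proto>\w+)"
)


def reply_summary(sniff_output, local_ip):
    """Return {remote_port: (packets sent by local_ip, replies received)}."""
    sent = defaultdict(int)
    received = defaultdict(int)
    for line in sniff_output.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        if m.group("src") == local_ip:
            sent[int(m.group("dport"))] += 1
        elif m.group("dst") == local_ip:
            received[int(m.group("sport"))] += 1
    return {p: (sent[p], received[p]) for p in sorted(set(sent) | set(received))}


def unanswered_ports(summary):
    """Ports the FortiGate sent to without ever getting a reply: candidates for upstream filtering."""
    return [p for p, (tx, rx) in summary.items() if tx > 0 and rx == 0]


if __name__ == "__main__":
    wf = reply_summary(SNIFF_WF, "192.0.2.10")
    print(wf, "unanswered:", unanswered_ports(wf))
    print(reply_summary(SNIFF_AV, "192.0.2.10"))
```

The local IP is the address of the interface the FortiGate uses towards FortiGuard (the one shown in the egress check of step 4). An unanswered port with traffic on it is the signal to switch to another of the three rating ports; if every port is unanswered, the problem is upstream of the port choice and the update debug output is the next thing to look at.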

If the problem has still not been resolved, open a ticket with Fortinet support to assist with troubleshooting, and include the outputs of the debug and sniffer commands already run.
 

Related articles:

Technical Tip: Verifying and troubleshooting FortiGuard updates status and versions

Troubleshooting Tool: Using the FortiOS built-in packet sniffer

Troubleshooting Tip : First steps to troubleshoot connectivity problems to or through a FortiGate wi...