FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
TAlKhatib
Staff
Staff
Description

This document will help to troubleshoot update problems in Antivirus (AV), Intrusion Prevention (IPS), Web filtering and Spam filtering,  under System > Dashboard > Status > License Information.


Solution
This flow diagram shows the steps to use to troubleshoot update issues.

TAlKhatib_FD32121_fd32121_updates.jpg

Troubleshooting steps
  1. Make sure that a valid current contract has been registered against the FortiGate. After purchase the registration code/contract number can be registered at https://support.fortinet.com .
  2. Create a firewall policy with UTM profile and FortiGuard web filtering activated.
  3. Once activated, the FortiGuard network will propagate the contract information to all servers, this may take from 24 to 48 hours to finish. If the contract was activated within the past day, wait for 24 hours before going further.
  4. By now we are sure the servers have the correct contract information, the FortiGate is just not getting them. The first test to run is:

       # exec ping <internet pingable IP>

    where <internet pingable IP> can be any known IP that should respond to ping.


    If the ping fails, the FortiGate is not able to go out to the internet. Other than the case where the FortiGate is not even connected to the Internet, the most common problem here is that the FortiGate is sending all its locally generated traffic (think update requests and pings) into a VPN tunnel. The following commands will help troubleshoot:

       # diag debug enable
       # diag debug flow show console en
       # diag debug flow show function en
       # diag debug flow filter addr <internet pingable IP>
       # diag debug flow filter protocol 1
       # diag debug flow trace start 20
       # exec ping <internet pingable IP>

    The output will show the route the packet is using as well as any VPN tunnels.  If the traffic is indeed going through a VPN tunnel, edit the Firewall policy for the VPN tunnel and change the source and destination addresses to match the source and destination subnets.

    Once the test is complete, the debug outputs should be disabled by using the commands:

       # diag debug flow trace stop
       # diag debug reset
       # diag debug disable
  5. This proves that the FortiGate can go out to the internet by IP.   The next step is to confirm if the FortiGate can resolve DNS names:# exec ping fortinet.com

    Any DNS name can be used.  The importance is not whether replies are received (given that some sites may simply block pings) but rather if the FortiGate is able to resolve the DNS name.  If it cannot, it will be necessary to double check the DNS settings from System > Network > DNS:


  6. [AV/IPS updates only] The FortiGate uses port 443 (same as HTTPS) to do AV and IPS updates.  The system time needs to be set correctly so the SSL layer works correctly.  Make sure system time is set correctly by going to System >Dashboard >  Status > "System Information" Widget > System Time.  Select [Change] to edit the system time or synchronize it to an NTP server.

  7. [Web Filter/Spam Filter only] Web Filter and Spam Filter use one of the two available ports 53 and 8888.  If the FortiGate is not able to reach the FortiGuard servers using one of them, it is worth trying the other.   The ports can be switched by going to System > Config > FortiGuard > Web Filtering and Email Filtering Options > Port Selection.
  8. The source port is the port the FortiGate will use when contacting the FortiGuard servers.  The problem is that some ISPs block some of the lower ports used by the FortiGate. This can be changed by running the commands:

       # config system global
       # set ip-src-port-range 1050-25000
       # end

    When completed the following command should be used to restart the service:

       # diag test app url 99

  9. The FortiGate will contact "service.fortiguard.net" by default to get updates.  This setting can be overridden and the server IP set manually but this is highly not recommended. Any overrides can be disabled by running the commands:

       # config system fortiguard
       # set srv-ovrd disable
       # end


  10. If the issue is still not resolved, the following commands can be used:

       # diag debug enable
       # diag debug application update 255
       # exec update-now

    You can also use the sniffer command to see the traffic on the packet level:
    For AV/IPS

       # diag sniff packet any 'port 443'

    For Web filter/Spam filter

       # diag sniff packet any 'port 53 or port 8888'

    Article "Verifying and troubleshooting AV & IPS updates status and versions" dives deeper into these commands.
If the problem has still not been resolved, open a ticket with Fortinet support to assist with troubleshooting.  Please include the outputs of the debug commands that have already been performed.
Internal Notes
I wanted to edit article "Antivirus update troubleshooting tips" but there where too many changes needed. I thought creating a new article is easier.

Related Articles

Technical Tip: Verifying and troubleshooting FortiGuard updates status and versions

Troubleshooting Tool: Using the FortiOS built-in packet sniffer

Troubleshooting Tip : First steps to troubleshoot connectivity problems to or through a FortiGate wi...

Contributors