FortiGate
patelr
Staff
Article Id 226149
Description

This article explains possible reasons why FortiGate is unable to connect to FortiGuard servers and offers steps to troubleshoot the problem.

The 'Unable to connect to FortiGuard servers' error message can be seen in two places:

  1. Dashboard -> Status -> Licenses.
  2. System -> FortiGuard -> FortiGuard Updates.
Scope

FortiGate, FortiWeb.

Solution

The communication between FortiGate and FortiGuard for web filtering and antispam is different from the communication for antivirus and IPS.

  1. Check connectivity to FortiGuard servers by confirming that FortiGate correctly resolves the following hostnames:

exec ping service.fortiguard.net
exec ping update.fortiguard.net
exec ping guard.fortinet.net

If the DNS resolves, move to Step 2.

  2. Run 'diagnose debug rating' in the CLI:

diagnose debug rating

The output of 'diagnose debug rating' ('di de rating') displays flags next to the servers:

I: The server initially connected to validate the license and fetch the server list. Typically, only one server has this flag.

The IP address FortiGate received when resolving the name service.fortiguard.net. If the administrator has not overwritten the FortiGuard FQDN or IP address in the FortiGuard configuration, there are usually two or three servers with this flag.

S: The IP address FortiGate received from FortiManager.

T: The server is not replying to FortiGate queries.

F: The server is down.

If all servers in the list have F(ailed), this may mean either that all FortiGuard servers on the Fortinet side are down (unlikely), or that this FortiGate has a problem reaching them at the network level.

  3. If VDOMs are enabled, all communication to the FortiGuard network is initiated from the management/root VDOM only:

config sys global
    set management-vdom "root"
end

However, from firmware version 7.2 onwards in multi-VDOM mode, the VDOM from which FortiGuard services and updates are initiated can be chosen, instead of being locked to the management VDOM:

config global
    config system fortiguard
        set vdom "root"
    end
end

The VDOM specified should be able to reach the internet and resolve DNS queries.

To set up FortiGuard services on a non-management VDOM:

  • Specify the VDOM to be used under 'config system fortiguard'.
  • Ensure that the specific VDOM has connectivity to the internet.
  • FortiGate must be able to resolve DNS from within that VDOM, so that the FortiGuard services can resolve the server names using it.

  4. Verify AV & IPS Definitions and Filtering Services:

Check AV & IPS Definitions under System -> FortiGuard -> AntiVirus & IPS Updates -> Update AV and IPS Definitions.

Check Filtering Services under System -> FortiGuard -> Filtering.

Anycast servers: it is recommended to disable anycast and switch back to unicast servers:

config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 8888
    set sdns-server-ip 208.91.112.220    <-
end

For FortiGuard's SDNS rating service, there are two modes in FortiOS:

Mode 1: Unicast network, which uses DNS over UDP for FortiGate and FortiGuard transactions.

Mode 2: Anycast network (default), which uses DNS over TLS for FortiGate and FortiGuard transactions.

  • To use UDP/53:

config system fortiguard
    set fortiguard-anycast disable
    set sdns-server-ip "208.91.112.220"
end

  • To use DoT (TCP/853):

config system fortiguard
    set fortiguard-anycast enable
end

With anycast, FortiGate is only aware of a single server IP. This is a floating IP address that connects to the geographically closest server, and if that server is down, it points to another server instead. With unicast, FortiGate must maintain a list of servers that it tries; if one stops working, it switches over to another.

In many cases, problems related to FortiGuard are caused by ISPs. Some ISPs block traffic on port 53 that is not DNS or that contains large packets. In those cases, the solution is to use port 8888.

Other ISPs block traffic to HTTPS port 8888. In those cases, the solution is to use UDP port 53.

Related port information:

  • Encrypted Virus Samples auto-submitted to FortiGuard – 25.
  • DNS lookups – 53 UDP.
  • FortiGuard Server List requests to FortiGuard – 53 UDP.
  • AntiSpam or Web Filtering rating lookup queries to FortiGuard – 53 UDP or 8888 UDP.
  • URL/AS rating lookup queries to FortiGuard – 53 UDP.
  • Real-time Black List (RBL) lookup requests to RBL services – 53 UDP.
  • Fortinet Device Registration to FortiGuard – 80 HTTP.
  • Firmware and Signature Downloads from FortiGuard – 443 HTTPS.
  • FortiGuard Server List requests to FortiGuard – 1027 UDP / 1031 UDP.
  • AntiSpam and Web Filtering rating lookup requests – 1027 UDP / 1031 UDP.
  • AV/IPS Push / FortiGuard to FortiGate – 9443 UDP.

  5. To configure FortiGate to use worldwide servers or only servers located in the USA, run the following command in the CLI:

conf sys fortiguard
    set update-server-location [usa/any]
end

This can also be done under System -> FortiGuard -> FortiGuard Update in the GUI.

Some debug commands for FortiGuard:

di de reset
diagnose debug application update -1
diagnose debug enable

The following configuration can also fix various issues with FortiGuard servers. In this example, 212.48.23.12 is the IP of the interface facing the ISP router, and it is set as the source IP for both FortiGuard and DNS traffic:

config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 8888
    set sdns-server-ip 208.91.112.220
    set ddns-server-ip 173.243.138.225
    set source-ip 212.48.23.12
end

config system dns
    set primary 8.8.8.8
    set source-ip 212.48.23.12
end

Notes:

The outgoing interface for FortiGuard traffic can also be selected explicitly:

config system fortiguard
    set interface-select-method {auto|sdwan|specify}
    set interface <WAN interface>    <- used when interface-select-method is 'specify'
end

License errors may be found in two places as shown below:

  • Dashboard -> Status -> Licenses.
  • System -> Config -> FortiGuard.

  1. If DNS issues occur, the following output will be seen in the CLI:

[Screenshot: DNS issue with FortiGuard]

Verify DNS settings in FortiWeb under Network -> DNS.

Verify the reachability of the DNS IP. If the DNS is private, change to a public DNS and verify the connectivity. If the DNS resolves, check reachability. If there is any firewall, allow ICMP for FortiWeb.

  2. If there is any firewall in place, allow traffic to all destinations for testing purposes. If this fixes the license issue, the problem is at the firewall policy level.

  3. If all checks have been performed successfully, collect the following logs and share them in a ticket created with support:

di de application fds 7
di de application updated 7
di de enable
execute update-now

To disable the debug:

di de di

FortiGuard licenses and the communication to FortiGuard are viewable in the GUI under System -> FortiGuard, as well as in the CLI using the following command:

di autoupdate versions

The output is quite long, but it can be piped to grep:

di autoupdate versions | grep -A6 "IPS Attack Engine"

If the communication to FortiGuard is OK but the Web Filter is still shown as 'Disable' in the 'diag debug rating' output:

diag debug rating
Locale : english

Service : Web-filter
Status : Disable  <--

Service : Antispam
Status : Disable

Service : Virus Outbreak Prevention
Status : Disable

 

Also, the Web Filter should be licensed.

Check the firewall policy. If no Web Filter profile is configured in the firewall policy, the web filter is shown as disabled in the 'diag debug rating' output.
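As an added example (not Fortinet's code or device output), the following Python parses both parts of the 'diagnose debug rating' output discussed in this article, the server flag table from Step 2 and the per-service 'Status : Disable' lines from the section just above, and applies the article's checks: all servers flagged F means a network-level reachability problem, T means a server is not replying, and a disabled service needs its license and policy profile verified. The sample output is constructed to resemble the FortiOS layout and is not a capture from a real unit.

```python
import re

# Constructed sample in the shape of FortiOS 'diagnose debug rating' output
# (not captured from a real device; column layout is approximate).
SAMPLE = """\
Service      : Web-filter
Status       : Disable
License      : Contract

Service      : Antispam
Status       : Enable
IP                     Weight    RTT Flags TZ     FortiGuard-requests  Curr Lost  Total Lost
208.91.112.220          10       0    IF   -8      128                  3          3
173.243.138.225         20       0    F    -8      0                    0          0
"""

# Server rows: IP, weight, RTT, optional flag letters, then the time zone.
SERVER_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s+(?:([A-Z]+)\s+)?(-?\d+)")

def parse_rating(text):
    """Return {'services': {name: status}, 'servers': [{ip, weight, rtt, flags}]}."""
    services, servers, current = {}, [], None
    for line in text.splitlines():
        kv = re.match(r"^(\S[^:]*?)\s*:\s*(.*)$", line)  # 'Key : Value' lines
        if kv:
            key, value = kv.groups()
            if key == "Service":
                current = value
            elif key == "Status" and current:
                services[current] = value
            continue
        row = SERVER_RE.match(line)
        if row:
            ip, weight, rtt, flags, _tz = row.groups()
            servers.append({"ip": ip, "weight": int(weight), "rtt": int(rtt), "flags": set(flags or "")})
    return {"services": services, "servers": servers}

def triage(parsed):
    """Apply the article's checks; an empty list means nothing to act on."""
    findings, servers = [], parsed["servers"]
    if not servers:
        findings.append("no server list: the initial license/server-list fetch never succeeded")
    elif all("F" in s["flags"] for s in servers):
        findings.append("all servers flagged F: FortiGuard unreachable at the network level")
    findings += [f"{s['ip']} flagged T: not replying to queries" for s in servers if "T" in s["flags"]]
    for name, status in parsed["services"].items():
        if status.lower().startswith("disable"):
            findings.append(f"{name} disabled: check the license and that a profile is applied in the policy")
    return findings
```

Paste real 'diagnose debug rating' output into SAMPLE (or read it from a file) and call triage(parse_rating(text)) to get the list of items to act on.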