FortiMail provides advanced, multi-layer protection against the full spectrum of email-borne threats
Article Id 198632
This article provides some basic troubleshooting which can be used when a FortiMail device is not able to register to the FortiGuard Servers.

Check that the FortiMail has connection with the following URLs:
# execute ping
# execute ping

If the FortiMail is able to connect with those URLs, the following debug could be enabled to gather more detailed information about how the connection to the FortiGuard Servers is being performed:
# diagnose debug disable
# diagnose debug application updated 7
# diagnose debug enable
# execute update now

An output similar to the one displayed below shows which FortiGuard Server the FortiMail is trying to use for registration and it is can be seen that the connection is using TCP port 443 for encrypted traffic.
upd_daemon.c[783] upd_daemon-try update
upd_daemon.c[377] do_update-Starting scheduled UPDATE (not final retry)
upd_act.c[381] upd_act_update-Trying FDS with AcceptDelta=1
upd_comm.c[228] tcp_connect_fds-Proxy tunneling is disabled

If a FortiGate device or firewall from another vendor is being used to give internet access to the FortiMail make sure that there is no SSL deep inspection profile enabled into the policy created for it.

If there is no connection restriction into the Firewall that gives Internet access to the FortiMail then the following sniffer could be collected via CLI for further troubleshooting and analysis:
# diagnose sniffer packet any 'host X.X.X.X' 6 0 l

where X.X.X.X is the IP address of the FortiGuard Server collected when running the updated debug.

Open a new SSH session to the FortiMail or use the console included in the GUI interface to run following command:
# execute update now

Let the sniffer run for a while and disable the sniffer using CTRL+C when the output stops to display information.

Related Articles

Technical Note: FortiMail unit can not connect to FortiGuard service