FortiMail
FortiMail provides advanced, multi-layer protection against the full spectrum of email-borne threats
Article Id 192524

FortiGuard Antivirus and FortiGuard Antispam subscription services use multiple types of connections with the FortiGuard Distribution Network (FDN). For details on verifying the FDN connection, see the FortiMail Administration Guide.

For all FortiGuard connection types, you must satisfy the following requirements:

  • Register your FortiMail unit with the Fortinet Technical Support web site, https://support.fortinet.com/.
  • Obtain a trial or purchased service contract for FortiGuard Antispam and/or FortiGuard Antivirus, and apply it to your FortiMail unit. If you have multiple FortiMail units, including those operating in high availability (HA), you must obtain separate contracts for each FortiMail unit. You can view service contracts applied to each of your registered FortiMail units by visiting the Fortinet Technical Support web site, https://support.fortinet.com/.
  • Configure your FortiMail unit to connect with a DNS server that can resolve the domain names of FortiGuard servers.
  • Configure your FortiMail unit with at least one route so that the FortiMail unit can connect to the Internet.

You can verify that you have satisfied DNS and routing requirements by using the CLI commands:

# execute nslookup host antispam.fortigate.com
Name:    antispam.fortigate.com
Address: 208.91.112.194        [DNS resolution achieved]
Name:    antispam.fortigate.com
Address: 216.156.209.26
Name:    antispam.fortigate.com
Address: 82.71.226.65


# execute ping antispam.fortigate.com
PING antispam.fortigate.com (208.91.112.194): 56 data bytes
64 bytes from 208.91.112.194: icmp_seq=0 ttl=50 time=172.8 ms  [Routing and connectivity with antispam servers achieved for previously returned addresses]




If you have satisfied these requirements, verify that you have also satisfied the following requirements specific to the type of connection that is failing.

Scheduled updates (FortiGuard Licensing and Updates for Antivirus)

  • Configure the system time of the FortiMail unit, including its time zone.
  • Intermediary firewall devices must allow the FortiMail unit to use HTTPS on TCP/443 to connect to the FDN.
  • If your FortiMail unit connects to the Internet through a proxy:
    When running FortiMail 4.x, use the CLI command 'config system fortiguard antivirus'.
    For more information, see the FortiMail CLI Reference.
  • You might need to override the FortiGuard server to which the FortiMail unit is connecting, and connect to one other than the default server for your time zone.

Push updates (FortiGuard Updates for Antivirus)

  • Satisfy all requirements for scheduled updates (above).
  • If there is a NAT device installed between the FortiMail unit and the FDN, you must configure it to forward push traffic (UDP port 9443) to the FortiMail unit. You must also configure "Use override push IP". For more information, see the FortiMail Administration Guide. Intermediary firewall devices may need to allow the FortiMail unit to use HTTPS on TCP/8890 to connect to the FDN.

Rating queries (FortiGuard Antispam Licensing information and queries)

  • Intermediary firewall devices must allow the FortiMail unit to use UDP/8888, UDP/8889, or UDP/53 to connect to the FDN servers. The port to allow depends on your current FortiGuard Antispam Options.

If you suspect that one of the devices on your network is interfering with connectivity, you can analyze traffic and verify that the FortiMail unit is sending and receiving traffic on the required port numbers by using the CLI command diagnose sniffer to perform packet capture. If traffic is being corrupted or interrupted, you may need to perform packet capture at additional points on your network to locate the source of the interruption.

The sample sniffer traces below were taken while troubleshooting antispam license information on FortiMail 4.x:

# diagnose sniffer  packet any 'port 8889 or port 8888 or port 53' 4 0 a
interfaces=[any]
filters=[port 8889 or port 8888 or port 53]
2010-10-27 12:40:19.050364 port1 out 82.x.x.x.59730 -> 82.71.226.65.8889: udp 64
2010-10-27 12:40:21.010452 port1 out 82.x.x.x.59730 -> 208.91.112.194.8889: udp 64
2010-10-27 12:40:23.010565 port1 out 82.x.x.x.59730 -> 216.156.209.26.8889: udp 64
[All FDS requests using port UDP/8889 seem to be filtered, as no packet is returned]

# diagnose sniffer  packet any 'port 8889 or port 8888 or port 53' 4 0 a
interfaces=[any]
filters=[port 8889 or port 8888 or port 53]
2009-10-27 13:13:51.862011 port1 out 82.x.x.x.50210 -> 208.91.112.194.53: udp 33
2009-10-27 13:13:51.867646 port1 in 208.91.112.194.53 -> 82.x.x.x.50210: udp 33

[After reconfiguration using port UDP/53 packets are replied correctly]
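The reading applied to the two traces above (requests going out, replies coming back or not) can be automated over saved sniffer output. The following is an added example, not part of the original article and not Fortinet code; the function names are hypothetical, and the sample trace and its addresses (documentation ranges) are constructed.

```python
import re
from collections import defaultdict

# One packet line of `diagnose sniffer packet any '<filter>' 4` output, in the
# layout shown in the traces above: date, time, interface, direction, then
# src.port -> dst.port: udp <length>
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\S+)\.(?P<sport>\d+) -> (?P<dst>\S+)\.(?P<dport>\d+): udp \d+"
)

# Constructed sample: three unanswered queries on UDP/8889, one answered on UDP/53.
SAMPLE_TRACE = """\
interfaces=[any]
filters=[port 8889 or port 8888 or port 53]
2024-01-01 12:40:19.050364 port1 out 192.0.2.10.59730 -> 198.51.100.1.8889: udp 64
2024-01-01 12:40:21.010452 port1 out 192.0.2.10.59730 -> 198.51.100.2.8889: udp 64
2024-01-01 12:40:23.010565 port1 out 192.0.2.10.59730 -> 198.51.100.3.8889: udp 64
2024-01-01 12:41:51.862011 port1 out 192.0.2.10.50210 -> 198.51.100.2.53: udp 33
2024-01-01 12:41:51.867646 port1 in 198.51.100.2.53 -> 192.0.2.10.50210: udp 33
"""

def summarize(trace_text):
    """Count requests sent to, and replies received from, each (server, port)."""
    stats = defaultdict(lambda: {"sent": 0, "replied": 0})
    for line in trace_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header lines such as interfaces=[any] / filters=[...]
        if m["dir"] == "out":
            stats[(m["dst"], int(m["dport"]))]["sent"] += 1
        else:
            stats[(m["src"], int(m["sport"]))]["replied"] += 1
    return dict(stats)

def silent_ports(trace_text):
    """Server ports that were sent requests but returned no packet at all,
    which suggests an intermediary device is filtering that port."""
    totals = defaultdict(lambda: [0, 0])
    for (_, port), s in summarize(trace_text).items():
        totals[port][0] += s["sent"]
        totals[port][1] += s["replied"]
    return sorted(p for p, (sent, replied) in totals.items() if sent and not replied)

if __name__ == "__main__":
    for (server, port), s in sorted(summarize(SAMPLE_TRACE).items()):
        print(f"{server}:{port} sent={s['sent']} replied={s['replied']}")
    print("ports with no replies:", silent_ports(SAMPLE_TRACE))
```

A port reported as silent only shows that no reply reached the capturing interface; capture at additional points on the network to find which device drops the traffic.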




For details on using FortiMail packet capture for troubleshooting, see the FortiMail Install Guide.

 

 
