FortiMail
Article Id 192524

Description

 

This article describes how to troubleshoot a FortiMail unit that cannot connect to the FortiGuard service.

 

Scope

 

FortiMail.

 

Solution

 

FortiGuard Antivirus and FortiGuard Antispam subscription services use multiple types of connections with the FortiGuard Distribution Network (FDN). For details on verifying the FDN connection, see the FortiMail Administration Guide.

For all FortiGuard connection types, it is necessary to satisfy the following requirements:

  • Register the FortiMail with the Fortinet Technical Support website, https://support.fortinet.com/.
  • Obtain a trial or purchased service contract for FortiGuard Antispam and/or FortiGuard Antivirus, and apply it to the FortiMail unit. If there are multiple FortiMail units, including those operating in high availability (HA), it is necessary to obtain separate contracts for each FortiMail unit. It is possible to view the service contracts applied to each of the registered FortiMail units by visiting the Fortinet Technical Support website, https://support.fortinet.com/.
  • Configure the FortiMail unit to connect with a DNS server that can resolve the domain names of FortiGuard servers.
  • Configure the FortiMail unit with at least one route so that the FortiMail unit can connect to the Internet.

Verify the DNS and routing requirements by using the following CLI commands:

 

execute nslookup name antispam.fortigate.com
Name:    antispam.fortigate.com
Address: 208.91.112.194        [DNS resolution achieved]
Name:    antispam.fortigate.com
Address: 216.156.209.26
Name:    antispam.fortigate.com
Address: 82.71.226.65

execute ping antispam.fortigate.com
PING antispam.fortigate.com (208.91.112.194): 56 data bytes
64 bytes from 208.91.112.194: icmp_seq=0 ttl=50 time=172.8 ms  [Routing and connectivity with antispam servers achieved for previously returned addresses]

 

If these requirements have been satisfied, verify the following requirements specific to the type of connection that is failing.

Scheduled updates (FortiGuard Licensing and Updates for Antivirus)

  • Configure the system time of the FortiMail, including its time zone.
  • Intermediary firewall devices must allow the FortiMail unit to use HTTPS on TCP/443 to connect to the FDN.
  • If the FortiMail connects to the Internet through a proxy:
    When running FortiMail v4.x, use the CLI command 'config system fortiguard antivirus'.
    For more information, see the FortiMail CLI Reference.
  • Override the FortiGuard server to which the FortiMail unit is connecting, and connect to one other than the default server for the time zone.

Push updates (FortiGuard Updates for Antivirus)

  • Satisfy all requirements for scheduled updates (above).
  • If there is a NAT device installed between the FortiMail unit and the FDN, it is necessary to configure it to forward push traffic (UDP port 9443) to the FortiMail unit. It is also necessary to configure "Use override push IP". For more information, see the FortiMail Administration Guide. Intermediary firewall devices may need to allow the FortiMail unit to use HTTPS on TCP/8890 to connect to the FDN.

Rating queries (FortiGuard Antispam Licensing information and queries)

  • Intermediary firewall devices must allow the FortiMail unit to use UDP/8888, UDP/8889, or UDP/53 to connect to the FDN servers. The port to allow depends on the current FortiGuard Antispam Options.

If one of the devices on the network is interfering with connectivity, it is possible to analyze traffic and verify that the FortiMail unit is sending and receiving traffic on the required port numbers by using the CLI command diagnose sniffer to perform packet capture. If traffic is being corrupted or interrupted, it is possible to perform packet capture at additional points on the network to locate the source of the interruption.

 

The following is a sample sniffer trace taken while troubleshooting Antispam license information on v4.x.

 

diagnose sniffer  packet any 'port 8889 or port 8888 or port 53' 4 0 a
interfaces=[any]
filters=[port 8889 or port 8888 or port 53]
2010-10-27 12:40:19.050364 port1 out 82.x.x.x.59730 -> 82.71.226.65.8889: udp 64
2010-10-27 12:40:21.010452 port1 out 82.x.x.x.59730 -> 208.91.112.194.8889: udp 64
2010-10-27 12:40:23.010565 port1 out 82.x.x.x.59730 -> 216.156.209.26.8889: udp 64
[All FDS requests using port UDP/8889 seem to be filtered, as no packet is returned]

diagnose sniffer  packet any 'port 8889 or port 8888 or port 53' 4 0 a
interfaces=[any]
filters=[port 8889 or port 8888 or port 53]
2009-10-27 13:13:51.862011 port1 out 82.x.x.x.50210 -> 208.91.112.194.53: udp 33
2009-10-27 13:13:51.867646 port1 in 208.91.112.194.53 -> 82.x.x.x.50210: udp 33
[After reconfiguration to use port UDP/53, packets are replied to correctly]

For details on using FortiMail packet capture for troubleshooting, see the FortiMail Install Guide.
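
The request/reply comparison done by eye in the sample traces above can be scripted when a capture is long. The following Python script is an added example, not part of the original article or of any Fortinet tooling; the sample trace is constructed with documentation addresses, and the line pattern is assumed from the verbosity-4 sniffer output shown above.

```python
import re

# Constructed sample in the layout of 'diagnose sniffer packet any ... 4 0 a'
# output. Addresses are documentation ranges, not values from the article.
SAMPLE = """\
interfaces=[any]
filters=[port 8889 or port 8888 or port 53]
2024-01-01 12:40:19.050364 port1 out 192.0.2.10.59730 -> 198.51.100.1.8889: udp 64
2024-01-01 12:40:21.010452 port1 out 192.0.2.10.59730 -> 198.51.100.2.8889: udp 64
2024-01-01 12:40:23.010565 port1 out 192.0.2.10.59730 -> 198.51.100.3.8889: udp 64
2024-01-01 13:13:51.862011 port1 out 192.0.2.10.50210 -> 198.51.100.2.53: udp 33
2024-01-01 13:13:51.867646 port1 in 198.51.100.2.53 -> 192.0.2.10.50210: udp 33
"""

# date time interface direction src.port -> dst.port: udp length
# \S+ for the address also accepts masked values such as 82.x.x.x
LINE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\S+)\.(?P<sport>\d+) -> (?P<dst>\S+)\.(?P<dport>\d+): udp \d+"
)

def summarize(trace):
    """Per remote UDP port: distinct outbound flows, flows answered, silent servers."""
    sent, answered = set(), set()
    for line in trace.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # command echo, interfaces=/filters= headers, annotations
        if m["dir"] == "out":
            sent.add((m["src"], m["sport"], m["dst"], m["dport"]))
        else:
            # A reply has source and destination reversed; store it in request order.
            answered.add((m["dst"], m["dport"], m["src"], m["sport"]))
    report = {}
    for flow in sorted(sent):
        entry = report.setdefault(int(flow[3]), {"flows": 0, "replies": 0, "silent": []})
        entry["flows"] += 1
        if flow in answered:
            entry["replies"] += 1
        else:
            entry["silent"].append(flow[2])
    return report

if __name__ == "__main__":
    for port, e in sorted(summarize(SAMPLE).items()):
        state = "no replies, likely filtered upstream" if e["replies"] == 0 else "answered"
        print(f"UDP/{port}: {e['flows']} flows sent, {e['replies']} answered ({state})")
```

A port where every flow is listed as silent points to an intermediary device dropping that traffic; a port with only some silent servers points to a problem with individual FDN servers or routes.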

 

Use the following commands in the FortiMail CLI to debug and verify the update process for further troubleshooting:

 

diagnose debug application updated 7

diagnose debug enable

execute update now

 

These commands are also available in FortiMail versions 6.x and 7.x.