Help
FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
ckarwei
Staff
Staff

Created on ‎10-13-2020 04:22 AM Edited on ‎12-15-2025 09:27 PM By Staff

Article Id 198648

Technical Tip: Verifying FortiGuard connectivity on FortiManager

Description


This article describes how to verify and troubleshoot FortiGuard connectivity on FortiManager.

Anti-virus updates will be used as example.

 

Scope

 

FortiManager.

Solution

 

The terminology used in this document:

  • FDS= FortiGate AV/IPS.
  • FGD= FortiGate Web-/Email filter.
  • AV= Anti-Virus.
  • IPS= Intrusion Prevention System.
  • WF= Web-Filtering.
  • AS= Anti-Spam

 

  1. Ensure that FortiManager is able to populate the product support coverages of the managed firewall.
    Go to FortiGuard -> Device Licenses.

    FortiGuard - Device Licenses.png

     

  1. Ensure that FortiGuard communication is enabled. Go to FortiGuard > Settings.
AntiVirus and IPS Service needs to be 'ON' and FortiGate/FortiMail/FortiSandbox/FortiClient/FortiSwitch version has to be checked.
FortiProxy has the same service as FortiGate.
 
FGD Communication.png

 

Device Version.png

 

  1. Verify that service access for FortiGate Updates (FDS) or Web Filtering (FGD) is enabled on the FortiManager management interface.
    Go to System Settings > Network > Port#
The managed unit will not be able to get the update if it is not enabled.
  
Port Settings.png
 
  1. Check the FDS server list.
From the CLI, use the following command:
 
diagnose fmupdate view-serverlist fds
 
96.45.33.87 means this is the current active FDS server. FortiManager will use the next available server, 173.243.138.92 if it fails to connect to 96.45.33.87.
 
  1. Verify the connectivity using ping and a packet sniffer.

 

execute ping <current fds server>

execute ping fds1.fortinet.com

execute ping <the DNS server>

diagnose fmupdate test ping-server

 

Unlike the standard execute ping command, which tests basic ICMP reachability, the diagnose fmupdate test ping-server verifies service-level connectivity to the FortiGuard update infrastructure. This command attempts to establish a TCP connection to the FortiGuard update server, validating that FortiManager can reach the update service at the application layer. It tests the initial TCP communication required for FortiGuard update downloads, typically over TCP port 443.

 

fmupdate test.png

A packet capture can be run in parallel to observe the TCP connection attempt to the FortiGuard Distribution Server (FDS):

diagnose sniffer packet any “host <current fds server> and port 443”

 

Alternatively, to capture all traffic to/from the FDS server regardless of port:

 

diagnose sniffer packet any 'host <current_FDS_server>' 4 a

  1.  Check the FDS connectivity log with the command below:

 

diagnose fmupdate view-linkd-log fds

2020/10/13_20:46:14.608 info    fds_svrd[32057]: Start fds client session to '96.45.33.87                :443', task = POLL svc=1
2020/10/13_20:46:15.509 info    fds_svrd[32057]: [FMG-->FDS] Request: Protocol=3.0|Command=Poll|Firmware=FMG-VM64-KVM-FW-6.04-2122|SerialNumber=FMG-VM0000000001|Persistent=false|AcceptDelta=0^M ^M
2020/10/13_20:46:16.580 info    fds_svrd[32057]: FCP_CONN:: receiving package: num_objects=3 total_size=1112
2020/10/13_20:46:16.580 info    fds_svrd[32057]: FCP_CONN:: received object: id=00000000FCPR00000 ver=00000.00000-2010130946 size=176
2020/10/13_20:46:16.580 info    fds_svrd[32057]: [FDS-->FMG] Response: Protocol=3.0|Response=200|Firmware=FPT033-FW-6.7-0121|SerialNumber=FPT-FCS-DELL0048|Server=FDSG|Persistent=false|ResponseItem=00000000FCNI00000:200*00000000FDNI00000:200^M ^M
2020/10/13_20:46:16.580 info    fds_svrd[32057]: FCP_CONN:: received object: id=00000000FCNI00000 ver=00000.00000-2001201850 size=88
2020/10/13_20:46:16.580 info    fds_svrd[32057]: FCP_CONN:: received object: id=00000000FDNI00000 ver=00000.00000-2008010807 size=464
2020/10/13_20:46:16.581 info    fds_svrd[32057]: Check update with fds 96.45.33.87                 SUCCESS

 

  1. Check the antivirus version and release date/time. Go to FortiGuard -> Packages.
    Compare with FortiGuard.
 
Package.png

 

Perform a manual update with the command below:

 

diagnose fmupdate updatenow fds

 

Check the result of fmupdate updatenow with the below command, which will show the status for the latest update trial and the data of the latest update:

 

diagnose fmupdate update-status fgd
Service=fgd|Response=202|UpdatedDate=2024-04-19|UpdatedTime=03:56:28|Status=-1|UpullErr=Connect error|UpullServer=208.184.237.64|TotalObjNum=7|CurrentObj=7|DownloadSize=5737|TotalPackageSize=5737
Service=fgfq|Response=202|Status=0|UpullErr=|UpullServer=null|TotalObjNum=0|CurrentObj=0|DownloadSize=0|TotalPackageSize=0
Service=geoip|Response=202|UpdatedDate=2024-04-10|UpdatedTime=21:23:32|Status=-1|UpullErr=Connect error|UpullServer=140.174.22.70|TotalObjNum=3|CurrentObj=3|DownloadSize=1301|TotalPackageSize=1301

diagnose fmupdate update-status fds
Service=FGT|Response=202|UpdatedDate=2024-04-17|UpdatedTime=16:54:01|LastSuccessDate=2024-04-17|LastSuccessTime=16:54:02|Status=-1|UpullStat=Disconnected|UpullErr=Connect error|UpullServer=208.184.237.68|TotalObjN
um=1|CurrentObj=1|DownloadSize=248|TotalPackageSize=248

 

A manual update with the command below:

 

  1. Run the debug below if the FDS update still fails:

     
 
diagnose debug application fdssvrd 255
diagnose debug enable
 
Related documents:

Technical Tip: How to enable anycast in FortiManager/FortiAnalyzer for FortiGuard update

Technical Tip: Setting up FortiManager behind Web Proxy to act as standalone FortiGuard FDS server f....

Technical Tip: Configure FortiManager as a local FDN server for FortiGates

Technical Tip: How to configure FortiAnalyzer/FortiManager to use FortiManager as an FortiGuard serv...

FortiGuard server (in internal network without an Internet access)

Technical Tip: Configuration to use FortiManager as local FDS server

Fmupdate services

Interface

25200
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.