FortiManager
lingky88
Staff
Article Id 241487
Description

This article explains how to troubleshoot an issue where the local FortiGate shows that the FortiGuard service is unavailable. This issue only occurs when FortiManager is configured as a Local FortiGuard Distribution Server (FDS).

Scope

FortiManager & FortiGate.
Solution

1) When the following error displays on the local FortiGate, it means that the FortiGate is unable to connect to FortiManager to get FDS updates:

[Screenshot lingky88_0-1672384017949.png: FortiGate showing the FortiGuard service as unavailable]

2) Run the following CLI debug commands to check the error:

# diagnose debug application update -1
# diagnose debug enable
# execute update-now

Sample error message:

[359] __ssl_crl_verify_cb: Cert error 20, unable to get local issuer certificate. Depth 0
pack_obj[202]-Packing obj=Protocol=3.0|Command=Setup
get_fcpr_response[348]-Wan ip=[103.105.215.2]
upd_comm_disconnect_fds[499]-Disconnecting FDS 173.243.140.6:443

3) The configuration on FortiGate includes the following:

# config system central-management
    config server-list
        edit 1
            set server-type update rating
            set addr-type ipv4
            set server-address 10.10.10.1
        next
    end
    set include-default-servers enable
end

4) From this output, it can be seen that the FortiGate is configured to use FortiManager for FortiGuard services. The server type 'update rating' means the FortiGate sends both kinds of FortiGuard traffic to FortiManager: rating queries (web filtering, antispam, etc.) and package updates (antivirus, IPS, etc.). The 'include-default-servers' parameter is enabled, which allows the FortiGate to fall back to the public FortiGuard servers when FortiManager is unavailable.

 

5) Run 'diagnose debug rating' on the FortiGate and check the results to see whether both the FortiManager IP and the IP of the public FortiGuard server are listed.

[Screenshot lingky88_3-1672384456631.png: output of 'diagnose debug rating' listing the FortiManager and public FortiGuard server IPs]

6) FortiGate can use several ports to communicate with FortiGuard. If HTTPS port 443 is not working, anycast must be disabled before the port can be changed. After disabling anycast, switch to UDP port 8888:

# config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 8888
end

7) Once the changes have been made, check the availability again. The service availability should now show as 'available'.

[Screenshot lingky88_0-1672387340444.png: FortiGate showing the FortiGuard service as available]
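The steps above are a manual read of two pieces of FortiGate output: the update daemon's debug lines and the central-management configuration. The following script is an added example (not Fortinet tooling, not from this article's author) that automates that read for triage: it extracts the certificate-verification error and the FDS disconnect from the debug output, extracts the server-list entries and the 'include-default-servers' flag from the configuration, and reports whether the pattern matches the local-FDS case described here. The log lines and configuration embedded in it are constructed from the article's own excerpts; the function and field names are the example's own.

```python
"""Triage helper for the 'FortiGuard service unavailable' symptom on a
FortiGate that uses FortiManager as its local FDS.

Added example: parses the output shown in the article, not Fortinet code.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input, copied from the article's excerpts.
UPDATE_DEBUG = """\
[359] __ssl_crl_verify_cb: Cert error 20, unable to get local issuer certificate. Depth 0
pack_obj[202]-Packing obj=Protocol=3.0|Command=Setup
get_fcpr_response[348]-Wan ip=[103.105.215.2]
upd_comm_disconnect_fds[499]-Disconnecting FDS 173.243.140.6:443
"""

CENTRAL_MGMT = """\
config system central-management
    config server-list
        edit 1
            set server-type update rating
            set addr-type ipv4
            set server-address 10.10.10.1
        next
    end
    set include-default-servers enable
end
"""

CERT_ERR_RE = re.compile(r"Cert error (\d+), (.+?)\. Depth (\d+)")
FDS_DISCONNECT_RE = re.compile(r"Disconnecting FDS ([\d.]+):(\d+)")


@dataclass
class UpdateDebug:
    cert_errors: list = field(default_factory=list)       # (code, reason, depth)
    disconnected_fds: list = field(default_factory=list)  # (ip, port)


def parse_update_debug(text: str) -> UpdateDebug:
    """Pull TLS verification failures and FDS disconnects out of
    'diagnose debug application update -1' output."""
    result = UpdateDebug()
    for line in text.splitlines():
        m = CERT_ERR_RE.search(line)
        if m:
            result.cert_errors.append((int(m.group(1)), m.group(2), int(m.group(3))))
            continue
        m = FDS_DISCONNECT_RE.search(line)
        if m:
            result.disconnected_fds.append((m.group(1), int(m.group(2))))
    return result


@dataclass
class CentralManagement:
    servers: list = field(default_factory=list)  # one dict per 'edit' entry
    include_default_servers: bool = False


def parse_central_management(text: str) -> CentralManagement:
    """Minimal parser for the 'config system central-management' block."""
    cfg = CentralManagement()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = {"id": line.split(None, 1)[1]}
        elif line == "next" and current is not None:
            cfg.servers.append(current)
            current = None
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            if current is not None:
                current[key] = value          # attribute of the current server entry
            elif key == "include-default-servers":
                cfg.include_default_servers = (value == "enable")
    return cfg


def recommended_cli() -> str:
    """The port change the article applies in step 6: anycast off, UDP 8888."""
    return ("config system fortiguard\n    set fortiguard-anycast disable\n"
            "    set protocol udp\n    set port 8888\nend")


def diagnose(debug: UpdateDebug, cfg: CentralManagement) -> dict:
    """Match the parsed output against the article's failure pattern:
    a local FDS configured for updates, cert error 20, and a dropped
    HTTPS/443 FDS session."""
    local_fds = [s["server-address"] for s in cfg.servers
                 if "update" in s.get("server-type", "").split()]
    chain_failures = [e for e in debug.cert_errors if e[0] == 20]
    https_drops = [ip for ip, port in debug.disconnected_fds if port == 443]
    findings = []
    if local_fds:
        findings.append("FortiGate uses a local FDS (FortiManager) for updates: " + ", ".join(local_fds))
    if chain_failures:
        findings.append("TLS verification failed: cert error 20, unable to get local issuer certificate")
    for ip in https_drops:
        where = "the configured local FDS" if ip in local_fds else "a server not in server-list"
        findings.append(f"HTTPS/443 FDS session to {ip} ({where}) was torn down")
    if cfg.include_default_servers:
        findings.append("include-default-servers is enabled: public FortiGuard is the fallback")
    matches = bool(local_fds and chain_failures and https_drops)
    return {"matches_local_fds_case": matches, "findings": findings,
            "remediation": recommended_cli() if matches else None}


if __name__ == "__main__":
    report = diagnose(parse_update_debug(UPDATE_DEBUG), parse_central_management(CENTRAL_MGMT))
    for item in report["findings"]:
        print("-", item)
    if report["remediation"]:
        print("\nSuggested change (article step 6):\n" + report["remediation"])
```

Paste your own debug output and configuration into the two strings to run it against a real device. The match is deliberately conservative: all three conditions (local FDS for updates, cert error 20, a dropped 443 session) must be present before it points at the step 6 port change, so an unrelated update failure is not misreported as this case.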

 

Related link: 

Technical Tip: Configure FortiManager as a local FDN server for FortiGates