romgo
New Contributor

FortiGuard firewall rule

Hi,

My firewall (running 6.2.6) is directly connected to the Internet. We have an IPS license and I figured out that the IPS update failed silently.

Looking at the logs I see that FortiOS is trying to reach some random IP at FortiGuard. First I created a rule as follows:

 src: firewall
 dst: update.fortiguard.net & service.fortiguard.net
 service: https

but this was not enough.

I can see traffic towards those IPs:

 12.34.97.16
 96.45.33.85
 96.45.33.106
 173.243.132.64
 173.243.138.69
 173.243.138.210
 206.47.184.1
 206.47.184.6
 208.91.113.75
 208.91.113.109
 208.91.113.184
 209.222.136.6

I would like to be able to specify the destination properly, because currently the destination is ALL.

Thanks
emnoc
Esteemed Contributor III

You don't need a rule for the FortiGate to get to the FortiGuard site(s).

1: Did you try to ping them? "execute ping x.x.x.x"

2: Did you run any diag debug flow?

3: Are you 100% sure the unit is licensed and registered correctly?

 diag debug application update -1
 diag debug enable
 execute update-now

4: If you have done all of the above and ensured that no upstream device is filtering you, open a ticket with support.

Ken Felix
PCNSE
NSE
StrongSwan
Toshi_Esumi

Since you have support, opening a ticket is probably the quickest way to solve your problem. But I just wanted to add two more commands to Ken's debug commands to check the updates:

 diag autoupdate status
 diag autoupdate versions

Then, I wanted to remind you that you need to have at least one policy using IPS to get the attack definitions or attack extended definitions updated. Otherwise, updates won't happen even if it's enabled.

emnoc
Esteemed Contributor III

Then, I wanted to remind you that you need to have at least one policy using IPS to get the attack definitions or attack extended definitions updated. Otherwise, updates won't happen even if it's enabled.

I think that behavior has changed over the last few years: IPS-ETDB will not update, but IPS-DB and the IPS malicious URL database will. Just wanted to point that out.

For the OP, one more item to check is your logs:

 execute log filter category 1
 execute log display

Wait a few seconds for the logs to display after you do "execute update-now", and the logs will show you pass/fail and what FortiGuard server you hit. Depending on where you're at, it's probably going to be 173.243.xxx.xxx.

If you're in a pinch, you can log in, find your IPS update and manually download and upload it to the FortiGate.

Ken Felix
PCNSE
NSE
StrongSwan
romgo
New Contributor

Hi,

 

I tried to run your commands, but those commands don't exist on my 6.2.6 firewall:

 execute update-now
 diag autoupdate status
 diag autoupdate versions

I'm very surprised that I don't need a rule for the FortiGate to get to the FortiGuard site(s), because I saw the dropped packets on FortiAnalyzer. And to solve my issue I had to create a new rule to allow the flow.

 

I do have some rules with IPS enabled.

 

Regards,

emnoc
Esteemed Contributor III

If you're in a multi-VDOM setup, you need to run those commands from the global context, not the root VDOM.

Also, if your firewall is behind another device and DNS is broken, you will get the following error:

3: date=2020-12-31 time=07:47:23 logid="0100038404" type="event" subtype="system" level="error" vd="root" eventtime=1609429643716020201 tz="-0800" logdesc="FortiGuard hostname unresolvable" hostname="service.fortiguard.net" msg="unable to resolve FortiGuard hostname"

You either have bad DNS, filters upstream, etc. Did you try my suggested pings to those FortiGuard IPv4 addresses you posted earlier? service.fortiguard.net is geo-LB and will resolve back to one of the many addresses.

Ken Felix
PCNSE
NSE
StrongSwan
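As an added example that is not from this thread or from Fortinet, the following Python script parses FortiOS key=value log lines such as the event Ken pasted and flags the two failure signs discussed here: the "FortiGuard hostname unresolvable" event and denied traffic to the FortiGuard addresses romgo listed. Only the first sample line is the event from the thread; the traffic lines and their field values are constructed.

```python
import re
from typing import Dict, List

# Addresses the original poster saw the FortiGate contacting (from the thread).
FORTIGUARD_IPS = {
    "12.34.97.16", "96.45.33.85", "96.45.33.106", "173.243.132.64",
    "173.243.138.69", "173.243.138.210", "206.47.184.1", "206.47.184.6",
    "208.91.113.75", "208.91.113.109", "208.91.113.184", "209.222.136.6",
}
# FortiOS log lines are space-separated key=value pairs; values with spaces
# are double-quoted. "execute log display" prefixes each line with "N: ".
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortios_log(line: str) -> Dict[str, str]:
    # Strip the "N: " display prefix, then collect every key=value field.
    line = re.sub(r"^\s*\d+:\s*", "", line)
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _FIELD.finditer(line)}

def classify(line: str) -> str:
    """Return 'dns', 'blocked' or 'ok' for one log line."""
    f = parse_fortios_log(line)
    if f.get("logdesc") == "FortiGuard hostname unresolvable":
        return "dns"          # name resolution failure (Ken's pasted event)
    if (f.get("type") == "traffic" and f.get("action") == "deny"
            and f.get("dstip") in FORTIGUARD_IPS and f.get("dstport") == "443"):
        return "blocked"      # a policy dropped the update traffic itself
    return "ok"

def triage(lines: List[str]) -> Dict[str, List[str]]:
    # Group the log lines by the failure sign they show.
    out: Dict[str, List[str]] = {"dns": [], "blocked": [], "ok": []}
    for line in lines:
        out[classify(line)].append(line)
    return out

# Constructed sample: the first line is the event pasted in the thread, the
# traffic lines are made up to show a denied and an accepted update attempt.
SAMPLE_LOG = [
    '3: date=2020-12-31 time=07:47:23 logid="0100038404" type="event" subtype="system" '
    'level="error" vd="root" eventtime=1609429643716020201 tz="-0800" '
    'logdesc="FortiGuard hostname unresolvable" hostname="service.fortiguard.net" '
    'msg="unable to resolve FortiGuard hostname"',
    '4: date=2020-12-31 time=07:47:31 type="traffic" subtype="local" vd="root" '
    'srcip=192.0.2.10 dstip=173.243.138.69 dstport=443 action="deny" policyid=0',
    '5: date=2020-12-31 time=07:48:05 type="traffic" subtype="local" vd="root" '
    'srcip=192.0.2.10 dstip=173.243.138.69 dstport=443 action="accept" policyid=7',
]
if __name__ == "__main__":
    for label, hits in triage(SAMPLE_LOG).items():
        print(f"{label}: {len(hits)} line(s)")
```

Feed it the output of "execute log display" after an "execute update-now" to see at a glance whether the failure is name resolution or a policy dropping the update flow.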