Hello,
When I try to access the FortiGate from the web, I get a certificate error.
Also, registration is showing unreachable.
I tried to run the commands below; please check the result:
1- execute traceroute www.fortiguard.com
traceroute to www.fortiguard.com (208.91.114.28), 32 hops max, 84 byte packets
1 * * *
2 * * *
3 * * *
4 * *
2- # exec ping service.fortiguard.com
Unable to resolve hostname
Please advise me on how to solve this issue.
Thanks
See to it that you have properly registered your unit through the support.fortinet.com website.
Under your FortiGate, check your DNS settings and default route. Under the CLI console, are you able to ping
your external default route? Or even 8.8.8.8?
Fortigate Newbie
1st, I'm 100% sure of the following:
2- # exec ping service.fortiguard.com Unable to resolve hostname
is not the correct name for the FortiGuard service.
2nd, you can run the diagnostic test cmd to check what update servers are being used.
PCNSE
NSE
StrongSwan
Please tell me how to diagnose,
because I am new in this field, just 3 weeks.
And what about the certificate error?
Thanks for the reply.
The address to ping is: service.fortiguard.net. Try that address as well.
Running 'diag autoupdate status' will show you the last attempt (and its result) to reach FortiGuard. Running 'diag autoupdate versions' will show the attempts (and results) for updates to all FortiGuard services, as well as the FDS server selected (if any).
Finally, 'diag debug rating' will list all FortiGuard servers returned for web filtering queries, as long as at least one firewall policy already has a web filter profile applied with FortiGuard web filtering activated.
The certificate error is more easily explained: the FortiGate uses a self-signed certificate by default, which your browser doesn't instantly trust. Add the certificate to your browser's/host's trusted root CA store, or else you can purchase and apply a trusted third-party certificate for the FortiGate signed by a recognized CA.
Regards, Chris McMullan Fortinet Ottawa
Thanks for the reply.
I ran the commands that you gave me and got the result below:
FG200D4614808713 # diagnose autoupdate status
FDN availability: unavailable at Tue Apr 7 17:05:57 2015
Push update: disable
Scheduled update: enable
Update daily: 1:25
Virus definitions update: enable
IPS definitions update: enable
Push address override: disable
Web proxy tunneling: disable
FG200D4614808713 #
FG200D4614808713 # diagnose autoupdate versions
AV Engine
---------
Version: 5.00155
Contract Expiry Date: n/a
Last Updated using manual update on Mon Jul 21 10:51:00 2014
Last Update Attempt: Tue Apr 7 09:59:12 2015
Result: Connectivity failure
Virus Definitions
---------
Version: 16.00560
Contract Expiry Date: n/a
Last Updated using manual update on Fri Oct 19 08:31:00 2012
Last Update Attempt: Tue Apr 7 09:59:12 2015
Result: Connectivity failure
Extended set
---------
Version: 1.00000
Contract Expiry Date: n/a
Last Updated using manual update on Wed Oct 17 15:46:00 2012
Last Update Attempt: Tue Apr 7 09:59:12 2015
Result: Connectivity failure
Attack Definitions
---------
Version: 4.00345
Contract Expiry Date: n/a
Last Updated using manual update on Thu May 23 00:39:00 2013
Last Update Attempt: Tue Apr 7 09:59:12 2015
Result: Connectivity failure
Attack Extended Definitions
---------
Version: 0.00000
Contract Expiry Date: n/a
Last Updated using manual update on Mon Jan 1 00:00:00 2001
Last Update Attempt: Tue Apr 7 09:59:12 2015
Result: Connectivity failure
Flow-based Virus Definitions
---------
Version: 10.00974
Contract Expiry Date: n/a
Last Updated using manual update on Thu Oct 22 01:00:00 2009
Last Update Attempt: Tue Apr 7 09:59:12 2015
Result: Connectivity failure
Botnet Definitions
---------
Version: 1.00000
Contract Expiry Date: n/a
Last Updated using manual update on Mon May 28 22:51:00 2012
Last Update Attempt: Tue Apr 7 09:59:12 2015
Result: Connectivity failure
IPS Attack Engine
---------
Version: 2.00189
Contract Expiry Date: n/a
Last Updated using manual update on Thu Jun 26 17:03:00 2014
Last Update Attempt: Tue Apr 7 09:59:12 2015
Result: Connectivity failure
Vulnerability Compliance and Management
---------
Version: 1.00297-L
Contract Expiry Date: n/a
Last Updated using manual update on Wed Dec 17 12:52:00 2014
Last Update Attempt: n/a
Result: Updates Installed
Modem List
---------
Version: 1.031
Device and OS Identification
---------
Version: 1.00024
Contract Expiry Date: n/a
Last Updated using manual update on Tue Jan 29 20:42:00 2013
Last Update Attempt: n/a
Result: Updates Installed
IP Geography DB
---------
Version: 1.027
Contract Expiry Date: N/A
Last Update Date: Fri Jul 4 01:35:03 2014
FDS Address
---------
Please advise me.
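An added example, not part of any post in this thread: a Python sketch that parses 'diagnose autoupdate versions' output like the one posted above and lists the components whose last update failed or whose last successful update is older than a threshold. The function names, the 30-day threshold and the trimmed sample are assumptions made for illustration.

```python
import re
from datetime import datetime

SAMPLE = """\
Virus Definitions
---------
Version: 16.00560
Contract Expiry Date: n/a
Last Updated using manual update on Fri Oct 19 08:31:00 2012
Last Update Attempt: Tue Apr 7 09:59:12 2015
Result: Connectivity failure
Vulnerability Compliance and Management
---------
Version: 1.00297-L
Contract Expiry Date: n/a
Last Updated using manual update on Wed Dec 17 12:52:00 2014
Last Update Attempt: n/a
Result: Updates Installed
Modem List
---------
Version: 1.031
"""  # constructed sample: three components copied from the output posted in this thread
UPDATED = re.compile(r"Last Updated using (.+) on (\w{3} \w{3} +\d+ [\d:]+ \d{4})$")

def parse_versions(text):
    """Return {component: {field: value}}; a component name is the line above a dash rule."""
    sections, current, prev = {}, None, ""
    for line in map(str.strip, text.splitlines()):
        m = UPDATED.match(line)
        if line and set(line) == {"-"}:
            current = sections.setdefault(prev, {})
        elif m and current is not None:
            current["updated"] = datetime.strptime(m.group(2), "%a %b %d %H:%M:%S %Y")
        elif ": " in line and current is not None:
            key, _, value = line.partition(": ")
            current[key] = value
        prev = line
    return sections

def stale_components(sections, now, max_age_days=30):
    """List (name, age_days, result) where the last update failed or is older than the threshold."""
    findings = []
    for name, fields in sections.items():
        if "updated" not in fields:
            continue  # e.g. "Modem List" reports only a version
        age = (now - fields["updated"]).days
        if age > max_age_days or fields.get("Result") != "Updates Installed":
            findings.append((name, age, fields.get("Result")))
    return findings
```

Calling stale_components(parse_versions(SAMPLE), datetime(2015, 4, 7, 10, 0)) reports the virus definitions as 900 days old with a connectivity failure, which is the condition a unit that cannot reach FortiGuard ends up in.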
What was the result when trying to ping service.fortiguard.net? Can you resolve any other FQDNs successfully within the Fortinet sphere, like...
guard.fortiguard.net
update.fortiguard.net
etc.
Regards, Chris McMullan Fortinet Ottawa
Hello, thanks for the reply.
FG200D4614808713 # exec ping guard.fortiguard.net
PING guard.fortinet.net (208.91.112.198): 56 data bytes
--- guard.fortinet.net ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
FG200D4614808713 # exec ping update.fortiguard.net
PING fds1.fortinet.com (208.91.112.68): 56 data bytes
--- fds1.fortinet.com ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
FG200D4614808713 # exec ping service.fortiguard.net
PING guard.fortinet.net (208.91.112.196): 56 data bytes
--- guard.fortinet.net ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
FG200D4614808713 #
I tried to ping and got the above result.
Thanks again.
So, your gateway responds to ARP requests from the FortiGate, and no ICMP messages (ping replies or otherwise) are received back, but the attempts time out.
Could you run a sniff on those IPs when you try to ping? You'd need an SSH session open as well as the CLI widget in the GUI, or else two SSH sessions.
First session:
diag sniff pack any "host w.x.y.z" 4 //--use one of the IPs that the above FQDNs resolve to
<attempt to ping, then press Ctrl+C to stop the capture>
Second session:
exec ping w.x.y.z
If the pings leave the WAN interface, and you don't see any reply back, as long as the parameters of the packets are correct, it may be an upstream issue.
Regards, Chris McMullan Fortinet Ottawa