AEF
New Contributor

update Fortigate 110C

Hi, in my FortiGate 110C I have 2 WAN ports that give access to the internet, but I can't do the automatic update of the firewall. The ping doesn't work from the firewall (FortiGate 110C) to the internet; the connection works for protocols 80, 443. What should I do to make the update work? Thank you in advance.
Dave_Hall
Honored Contributor

@AEF By updates, I am assuming you mean the FortiGuard Services. On the dashboard, does the License Information widget show the 110C has a valid/registered support contract and that the (FortiGuard) services are reachable?

Not in front of a fgt running the newer firmware, but the FortiGuard panel should still be the same/similar as on 4.0 MR3 (System->Config->FortiGuard) -- can you confirm the FortiGuard Subscription Services are all activated? After this, expand the "AV & IPS Download Options" section and click on the [Update Now] button. Under "Web Filtering and Email Filtering Options" the port section should indicate the FortiGuard services are reachable by the port selected -- if it does not, try selecting the other port (port 53 or 8888) (remember to click apply after making a port change).

After clicking on the [Update Now] button (above) and assuming you have logging enabled - check the Event Log (under Log&Report) to see if you have something similar to...

"Fortigate update now virdb(22.00445) idsdb(4.00522) aven(5.00147) idsen(2.00174) from xx.xx.xx.xx:443"

From the CLI, type:

exec ping service.fortiguard.net

If you get an "Unable to resolve hostname" error then it likely means a DNS or routing related issue.

Edit: As a test, try changing the DNS (under System->Network->DNS) to 8.8.8.8. And see if service.fortiguard.net is resolvable.

After the ping test, type the following on the CLI:

get webfilter status

You should get a list of IP addresses.

Also just to confirm you do have firewall policies using UTM features (anti-virus/Fortigate web filtering, IPS, App Sensor, etc.)? From what others have reported 3-4 months back (on the forums), the Fortigate may not update if there are no UTM features used on it.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

emnoc
Esteemed Contributor III

Do everything that Dave suggested. I never heard of a FGT not updating regardless of UTM features being active or not in any profile. As a side note, you can update manually via cli exec update-now and iirc you can do av/ips/web specifics also.

PCNSE 

NSE 

StrongSwan  

Dave_Hall
Honored Contributor

I never heard of a FGT not updating regardless of UTM features be active or not in any profile.
Thread was actually older than I thought; though thinking back on it now, I am thinking the problem in that thread is caused by something else. Something to add (from that linked thread) is to ensure the date/timezone/time is correct on the 110C.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

AEF
New Contributor

Hello, @ALL: I have a static route; the image below explains that when I change the distance of interface wan1 to 5 the exec ping command works and all FortiGuard services are enabled, but I create another problem with the VPNs (all VPN networks are down and work with wan2). Do you have a solution for this? Thank you in advance.
ede_pfau
SuperUser

I thought it was a routing problem, not one of licensing or whatnot.

Why do you have 2 default routes? By design (of IP routing) there is only one active default route per system. If you have VPNs defined as subinterfaces of 'wan2' then each one should have a static route pointing the remote subnet to the interface name. Do you see that your regular internet browsing traffic is using 'wan2' instead of 'wan1'? That is what I would expect.

If I had to guess the FGT will use the first interface facing the internet for FG updates. Which parameter is deciding this is beyond my experience though - a FTNT SE reading this might give us a clue.

What you could do now is to route the update traffic to 'wan2' to make updates available. You need a new static route for this. A static route specifies a destination subnet and the interface which is to be used to reach this subnet. So, I would find out the IP address of 'service.fortiguard.net' which is 208.91.112.196 and .198, extract the subnet '208.91.112.0/24' and create a static route to it using 'wan2'.

For routes with the same distance, a higher priority will make the route less attractive! Translate 'priority' with 'cost' to make sense of it. This is a FortiOS-only parameter. You can vary the distance of the FortiGuard route to make it work.

Please try this and report back. Your setup is somehow special but I'd really like to know the solution to this.

Ede


"Kernel panic: Aiee, killing interrupt handler!"
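The route selection ede_pfau describes above, as an added example that is not part of the original posts: a simplified Python model (lowest distance per prefix, longest prefix match, then lowest priority value) showing how a /24 static route sends FortiGuard traffic out wan2 while other traffic follows the default route. The distance and priority numbers are constructed; only the subnet, the server address and the interface names come from the thread.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class StaticRoute:
    dst: str        # destination subnet, CIDR notation
    device: str     # outgoing interface
    distance: int   # administrative distance, lower wins
    priority: int   # tie-breaker among equal distances, lower wins ("cost")

def active_routes(routes):
    """Per destination prefix, keep only the routes with the lowest distance."""
    best = {}
    for r in routes:
        net = ipaddress.ip_network(r.dst)
        cur = best.get(net)
        if cur is None or r.distance < cur[0].distance:
            best[net] = [r]
        elif r.distance == cur[0].distance:
            cur.append(r)
    return best

def egress(routes, dest_ip):
    """Longest-prefix match over active routes, then lowest priority value."""
    ip = ipaddress.ip_address(dest_ip)
    matches = [(n, rs) for n, rs in active_routes(routes).items() if ip in n]
    if not matches:
        return None
    _, candidates = max(matches, key=lambda m: m[0].prefixlen)
    return min(candidates, key=lambda r: r.priority).device

# Constructed sample: two default routes with equal distance, wan2 less attractive.
DEFAULTS = [
    StaticRoute("0.0.0.0/0", "wan1", distance=10, priority=0),
    StaticRoute("0.0.0.0/0", "wan2", distance=10, priority=5),
]
# The extra static route suggested in the post (distance value is an assumption).
FORTIGUARD = StaticRoute("208.91.112.0/24", "wan2", distance=10, priority=0)

if __name__ == "__main__":
    for name, table in (("defaults only", DEFAULTS),
                        ("with FortiGuard route", DEFAULTS + [FORTIGUARD])):
        for ip in ("208.91.112.196", "8.8.8.8"):
            print(f"{name:22} {ip:15} -> {egress(table, ip)}")
```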
AEF
New Contributor

Hello, thank you for your help. The connection and the anti-spam work. I added a static route to the FortiGuard server with IP range 208.91.112.0/20 and a low distance, and I changed the DNS IP address. Thank you.