Created on
‎03-17-2010
07:34 AM
Edited on
‎05-09-2025
12:11 AM
By
Jean-Philippe_P
Description
This article describes how to troubleshoot update problems for Antivirus (AV), Intrusion Prevention (IPS), Web Filtering and Spam Filtering, as reported under System -> FortiGuard.
Scope
FortiGate.
Solution
- Make sure that a valid current contract has been registered against the FortiGate. After purchase, the registration code/contract number can be registered at https://support.fortinet.com.
- Create a firewall policy with a UTM profile that has FortiGuard web filtering activated.
- Once activated, the FortiGuard network propagates the contract information to all of its servers; this may take 24 to 48 hours to finish. If the contract was activated within the past day, wait 24 hours before going further.
- Now the servers should have the correct contract information, but the FortiGate is just not getting it. The first test to run is:
execute ping <internet pingable IP>
Where <internet pingable IP> can be any known IP that should respond to ping.
If the ping fails, the FortiGate is not able to go out to the internet. Other than the case where the FortiGate is not even connected to the Internet, the most common problem here is that the FortiGate is sending all its locally generated traffic (think update requests and pings) into a VPN tunnel. The following commands will help troubleshoot:
diagnose debug enable
diagnose debug flow show console en
diagnose debug flow show function en
diagnose debug flow filter addr <internet pingable IP>
diagnose debug flow filter protocol 1
diagnose debug flow trace start 20
execute ping <internet pingable IP>
The output shows the route the packet takes and any VPN tunnel it enters. If the traffic is indeed going through a VPN tunnel, edit the firewall policy for that tunnel and narrow its source and destination addresses to the actual source and destination subnets, so that traffic bound for the internet no longer matches it.
Once the test is complete, the debug outputs should be disabled by using the commands:
diagnose debug flow trace stop
diagnose debug reset
diagnose debug disable
- A successful ping proves that the FortiGate can reach the internet by IP. The next step is to confirm that the FortiGate can resolve DNS names:
execute ping fortinet.com
Any DNS name can be used. What matters is not whether replies are received (some sites simply block pings) but whether the FortiGate can resolve the name. If it cannot, double-check the DNS settings under System -> Network -> DNS.
Web Filter/Spam Filter only: Web Filter and Spam Filter use one of three available ports: 53, 443 or 8888. If the FortiGate cannot reach the FortiGuard servers on the configured port, it is worth trying another one. Note that port selection is only possible when fortiguard-anycast is disabled:
config system fortiguard
set fortiguard-anycast disable
end
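As an added example that is not part of the original article, the following CLI session switches the rating port and then lists the FortiGuard rating servers the unit knows about, so the effect of the change can be checked straight away. Port 8888 is used here only for illustration; 53 or 443 can be set the same way.

```fortios
# Added example, not from the original article.
# Switch the Web Filter / Spam Filter rating port. Port selection is only
# available when anycast is disabled, so both settings are changed together.
config system fortiguard
    set fortiguard-anycast disable
    set port 8888
end

# Verify the FortiGuard rating servers the unit is using. The list shows each
# server's IP, weight, round-trip time and reachability flags; a server that
# does not answer on the chosen port will not show a valid round-trip time.
diagnose debug rating
```

Re-run `diagnose debug rating` after a minute or two: the server list is refreshed in the background, so a port that the ISP blocks shows up as servers that never become reachable, while a working port produces round-trip times for at least some servers.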
The source port range defines the local ports the FortiGate uses when it initiates connections, including those to the FortiGuard servers. Some ISPs block some of the lower ports that the FortiGate uses, which blocks the update requests with them. The range can be changed with the commands:
config system global
set ip-src-port-range 1050-25000
end
When completed, restart the URL filter process (urlfilter daemon) so that it picks up the new settings:
diagnose test app url 99
If the issue is still not resolved, enable debug output for the update daemon and trigger an update manually:
diagnose debug enable
diagnose debug application update 255
execute update-now
Run the sniffer command to see the traffic on the packet level:
For Antivirus/IPS:
diagnose sniffer packet any 'port 443'
For Web filter/Spam filter:
diagnose sniffer packet any 'port 53 or port 8888'
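As an added example that is not part of the original article, the following two CLI sessions combine the debug and sniffer steps above: one session captures FortiGuard traffic on every interface with interface names shown, the other triggers the update, and the debug is switched off afterwards so it does not keep writing to the console. The packet count and verbosity are illustrative values.

```fortios
# Added example, not from the original article.
# Session 1: start the capture before triggering the update.
# Arguments: interface ('any'), filter, verbosity 4 (prints the interface
# name with each packet) and a count of 50 so the capture stops by itself.
diagnose sniffer packet any 'port 443 or port 53 or port 8888' 4 50

# Session 2: enable update daemon debug, force an update, then turn the
# debug off and reset all debug levels.
diagnose debug application update 255
diagnose debug enable
execute update-now
diagnose debug disable
diagnose debug reset

# Confirm what actually arrived: package versions and the last update
# time and result.
diagnose autoupdate versions
diagnose autoupdate status
```

If the sniffer shows the request leaving on the expected interface but no reply coming back, the problem is upstream (ISP filtering, a firewall in the path, or a wrong route); if no request leaves at all, look again at the routing and VPN policy checks earlier in this article.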
The article Technical Tip: Verifying and troubleshooting FortiGuard updates status and versions dives deeper into these commands.
If the problem has still not been resolved, open a ticket with Fortinet support to assist with troubleshooting. Include the outputs of the debug commands that have already been performed.
Related documents:
Technical Tip: Verifying and troubleshooting FortiGuard updates status and versions
Troubleshooting Tool: Using the FortiOS built-in packet sniffer
Technical Tip: The license still shows as expired after renewal