FortiGate
Article Id 197951
Description: Troubleshooting steps to follow when HTTP traffic performance is poor with FortiGuard Web Filtering enabled.
Components
  • FortiGuard Web Filtering or Antispam
  • FortiOS v3.0
  • FortiOS v4.0 and above
Introduction: FortiGuard Web Filtering is enabled and HTTP traffic is very slow. FortiGate Antispam performance can also be affected.
Troubleshooting

Enter this command from the CLI:

diagnose debug rating

If this returns only a small number of servers (usually two), it is likely that your ISP or an upstream security device is blocking UDP packets with low ephemeral destination ports (typically 1024-1035) to prevent a potential exploit against Microsoft Windows systems.

Some of these ports are required to receive FDN server list updates.

Solution #1

Have your ISP and/or upstream security device unblock UDP ports 1025 to 1035. Also ensure they are not blocking other TCP or UDP ports used by FortiGuard Web Filtering or Antispam.
 
For a complete listing of ports, see the related article "Traffic Types and TCP/UDP Ports".

Solution #2

If your ISP blocks the lower range of UDP ports (around 1024), you can configure the FortiGate unit to use higher-numbered source ports with the following CLI command:

config system global
set ip-src-port-range <start port>-<end port>
end

where <start port> and <end port> are numbers in the following range:

  • 1024 to 4999 for FortiOS prior to 3.0 MR6
  • 1024 to 25000 for FortiOS 3.0 MR6 and above, and FortiOS 4.0 and above

For example, the following configurations prevent the FortiGate unit from using ports lower than 2048; the upper bound depends on the FortiOS version:

  • for FortiOS prior to 3.0 MR6:

config system global
set ip-src-port-range 2048-3999
end

  • for FortiOS 3.0 MR6 and above, and FortiOS 4.0 and above:

config system global
set ip-src-port-range 2048-20000
end
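The following is an added example, not part of the original article or Fortinet's own tooling: a small Python helper that checks a proposed ip-src-port-range against the version-specific bounds given above and warns when the range still overlaps the commonly blocked 1024-1035 window, then renders the CLI stanza. The version labels and function names are this example's own.

```python
"""Check a proposed FortiGate ip-src-port-range and emit the CLI stanza.

Bounds and the blocked window come from the article; the version labels
and function names are assumptions made for this example.
"""
from typing import List

# UDP port window commonly filtered by ISPs / upstream devices (from the article).
BLOCKED_RANGE = (1024, 1035)

# Allowed upper bound of ip-src-port-range per FortiOS version family (from the article).
MAX_END_PORT = {
    "pre-3.0-MR6": 4999,
    "3.0-MR6-and-later": 25000,
    "4.0-and-later": 25000,
}
MIN_START_PORT = 1024


def check_src_port_range(start: int, end: int, version: str) -> List[str]:
    """Return a list of problems with the proposed range; an empty list means acceptable."""
    if version not in MAX_END_PORT:
        return [f"unknown FortiOS version family {version!r}"]
    problems = []
    if start > end:
        problems.append("start port must not exceed end port")
    if start < MIN_START_PORT:
        problems.append(f"start port {start} is below the minimum {MIN_START_PORT}")
    limit = MAX_END_PORT[version]
    if end > limit:
        problems.append(f"end port {end} exceeds the {version} maximum {limit}")
    # A range that still overlaps the blocked window leaves the FDN replies exposed.
    if start <= BLOCKED_RANGE[1] and end >= BLOCKED_RANGE[0]:
        problems.append(
            f"range {start}-{end} overlaps the commonly blocked range "
            f"{BLOCKED_RANGE[0]}-{BLOCKED_RANGE[1]}; FDN replies may still be dropped"
        )
    return problems


def src_port_range_config(start: int, end: int, version: str) -> str:
    """Render the 'config system global' stanza, or raise ValueError if the range is invalid."""
    problems = check_src_port_range(start, end, version)
    if problems:
        raise ValueError("; ".join(problems))
    return f"config system global\nset ip-src-port-range {start}-{end}\nend"


if __name__ == "__main__":
    for s, e, ver in [(2048, 3999, "pre-3.0-MR6"), (2048, 20000, "4.0-and-later"),
                      (1024, 20000, "4.0-and-later"), (2048, 20000, "pre-3.0-MR6")]:
        issues = check_src_port_range(s, e, ver)
        print(f"{ver}: {s}-{e} -> {'OK' if not issues else issues}")
```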

Why does this happen?

FortiGate units contact the FDN to get the latest list of FDN servers by sending UDP packets with typical source ports of 1027 or 1031, and destination ports of 53 or 8888. The FDN reply packets have a destination port of 1027 or 1031.

If your ISP blocks UDP packets in this port range, the FortiGate unit cannot receive the FDN reply packets. As a result, the FortiGate unit will not receive the complete FDN server list.

Using the second solution described in this article, you can select a different source port range for the FortiGate unit to use. Trial and error may be required to select the best source port range. You can also contact your ISP to determine the best range to use.
 
See also the related article "Troubleshooting FortiGuard".

Related Articles

Troubleshooting FortiGuard

Technical Note: Traffic Types and TCP/UDP Ports used by Fortinet Products
