Configuring FortiGuard Updates and AntiSPAM Queries


The Maintenance > FortiGuard > Update tab displays the most recent updates to FortiGuard Antivirus engines, antivirus definitions, and FortiGuard antispam definitions (antispam heuristic rules). You can also configure how the FortiMail unit will retrieve updates.

FortiGuard AntiSpam packages for FortiMail units are not the same as those provided to FortiGate units. To support FortiMail’s more full-featured antispam scans, FortiGuard AntiSpam packages for FortiMail contain platform-specific additional updates.

For example, FortiGuard AntiSpam packages for FortiMail contain heuristic antispam rules used by the heuristic scan. Updates add to, remove from, and re-order the list of heuristic rules so that the methods spammers currently use most are ranked highest in the list. As a result, even if you configure a lower percentage of heuristic rules to be used by that scan, with regular updates the heuristic scan automatically adjusts to use whichever heuristic rules are currently most effective. This helps to achieve an effective spam catch rate while both reducing administrative overhead and improving performance by using the least necessary amount of FortiMail system resources.

FortiMail units receive updates from the FortiGuard Distribution Network (FDN), a world-wide network of FortiGuard Distribution Servers (FDS). FortiMail units connect to the FDN by connecting to the FDS nearest to the FortiMail unit by its configured time zone.

In addition to manual update requests, FortiMail units support two kinds of automatic update mechanisms:

  • scheduled updates, by which the FortiMail unit periodically polls the FDN to determine if there are any available updates
  • push updates, by which the FDN notifies FortiMail units when updates become available

For information on configuring scheduled updates, see “Configuring scheduled updates” on page 240. For information on configuring push updates, see “Configuring push updates” on page 241.

You may want to configure both scheduled and push updates. In this way, if the network experiences temporary problems such as connectivity issues that interfere with either method, the other method may still provide your FortiMail unit with updated protection. You can alternatively manually update the FortiMail unit by uploading an update file. For more information on uploading updates, see “License Information widget” on page 176.

For FortiGuard Antispam and FortiGuard Antivirus update connectivity requirements and troubleshooting information, see “Troubleshoot FortiGuard connection issues” on page 707.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To view or change the currently installed FortiGuard status

  1. Go to Maintenance > FortiGuard > Update.

Figure 95: Update tab

  2. Configure the following:

GUI item Description
FortiGuard Service Status

Name: The name of the updatable item, such as Anti Virus Definition.

Version: The version number of the item currently installed on the FortiMail unit.

Expiry Date: The expiry date of the license for the item.

Last Update Attempt: The date and time when the FortiMail unit last attempted to download an update.

Last Update Status: The result of the last update attempt.

  • No updates: Indicates the last update attempt was successful but no new updates are available.
  • Installed updates: Indicates the last update attempt was successful and new updates were installed.
  • Other messages, such as Network Error, indicate that the FortiMail unit could not connect to the FDN, or other error conditions. For more information, see “Troubleshoot FortiGuard connection issues” on page 707.

Included signatures: Displays the total number of the virus and spam signatures.
FortiGuard distribution network: The result of the previous scheduled update (TCP 443) connection attempt to the FortiGuard Distribution Network (FDN) or, if enabled and configured, the override server.

  • Available: Indicates that the FortiMail unit successfully connected to the FDN.
  • Unavailable: Indicates that the FortiMail unit could not connect to the FDN. For more information, see “Verifying connectivity with FortiGuard services” on page 237.
  • Unknown: Indicates that the FortiMail unit has not yet attempted to connect to the FDN.

To test the connection, click Refresh.

Push update: The result of the previous push update (UDP 9443) connection attempt from the FDN.

  • Available: Indicates that the FDN successfully connected to the FortiMail unit to send push updates. For more information, see “Configuring push updates” on page 241.
  • Unavailable: Indicates that the FDN could not connect to the FortiMail unit. For more information, see “Troubleshoot FortiGuard connection issues” on page 707.
  • Unknown: Indicates that the FortiMail unit has not yet attempted to connect to the FDN.

To test the connection, click Refresh.

Refresh (button): Click to test the scheduled (TCP 443) and push (UDP 9443) update connection of the FortiMail unit to the FDN or, if enabled, the IP address configured in Use override server address.

When the test completes, the tab refreshes and the results appear beside FortiGuard distribution network. Time required varies by the speed of the FortiMail unit’s network connection and the number of timeouts that occur before the connection attempt is successful or the FortiMail unit determines that it cannot connect.

Note: This does not test the connection for FortiGuard Antispam rating queries, which occur over a different connection and must be tested separately. For details, see “Configuring FortiGuard updates and antispam queries” on page 233.

Use override server address: Enable to override the default FortiGuard Distribution Server (FDS) to which the FortiMail unit connects for updates, then enter the IP address of the override public or private FDS.

For more information, see “Verifying connectivity with FortiGuard services” on page 237.

Allow push update: Enable to allow the FortiMail unit to accept push notifications (UDP 9443). If the FortiMail unit is behind a NAT device, you may also need to enable and configure Use override push IP. For details, see “Configuring push updates” on page 241.

Push notifications only notify the FortiMail unit that an update is available. They do not transmit the update itself. After receiving a push notification, the FortiMail unit initiates a separate TCP 443 connection to the FDN, similar to a scheduled update, in order to download the update.

Use override push IP: Enable to override the IP address and default port number to which the FDN sends push notifications.

  • When enabled, the FortiMail unit notifies the FDN to send push updates to the IP address and port number that you enter (for example, a virtual IP/port forward on a NAT device that will forward push notifications to the FortiMail unit).
  • When disabled, the FortiMail unit notifies the FDN to send push updates to the FortiMail unit’s IP address, using the default port number (UDP 9443). This is useful only if the FortiMail unit has a public network IP address.

For more information, see “Configuring push updates” on page 241.

This option is available only if Allow push update is enabled.

Scheduled update: Enable to perform updates according to a schedule, then select one of the following as the frequency of update requests. When the FortiMail unit requests an update at the scheduled time, results appear in Last Update Status.

  • Every: Select to request an update once every 1 to 23 hours, then select the number of hours between each update request.
  • Daily: Select to request an update once a day, then select the hour of the day to check for updates.
  • Weekly: Select to request an update once a week, then select the day of the week, the hour, and the minute of the day to check for updates.

If you select 00 minutes, the update request occurs at a randomly determined time within the selected hour.

Apply (button): Click to save configuration changes on this tab and, if you have enabled Allow push update, notify the FDN of the destination IP address and port number for push notifications to this FortiMail unit.

Update Now (button): Click to manually initiate a FortiGuard Antivirus and FortiGuard Antispam engine and definition update request. Results will appear in Last Update Status. Time required varies by the availability of updates, size of the updates, and speed of the FortiMail unit’s network connection.
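The push-behind-NAT and scheduled-update rules above are easy to get wrong before the Refresh test ever runs. The following pre-flight check is an added example, not FortiMail or Fortinet code: it models the settings on this tab as a plain dictionary (the key names unit_ip, allow_push, override_push_ip, override_push_port, override_server_ip, scheduled_update, frequency and hours are hypothetical), flags a push target that is not publicly routable, flags a disabled scheduled fallback, and lists the firewall flows (outbound TCP 443, inbound UDP 9443) the configuration implies.

```python
"""Pre-flight check for FortiMail FortiGuard update settings (constructed example).
Rules from the page: updates are outbound TCP 443 from the unit to the FDN or
override server; push notifications are inbound UDP 9443 from the FDN; behind NAT,
'Use override push IP' must point at a forwarded public address for push to work."""
import ipaddress

SCHEDULED_FLOW = ("tcp", 443)  # FortiMail -> FDN (scheduled and push-triggered download)
PUSH_FLOW = ("udp", 9443)      # FDN -> FortiMail (notification only, no payload)


def push_destination(cfg):
    """Return (ip, port) the FDN is told to send push notifications to, or None.
    cfg keys are hypothetical names for this example: unit_ip, allow_push,
    override_push_ip, override_push_port, override_server_ip, scheduled_update, frequency, hours."""
    if not cfg.get("allow_push"):
        return None
    if cfg.get("override_push_ip"):
        return (cfg["override_push_ip"], int(cfg.get("override_push_port", PUSH_FLOW[1])))
    return (cfg["unit_ip"], PUSH_FLOW[1])


def check_update_config(cfg):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    dest = push_destination(cfg)
    if dest is not None:
        ip = ipaddress.ip_address(dest[0])
        # Without an override, push only works if the unit's own address is public.
        if not ip.is_global:
            findings.append(f"push target {ip}:{dest[1]} is not publicly routable; "
                            "set 'Use override push IP' to the NAT device's forwarded address/port")
    if not cfg.get("scheduled_update"):
        # The page recommends both mechanisms so that one covers for the other.
        findings.append("scheduled update disabled; enable it as a fallback for push")
    elif cfg.get("frequency") == "every" and not 1 <= int(cfg.get("hours", 0)) <= 23:
        findings.append("'Every' interval must be 1 to 23 hours")
    return findings


def required_firewall_rules(cfg):
    """List (direction, src, dst, proto, port) flows a perimeter firewall must permit."""
    fds = cfg.get("override_server_ip", "nearest FDS")
    rules = [("out", cfg["unit_ip"], fds, *SCHEDULED_FLOW)]
    dest = push_destination(cfg)
    if dest is not None:
        rules.append(("in", "FDN", dest[0], PUSH_FLOW[0], dest[1]))
    return rules
```

The sample addresses in any call you make are constructed; a private unit address with push enabled and no override reproduces the NAT mistake the table warns about.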

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
