Configuring FortiGuard Updates and AntiSPAM Queries

Verifying connectivity with FortiGuard services

If you subscribe to FortiGuard Antivirus and/or FortiGuard Antispam services, your FortiMail unit needs to connect to the FortiGuard Distribution Network (FDN) in order to verify its license and use the services.

Your FortiMail unit may be able to connect using the default settings; however, you should confirm this by verifying connectivity.

You must first register the FortiMail unit with the Fortinet Technical Support web site, https://support.fortinet.com/, to receive service from the FDN. The FortiMail unit must also have a valid Fortinet Technical Support contract which includes service subscriptions, and be able to connect to the FDN or the FDS that you will configure to override the default FDS addresses. For port numbers required for license validation and update connections, see the appendix in the FortiMail Administration Guide.

Before performing the following procedure, if your FortiMail unit connects to the Internet using a proxy, use the CLI command config system fortiguard antivirus to enable the FortiMail unit to connect to the FDN through the proxy. For more information, see the FortiMail CLI Reference.

If the FortiMail unit connects to the Internet/FDN servers through a proxy, FortiMail can only get updates for the antivirus engine, antivirus signatures, and heuristic antispam rules from the FDN server. FortiMail cannot connect to the FDN server to perform realtime FortiGuard antispam queries through the proxy. In this case, you can only use a FortiManager unit locally as the override server.

To verify scheduled update connectivity

  1. Go to Maintenance > FortiGuard > Update.
  2. If you want your FortiMail unit to connect to a specific FDS other than the default for its time zone, enable Use override server address, enter the fully qualified domain name (FQDN) or IP address of the FDS.
  3. Click Apply.
  4. Click Refresh.

A dialog appears, notifying you that the process could take a few minutes.

  5. Click OK.

The FortiMail unit tests the connection to the FDN and, if one is configured, the override server. The time required varies with the speed of the FortiMail unit’s network connection and the number of timeouts that occur before the connection attempt succeeds or the FortiMail unit determines that it cannot connect. When the connection test completes, the page refreshes and the test result appears next to FortiGuard Distribution Network:

  • Available: The FortiMail unit successfully connected to the FDN or override server.
  • Unavailable: The FortiMail unit could not connect to the FDN or override server, and cannot download updates from it. For CLI commands that may assist you in troubleshooting, see “To verify antispam rating query connectivity” on page 238.
  6. When successful connectivity has been verified, continue by configuring the FortiMail unit to receive engine and definition updates from the FDN or override server using one or more of the following methods:
    • scheduled updates (see “Configuring scheduled updates” on page 240)
    • push updates (see “Configuring push updates” on page 241)
    • manually initiated updates (see “Manually requesting updates” on page 243)

To verify antispam rating query connectivity

  1. Go to Maintenance > FortiGuard > AntiSpam.

Figure 96: Verifying the FortiGuard Antispam license and rating query connectivity

  2. Verify that the Enable service check box is marked. If it is not, select it, then click
  3. If you want to use an override server, such as a local FortiManager unit, instead of the default FDN server, specify it by enabling the option and entering the server address.
  4. For Query type under FortiGuard Query, select one of:
    • IP and enter a valid IP
    • URI and enter a valid URI
    • Hash and use the hash value of a spam email that you can find in the log messages
  5. Click Query.

If the query is successful, the Query result field displays whether the IP/URI is spam or unknown (not spam).

If the query is unsuccessful, the Query result field will display No response. In this case, you can use the following tips to troubleshoot the issue.

If the FortiMail unit can reach the DNS server, but cannot successfully resolve the domain name of the FDS, a message appears notifying you that a DNS error occurred.

Figure 97: DNS error when resolving the FortiGuard Antispam domain name

  6. Verify that the DNS servers contain A records to resolve fortiguard.net and other FDN servers. To try to obtain additional insight into the cause of the query failure, manually perform a DNS query from the FortiMail unit using the following CLI command:

execute nslookup name service.fortiguard.net

If the FortiMail unit cannot successfully connect, or if your FortiGuard Antispam license does not exist or has expired, a message appears notifying you that a connection error occurred.

Figure 98: Connection error when verifying FortiGuard Antispam connectivity

  7. Verify that:
    • there is no proxy between the FortiMail unit and the FDN server
    • your FortiGuard Antispam license is valid and currently active
    • the default route (located in System > Network > Routing) is correctly configured
    • the FortiMail unit can connect to the DNS servers (located in System > Network > DNS) and to the FDN servers
    • firewalls between the FortiMail unit and the Internet or override server allow FortiGuard Antispam rating query traffic

The default port number for FortiGuard antispam query is UDP port 53 in v4.0. Prior to v4.0, the port number was 8889.

  8. To try to obtain additional insight into the point of the connection failure, trace the connection using the following CLI command:

execute traceroute <address_ipv4>

where <address_ipv4> is the IP address of the DNS server or FDN server.

When query connectivity is successful, antispam profiles can use the FortiGuard option.

You can use the antispam log to monitor for subsequent query connectivity interruptions.

When email sent through the FortiMail unit matches a policy and profile where the FortiGuard option is enabled, and the FortiMail unit cannot connect to the FDN and/or its license is not valid, then, if Information-level logging is enabled, the FortiMail unit records a log message in the antispam log (located in Monitor > Log > AntiSpam) whose Log Id field is 0300023472 and whose Message field is:

FortiGuard-Antispam: No Answer from server.

Figure 99: Antispam log when FortiGuard Antispam query fails

  9. Verify that the FortiGuard Antispam license is still valid, and that network connectivity has not been disrupted for UDP port 53 traffic from the FortiMail unit to the Internet.
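The guide says to watch the antispam log for the Log Id 0300023472 / "No Answer from server" message after connectivity has been verified. As an added example (not from the FortiMail guide or Fortinet), the following Python monitor parses constructed antispam log lines and raises an alert only when several such failures cluster in a short window, so that a single transient timeout is not treated as a lost FDN connection or an expired license. The key=value line layout, the other log IDs, and the timestamps are assumptions made up for the example.

```python
"""Flag bursts of FortiGuard Antispam query failures in FortiMail antispam logs."""
import re
from datetime import datetime, timedelta

# Log Id and Message the FortiMail guide gives for a failed FortiGuard query.
FDN_NO_ANSWER_LOG_ID = "0300023472"
FDN_NO_ANSWER_MSG = "FortiGuard-Antispam: No Answer from server."

# Constructed sample lines (assumed key=value layout; log_id 0300000000 is a
# made-up placeholder for an unrelated antispam event, not a real FortiMail id).
SAMPLE_LOG = """\
date=2024-05-01 time=10:00:01 log_id=0300023472 pri=information msg="FortiGuard-Antispam: No Answer from server."
date=2024-05-01 time=10:00:05 log_id=0300023472 pri=information msg="FortiGuard-Antispam: No Answer from server."
date=2024-05-01 time=10:00:09 log_id=0300000000 pri=information msg="placeholder: message accepted"
date=2024-05-01 time=10:00:12 log_id=0300023472 pri=information msg="FortiGuard-Antispam: No Answer from server."
date=2024-05-01 time=10:30:00 log_id=0300023472 pri=information msg="FortiGuard-Antispam: No Answer from server."
"""

# key=value tokenizer; quoted values may contain spaces.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Return the key/value fields of one key=value style log line as a dict."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in _KV.finditer(line)}


def is_fdn_no_answer(fields):
    """True if the record is the 'No Answer from server' event from the guide."""
    return (fields.get("log_id") == FDN_NO_ANSWER_LOG_ID
            or fields.get("msg") == FDN_NO_ANSWER_MSG)


def find_outages(lines, threshold=3, window=timedelta(minutes=5)):
    """Return (first_ts, last_ts, count) for each run of >= threshold failures
    whose timestamps all fall within `window` of the run's first failure."""
    stamps = []
    for line in lines:
        fields = parse_line(line)
        if is_fdn_no_answer(fields):
            stamps.append(datetime.fromisoformat(f"{fields['date']} {fields['time']}"))
    stamps.sort()
    outages, i = [], 0
    while i < len(stamps):
        j = i
        while j + 1 < len(stamps) and stamps[j + 1] - stamps[i] <= window:
            j += 1
        if j - i + 1 >= threshold:
            outages.append((stamps[i], stamps[j], j - i + 1))
        i = j + 1
    return outages


if __name__ == "__main__":
    for first, last, count in find_outages(SAMPLE_LOG.splitlines()):
        print(f"ALERT: {count} FortiGuard query failures between {first} and {last}; "
              "check the Antispam license and UDP/53 reachability to the FDN")
```

On the sample, the three failures between 10:00:01 and 10:00:12 produce one alert and the isolated 10:30:00 failure is ignored.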


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
