Troubleshoot FortiGuard connection issues
The FortiMail unit cannot connect to the FDN servers to use FortiGuard Antivirus and/or FortiGuard Antispam services.
FortiGuard Antivirus and FortiGuard Antispam subscription services use multiple types of connections with the FortiGuard Distribution Network (FDN). For details on verifying FDN connection, see “Verifying connectivity with FortiGuard services” on page 237.
For all FortiGuard connection types, you must satisfy the following requirements:
- Register your FortiMail unit with the Fortinet Technical Support web site, https://support.fortinet.com/.
- Obtain a trial or purchased service contract for FortiGuard Antispam and/or FortiGuard Antivirus, and apply it to your FortiMail unit. If you have multiple FortiMail units, including those operating in high availability (HA), you must obtain separate contracts for each FortiMail unit. You can view service contracts applied to each of your registered FortiMail units by visiting the Fortinet Technical Support web site, https://support.fortinet.com/.
- Configure your FortiMail unit to connect with a DNS server that can resolve the domain names of FortiGuard servers. For more information, see “Configuring DNS” on page 259.
- Configure your FortiMail unit with at least one route so that the FortiMail unit can connect to the Internet. For more information, see “Configuring static routes” on page 258.
You can verify that you have satisfied DNS and routing requirements by using the following CLI commands.
To check DNS resolution of the FortiGuard antispam service, use:
execute nslookup name service.fortiguard.net
To check DNS resolution of the FortiGuard antivirus service, use:
execute nslookup name fds1.fortinet.com
To check network connectivity, use:
execute traceroute <address_ipv4>
where <address_ipv4> is one of the FortiGuard servers.
If you have satisfied these requirements, verify that you have also satisfied the requirements specific to the type of connection that is failing, listed in Table 66.
Table 66: FortiGuard connectivity requirements

- Configure the system time of the FortiMail unit, including its time zone. For more information, see “Configuring the time and date” on page 265.
- Intermediary firewall devices must allow the FortiMail unit to use HTTPS on TCP port 443 to connect to the FDN.
- If your FortiMail unit connects to the Internet through a proxy, use the CLI command set system autoupdate tunneling to enable the
- You might need to override the FortiGuard server to which the FortiMail unit is connecting, and connect to one other than the default server for your time zone. For more information, see “Verifying connectivity with FortiGuard services” on page 237.

- Satisfy all requirements for scheduled updates (above).
- If there is a NAT device installed between the FortiMail unit and the FDN, you must configure it to forward push traffic (UDP port 9443) to the FortiMail unit. You must also configure “Use override push IP”. For more information, see “Configuring push updates” on page 241.

- Intermediary firewall devices must allow the FortiMail unit to use UDP port 53 to connect to the FDN.
If you suspect that a device on your network is interfering with connectivity, you can analyze traffic and verify that the FortiMail unit is sending and receiving traffic on the required port numbers. Use the CLI command diagnose sniffer to perform packet capture. If traffic is being corrupted or interrupted, you may need to perform packet capture at additional points on your network to locate the source of the interruption.
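To make the port check described above repeatable, the following added example (not part of the original guide or of any Fortinet tooling) counts, for each port named in Table 66, the packets the unit sent and received in a saved capture. The capture line layout, the function names and the sample capture are assumptions constructed for illustration, using documentation-range IP addresses.

```python
import re

# Ports come from the requirements listed on this page.
REQUIRED_PORTS = {("tcp", 443), ("udp", 53), ("udp", 9443)}

# Assumed line layout (not taken from the page):
#   <seconds> <src_ip>.<src_port> -> <dst_ip>.<dst_port>: <summary>
LINE = re.compile(
    r"^\s*[\d.]+\s+(\d+(?:\.\d+){3})\.(\d+)\s+->\s+"
    r"(\d+(?:\.\d+){3})\.(\d+):\s+(\S+)"
)

def summarize(capture_text, unit_ip):
    """Count packets the unit sent and received on each required port."""
    counts = {key: {"sent": 0, "received": 0} for key in REQUIRED_PORTS}
    for line in capture_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # headers, blank lines, anything that is not a packet line
        src, sport, dst, dport, summary = m.groups()
        proto = "udp" if summary == "udp" else "tcp"  # assumption: UDP lines say "udp"
        # The required port may be on either end (443/53 remote, 9443 local).
        for port in {int(sport), int(dport)}:
            key = (proto, port)
            if key not in counts:
                continue
            if src == unit_ip:
                counts[key]["sent"] += 1
            elif dst == unit_ip:
                counts[key]["received"] += 1
    return counts

def verdict(c):
    """Name the direction(s) in which traffic was seen on one port."""
    if c["sent"] and c["received"]:
        return "both directions"
    return "sent only" if c["sent"] else "received only" if c["received"] else "no traffic"

# Constructed sample capture; 192.0.2.10 stands in for the FortiMail unit.
SAMPLE = """\
0.100 192.0.2.10.40001 -> 198.51.100.20.443: syn 1000
0.150 198.51.100.20.443 -> 192.0.2.10.40001: syn 2000 ack 1001
1.200 192.0.2.10.40002 -> 198.51.100.30.53: udp 48
2.200 192.0.2.10.40002 -> 198.51.100.30.53: udp 48
5.000 192.0.2.10.40003 -> 192.0.2.1.25: syn 3000
"""

if __name__ == "__main__":
    for (proto, port), c in sorted(summarize(SAMPLE, "192.0.2.10").items()):
        print(f"{proto}/{port}: {verdict(c)} {c}")
```

A "sent only" result on a port is the cue to repeat the capture at another point on the network, as the paragraph above describes.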