Category Archives: FortiGuard

FortiGuard

FortiGuard services can be purchased and registered to your FortiGate unit. The FortiGate must be connected to the Internet in order to automatically connect to the FortiGuard Distribution Network (FDN) to validate the license and download FDN updates.

The FortiGuard subscription update services include:

  • AntiVirus (AV)
  • Intrusion Protection Service (IPS)
  • Application Control
  • Anti-Spam
  • Web Filtering
  • Web Application Firewall (WAF)

The FDN sends notice that a FortiGuard AntiVirus and IPS update is available on UDP/9443.

Enabling FDN updates and FortiGuard Services

In order to receive FortiGuard subscription updates, the unit needs to have access to the Internet and be able to connect to a DNS server in order to resolve the following URLs:

  • update.fortiguard.net: for AV and IPS updates
  • service.fortiguard.net: for web filtering and anti-spam updates

  1. Go to System > FortiGuard. Under AntiVirus & IPS Updates, enable Scheduled Updates, and configure an update schedule.
  2. You can force the unit to connect to the AV/IPS server by selecting Update AV & IPS Definitions.
  3. You can view your subscription details in the License Information section above.
  4. Once the schedule has been enabled, select Apply.

To check whether the service is working, open the CLI console and enter the following commands.

For Web Filtering:

diagnose debug rating

For Anti-Spam:

diag spamfilter fortishield servers

If only one or two IPs are displayed in the command outputs, it could be one of the following issues:

  • No response from the DNS server: either the DNS server is unreachable or there is a routing problem. Confirm that the DNS server can be reached by resolving some hostnames from the CLI, for example:

exec ping www.google.com
exec ping service.fortiguard.net

  • Review update errors: review the information from the last update, enable debug output and force an update:

diag test update info

diag debug enable

diag debug application update 255
exec update-ase
exec update-av
exec update-ips

After troubleshooting, it is highly recommended to turn off debug mode:

diag debug disable
diag debug application update 0

  • FortiGuard Web Filtering: port blocking or packet inspection is occurring downstream. The default port used for the FortiGuard services is 53, so the traffic will fail any DNS packet inspection that may be taking place on the path.

You can either change the port to 8888 from the GUI, or change the source port for management traffic with the following CLI command:

config system global
set ip-src-port-range 1035-25000
end

diag test application urlfilter 99
diag test application smtp 99
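To show why FortiGuard rating traffic on UDP/53 fails a DNS packet inspection check, here is an added example (not from the Fortinet documentation or any FortiGuard client) that applies the header and question-section sanity checks an inspecting device might use. The query for service.fortiguard.net is built locally as a sample, and the opaque payload is a constructed stand-in for non-DNS traffic, not the real FortiGuard protocol format.

```python
import struct

def _skip_name(payload: bytes, offset: int) -> int:
    """Walk a DNS label sequence; return the offset after it, or -1 if malformed."""
    while offset < len(payload):
        length = payload[offset]
        if length == 0:                       # root label ends the name
            return offset + 1
        if length & 0xC0 == 0xC0:             # compression pointer (2 bytes) ends the name
            return offset + 2 if offset + 2 <= len(payload) else -1
        if length > 63:                       # labels are at most 63 octets
            return -1
        offset += 1 + length
    return -1

def looks_like_dns_query(payload: bytes) -> bool:
    """Header and question-section checks a DNS-inspecting device might apply to UDP/53."""
    if len(payload) < 12:
        return False
    _ident, flags, qdcount, ancount, nscount, _arcount = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:                        # QR set: this is a response, not a query
        return False
    if (flags >> 11) & 0xF not in (0, 1, 2):  # opcode must be QUERY, IQUERY or STATUS
        return False
    if flags & 0x0040:                        # reserved Z bit must be zero
        return False
    if qdcount == 0 or ancount or nscount:    # a query carries questions and no answers
        return False
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(payload, offset)
        if offset < 0 or offset + 4 > len(payload):
            return False
        _qtype, qclass = struct.unpack("!HH", payload[offset:offset + 4])
        if qclass not in (1, 255):            # IN or ANY
            return False
        offset += 4
    return True

def build_query(name: str, qtype: int = 1) -> bytes:
    """Constructed sample: a plain RFC 1035 A query with only the RD flag set."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

# Constructed inputs: a genuine query for a FortiGuard host, and an opaque non-DNS blob
REAL_DNS = build_query("service.fortiguard.net")
NOT_DNS = bytes(range(0x80, 0xA0))  # stands in for non-DNS traffic; not the FortiGuard format
```

A datagram that fails these checks is exactly what a DNS-inspecting modem or firewall drops, which is why moving FortiGuard to port 8888 avoids the problem.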

CLI Syntax

The following section contains commands to control FortiGuard.

system.autoupdate/push-update

The following command will set the FDN push update port.

config system.autoupdate push-update
edit <name_str>
set port <integer>
end

system.autoupdate/tunneling

The following command will set the proxy server port that the FortiGate will use to connect to the FortiGuard Distribution Network (FDN).

config system.autoupdate tunneling
edit <name_str>
set port <integer>
end

system/fortiguard

The following command will set the port by which scheduled FortiGuard service updates will be received.

config system fortiguard
edit <name_str>
set port [53 | 8888 | 80]
end

webfilter/fortiguard

The following command will close ports used for HTTPS/HTTP override authentication and disable user overrides:

config webfilter fortiguard
edit <name>
set close-ports [enable | disable]
end

FortiGuard Open Ports

Incoming Ports

Product              Purpose                                                                                           Protocol/Port
FortiAuthenticator   AV/IPS Updates                                                                                    TCP/443
                     Virus Sample                                                                                      TCP/25
                     SMS, FTM, Licensing, Policy Override Authentication, URL/AS Updates                               TCP/443
                     Registration                                                                                      TCP/80
FortiClient          AV Update & Registration                                                                          TCP/80
                     URL/AS Rating, DNS, FDN, FortiGuard Queries                                                       UDP/53, UDP/8888
FortiCloud           Registration                                                                                      TCP/443
FortiGate            AV/IPS Update, Management, Firmware, SMS, FTM, Licensing, Policy Override                         TCP/443, TCP/8890
                     Cloud App DB                                                                                      TCP/9582 (flow.fortinet.net)
                     FortiGuard Queries, DNS                                                                           UDP/53, UDP/8888
                     Registration                                                                                      TCP/80
                     Alert Emails, Virus Sample                                                                        TCP/25
                     Central Management, Analysis                                                                      TCP/541
FortiMail            AS Rating                                                                                         UDP/53
                     AV/AS Update                                                                                      TCP/443
FortiManager         AV/IPS Updates, URL/AS Update, Firmware, SMS, FTM, Licensing, Policy Override Authentication      TCP/443
                     Registration                                                                                      TCP/80
FortiSandbox         FortiGuard Distribution Servers                                                                   TCP/8890
                     FortiGuard Web Filtering Servers                                                                  UDP/53, UDP/8888

(FortiSandbox uses a random source port picked by the kernel.)

Outgoing Ports

Product              Purpose                  Protocol/Port
FortiGate            Management               TCP/541
                     AV/IPS                   UDP/9443
FortiMail            AV Push                  UDP/9443
FortiManager         AV/IPS                   UDP/9443

Incoming Ports

Purpose                      Protocol/Port
Admin by Console or PC       TCP/443 or TCP/80 or TCP/22 or TCP/23

Outgoing Ports

Purpose                      Protocol/Port
FortiGuard Registration      TCP/443

Central Management

FortiGuard

FortiManager can also connect to the FortiGuard Distribution Network (FDN) to receive push updates for IPS signatures and antivirus definitions. These updates can then be used to update multiple FortiGate units throughout an organization. By using the FortiManager as the host for updates, bandwidth use is minimized as updates are downloaded to one source instead of many.

To receive IPS and antivirus updates from FortiManager, indicate an alternate IP address on the FortiGate unit.

To configure updates from FortiManager

1. Go to System > Config > FortiGuard.

2. Select AntiVirus and IPS Options to expand the options.

3. Enable both Allow Push Update and Use override push IP.

4. Enter the IP address of the FortiManager unit.

5. Select Apply.

Change of FortiGuard Filtering Port to mitigate Internet link flaps

I have a friend who has some FortiGates at his business. I have been helping him troubleshoot some random WAN1 port flapping issues. Well, after doing some research and looking through the documentation I found the below from Fortinet. Guess what internet provider he uses…..you’re right….COMCRAP….I mean, Comcast.

Some modems, Comcast for example, are known to drop the network connection or reboot if they receive non-DNS traffic on UDP port 53, which is the well-known DNS port but is also used to connect to the FortiGuard service.

An example of log messages that can be observed in logs on FortiGate is shown below:

date=2099-05-03 time=17:12:50 logid=0100020099 type=event subtype=system level=information vd="root" logdesc="Interface status changed" action=interface-stat-change status=UP msg="Link monitor: Interface wan1 was turned up"
date=2099-05-03 time=17:12:47 logid=0100020099 type=event subtype=system level=information vd="root" logdesc="Interface status changed" action=interface-stat-change status=DOWN msg="Link monitor: Interface wan1 was turned down"

Note that the Link Monitor feature does not need to be configured: this log message appears each time the physical link is lost.

This cause can be confirmed by connecting a switch between the FortiGate and the modem.

If the switch has logging functionality then the interface facing the FortiGate will be stable while the interface connected to a modem will be flapping.
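The same DOWN/UP pairs can be picked out of exported FortiGate event logs before anyone touches the cabling. Here is an added example, not from the original post or from Fortinet, that parses the key=value lines, pairs each interface's DOWN with the following UP and reports short outages; the sample lines are constructed in the same layout as the events quoted above (newest first, as the GUI shows them), and the logid value 0100020099 is taken from those events.

```python
import re
from datetime import datetime

# Constructed sample, in the same key=value layout as the FortiGate events quoted above
SAMPLE_LOG = """\
date=2099-05-03 time=17:12:50 logid=0100020099 type=event subtype=system level=information vd="root" logdesc="Interface status changed" action=interface-stat-change status=UP msg="Link monitor: Interface wan1 was turned up"
date=2099-05-03 time=17:12:47 logid=0100020099 type=event subtype=system level=information vd="root" logdesc="Interface status changed" action=interface-stat-change status=DOWN msg="Link monitor: Interface wan1 was turned down"
date=2099-05-03 time=17:10:05 logid=0100020099 type=event subtype=system level=information vd="root" logdesc="Interface status changed" action=interface-stat-change status=UP msg="Link monitor: Interface wan1 was turned up"
date=2099-05-03 time=17:10:02 logid=0100020099 type=event subtype=system level=information vd="root" logdesc="Interface status changed" action=interface-stat-change status=DOWN msg="Link monitor: Interface wan1 was turned down"
date=2099-05-03 time=16:00:00 logid=0100020099 type=event subtype=system level=information vd="root" logdesc="Interface status changed" action=interface-stat-change status=DOWN msg="Link monitor: Interface wan2 was turned down"
date=2099-05-03 time=16:00:01 logid=0100000000 type=event subtype=system level=information vd="root" logdesc="Placeholder" msg="unrelated constructed event"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value, values may be quoted with spaces
IFACE_RE = re.compile(r"Interface (\S+) was turned (up|down)")

def parse_event(line: str) -> dict:
    """Split one FortiGate key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def link_flaps(log_text: str, max_outage_s: int = 60) -> dict:
    """Map interface -> list of outage durations (seconds) for DOWN/UP pairs within max_outage_s.

    Events are sorted by timestamp first, so newest-first GUI exports and chronological syslog
    are handled alike. A DOWN with no later UP (still down) is not counted as a flap.
    """
    events = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        m = IFACE_RE.search(ev.get("msg", ""))
        if ev.get("logid") != "0100020099" or not m:   # only interface status-change events
            continue
        ts = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(1), m.group(2)))
    down_at, flaps = {}, {}
    for ts, iface, state in sorted(events):
        if state == "down":
            down_at[iface] = ts
        elif iface in down_at:
            outage = (ts - down_at.pop(iface)).total_seconds()
            if outage <= max_outage_s:
                flaps.setdefault(iface, []).append(outage)
    return flaps
```

Running link_flaps over the sample reports two three-second outages on wan1 and nothing for wan2, which went down and stayed down.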

The workaround is to use port 8888 for FortiGuard. This can be changed from the GUI or the CLI.

GUI

System > FortiGuard > Filtering

Select 8888 as “FortiGuard Filtering Port”

CLI

config system fortiguard
set port 8888
end