FortiOS 5.4 Online Help Link FortiOS 5.2 Online Help Link FortiOS 5.0 Online Help Link FortiOS 4.3 Online Help Link

Home > Online Help

> Chapter 2 - Getting Started > Basic Administration > FortiGuard

FortiGuard

The FortiGuard Distribution Network (FDN) of servers provides updates to antivirus, antispam and IPS definitions to your FortiGate. Worldwide coverage of FortiGuard services is provided by FortiGuard service points. FortiGuard Subscription Services provide comprehensive Unified Threat Management (UTM) security solutions to enable protection against content and network level threats.

The FortiGuard team can be found around the globe, monitoring virus, spyware and vulnerability activities. As vulnerabilities are found, signatures are created and pushed to the subscribed FortiGates. The Global Threat Research Team enables Fortinet to deliver a combination of multi-layered security intelligence and provide true zero-day protection from new and emerging threats.The FortiGuard Network has data centers around the world located in secure, high availability locations that automatically deliver updates to the Fortinet security platforms to and protect the network with the most up-to-date information.

The FortiGuard services provide a number of services to monitor world-wide activity and provide the best possible security:

  • Intrusion Prevention System (IPS) - The FortiGuard Intrusion Prevention System (IPS) uses a customizable database of more than 4000 known threats to stop attacks that evade conventional firewall defenses. It also provides behavior-based heuristics, enabling the system to recognize threats when no signature has yet been developed. It also provides more than 1000 application identity signatures for complete application control.
  • Application Control - Application Control allows you to identify and control applications on networks and endpoints regardless of port, protocol, and IP address used. It gives you unmatched visibility and control over application traffic, even traffic from unknown applications and sources.
  • AntiVirus -The FortiGuard AntiVirus Service provides fully automated updates to ensure protection against the latest content level threats. It employs advanced virus, spyware, and heuristic detection engines to prevent both new and evolving threats from gaining access to your network and protects against vulnerabilities.
  • Web Filtering - Web Filtering provides Web URL filtering to block access to harmful, inappropriate, and dangerous web sites that may contain phishing/pharming attacks, malware such as spyware, or objectionable content that can expose your organization to legal liability. Based on automatic research tools and targeted research analysis, real-time updates enable you to apply highly-granular policies that filter web access based on 78 web content categories, over 45 million rated web sites, and more than two billion web pages - all continuously updated.
  • Vulnerability Scanning - FortiGuard Services provide comprehensive and continuous updates for vulnerabilities, remediation, patch scan, and configuration benchmarks.
  • Email Filtering - The FortiGuard Antispam Service uses both a sender IP reputation database and a spam signature database, along with sophisticated spam filtering tools on Fortinet appliances and agents, to detect and block a wide range of spam messages. Updates to the IP reputation and spam signature databases are provided continuously via the FDN.
  • Messaging Services - Messaging Services allow a secure email server to be automatically enabled on your FortiGate to send alert email or send email authentication tokens. With the SMS gateway, you can enter phone numbers where the FortiGate will send the SMS messages. Note that depending on your carrier, there may be a slight time delay on receiving messages.
  • DNS and DDNS - The FortiGuard DNS and DDNS services provide an efficient method of DNS lookups once subscribed to the FortiGuard network. This is the default option. The FortiGate connects automatically to the FortiGuard DNS server. If you do not register, you need to configure an alternate DNS server.

    Configure the DDNS server settings using the CLI commands:

config system fortiguard

set ddns-server-ip

set ddns-server-port

end

 

Support Contract and FortiGuard Subscription Services

The Support Contract and FortiGuard Subscription Services sections are displayed in abbreviated form within the License Information widget. A detailed version is available by going to System > FortiGuard.

The Support Contract area displays the availability or status of your FortiGate’s support contract. The status displays can be either Unreachable, Not Registered, or Valid Contract.

The FortiGuard Subscription Services area displays detailed information about your FortiGate’s support contract and FortiGuard subscription services. On this page, you can also manually update the antivirus and IPS engines.

The status icons for each section Indicates the state of the subscription service. The icon corresponds to the availability description.

  • Gray (Unreachable) – the FortiGate is not able to connect to service.
  • Orange (Not Registered) – the FortiGate can connect, but not subscribed.
  • Yellow (Expired) – the FortiGate had a valid license that has expired.
  • Green (Valid license) – the FortiGate can connect to FDN and has a registered support contract. If the Status icon is green, the expiry date also appears.

Verifying your Connection to FortiGuard

If you are not getting FortiGuard web filtering or antispam services, there are a few things to verify communication to the FortiGuard Distribution Network (FDN) is working. Before any troubleshooting, ensure that the FortiGate has been registered and you or your company, has subscribed to the FortiGuard services.

Verification - GUI

The simplest method to check that the FortiGate is communicating with the FDN, is to check the License Information dashboard widget. Any subscribed services should have a green check mark beside them indicating that connections are successful. Any other icon indicates a problem with the connection, or you are not subscribed to the FortiGuard services.

You can also view the FortiGuard connection status by going to System > FortiGuard.

Verification - CLI

You can also use the CLI to see what FortiGuard servers are available to your FortiGate. Use the following CLI command to ping the FDN for a connection:

ping guard.fortinet.net

 

You can also use diagnose command to find out what FortiGuard servers are available:

diagnose debug rating

 

From this command, you will see output similar to the following:

Locale : english

License : Contract

Expiration : Sun Jul 24 20:00:00 2011

Hostname : service.fortiguard.net

-=- Server List (Tue Nov 2 11:12:28 2010) -=-

 

IP Weight       RTT Flags   TZ      Packets    Curr Lost   Total Lost

69.20.236.180  0    10          -5     77200                  0                      42

69.20.236.179  0   12              -5   52514     0            34

66.117.56.42   0        32      -5     34390      0                               62

80.85.69.38    50  164        0   34430      0            11763

208.91.112.194 81  223 D   -8   42530               0           8129

216.156.209.26 286 241 DI -8   55602               0                               21555

 

An extensive list of servers are available. Should you see a list of three to five available servers, the FortiGuard servers are responding to DNS replies to service.FortiGuard.net, but the INIT requests are not reaching FDS services on the servers.

The rating flags indicate the server status:

D Indicates the server was found via the DNS lookup of the hostname. If the hostname returns more than one IP address, all of them will be flagged with 'D' and will be used first for INIT requests before falling back to the other servers.
I Indicates the server to which the last INIT request was sent
F The server has not responded to requests and is considered to have failed.
T The server is currently being timed.

The server list is sorted first by weight and then the server with the smallest RTT is put at the top of the list, regardless of weight. When a packet is lost, it will be resent to the next server in the list.

The weight for each server increases with failed packets and decreases with successful packets. To lower the possibility of using a faraway server, the weight is not allowed to dip below a base weight, which is calculated as the difference in hours between the FortiGate and the server multiplied by 10. The further away the server is, the higher its base weight and the lower in the list it will appear.

Port assignment

FortiGates contact the FortiGuard Distribution Network (FDN) for the latest list of FDN servers by sending UDP packets with typical source ports of 1027 or 1031, and destination ports of 53 or 8888. The FDN reply packets have a destination port of 1027 or 1031.

If your ISP blocks UDP packets in this port range, the FortiGate cannot receive the FDN reply packets. As a result, the FortiGate will not receive the complete FDN server list.

If your ISP blocks the lower range of UDP ports (around 1024), you can configure your FortiGate to use higher-numbered ports, using the CLI command…

config system global

set ip-src-port-range <start port>-<end port>

end

 

…where the <start port> and <end port> are numbers ranging of 1024 to 25000.

For example, you could configure the FortiGate to not use ports lower than 2048 or ports higher than the following range:

config system global

set ip-src-port-range 2048-20000

end

 

Trial and error may be required to select the best source port range. You can also contact your ISP to determine the best range to use. Push updates might be unavailable if:

  • there is a NAT device installed between the unit and the FDN
  • your unit connects to the Internet using a proxy server.

FortiCloud is a hosted security management and log retention service for FortiGate products. It gives you a centralized reporting, traffic analysis, configuration and log retention without the need for additional hardware and software.

Configuring Antivirus and IPS Options

Go to System > FortiGuard, and expand the AV and IPS Options section to configure the antivirus and IPS options for connecting and downloading definition files.

Use override server address Select to configure an override server if you cannot connect to the FDN or if your organization provides updates using their own FortiGuard server.
Allow Push Update Select to allow updates sent automatically to your FortiGate when they are available
Allow Push Update status icon The status of the FortiGate for receiving push updates:

•  Gray (Unreachable) - the FortiGate is not able to connect to push update service

•  Yellow (Not Available) - the push update service is not available with your current support license

•  Green (Available) - the push update service is allowed.
Use override push IP and Port Available only if both Use override server address and Allow Push Update are enabled.

Enter the IP address and port of the NAT device in front of your FortiGate. FDS will connect to this device when attempting to reach the FortiGate.

The NAT device must be configured to forward the FDS traffic to the FortiGate on UDP port 9443.
Schedule Updates Select this check box to enable updates to be sent to your FortiGate at a specific time. For example, to minimize traffic lag times, you can schedule the update to occur on weekends or after work hours.

Note that a schedule of once a week means any urgent updates will not be pushed until the scheduled time. However, if there is an urgent update required, select the Update Now button.
Update Now Select to manually initiate an FDN update.
Submit attack
characteristics…
(recommended)
Select to help Fortinet maintain and improve IPS signatures. The information sent to the FortiGuard servers when an attack occurs and can be used to keep the database current as variants of attacks evolve.

Manual updates

To manually update the signature definitions file, you need to first go to the Support web site at https://support.fortinet.com. Once logged in, select FortiGuard Service Updates from the Download area of the web page. The browser will present you the most current antivirus and IPS signature definitions which you can download.

Once downloaded to your computer, log into the FortiGate to load the definition file.

To load the definition file onto the FortiGate
  1. Go to System > FortiGuard.
  2. Select the Update link for either AV Definitions or IPS Definitions.
  3. Locate the downloaded file and select OK.

The upload may take a few minutes to complete.

Automatic updates

The FortiGate can be configured to request updates from the FortiGuard Distribution Network. You can configure this to be on a scheduled basis, or with push notifications.

Scheduling updates

Scheduling updates ensures that the virus and IPS definitions are downloaded to your FortiGate on a regular basis, ensuring that you do not forget to check for the definition files yourself. Note that updating definitions can cause a very short disruption in traffic currently being scanned while the FortiGate unit applies the new signature database. Schedule updates during off-peak hours, such as evenings or weekends, when network usage is minimal, ensures that the network activity will not suffer from the added traffic of downloading the definition files.

To enable scheduled updates - GUI
  1. Go to System > FortiGuard.
  2. Click the Expand Arrow for AV and IPS Options.
  3. Select the Scheduled Update check box.
  4. Select the frequency of the updates and when within that frequency.
  5. Select Apply.
To enable scheduled updates - CLI

config system autoupdate schedule

set status enable

set frequency {every | daily | weekly}

set time <hh:mm>

set day <day_of_week>

end

Push updates

Push updates enable you to get immediate updates when new virus or intrusions have been discovered and new signatures are created. This ensures that when the latest signature is available it will be sent to the FortiGate.

When a push notification occurs, the FortiGuard server sends a notice to the FortiGate that there is a new signature definition file available. The FortiGate then initiates a download of the definition file, similar to the scheduled update.

To ensure maximum security for your network, you should have a scheduled update as well as enable the push update, in case an urgent signature is created, and your cycle of the updates only occurs weekly.

To enable push updates - GUI
  1. Go to System > FortiGuard.
  2. Click the Expand Arrow for AV and IPS Options.
  3. Select Allow Push Update.
  4. Select Apply.
To enable push updates - CLI

config system autoupdate push-update

set status enable

end

Push IP override

If the FortiGate is behind another NAT device (or another FortiGate), to ensure it receives the push update notifications, you need to use an override IP address for the notifications. To do this, you create a virtual IP to map to the external port of the NAT device.

Generally speaking, if there are two FortiGate devices as in the diagram below, the following steps need to be completed on the FortiGate NAT device to ensure the FortiGate on the internal network receives the updates:

  • Add a port forwarding virtual IP to the FortiGate NAT device that connects to the Internet by going to Firewall Objects > Virtual IP.
  • Add a security policy to the FortiGate NAT device that connects to the Internet that includes the port forwarding virtual IP.
  • Configure the FortiGate on the internal network with an override push IP and port.

On the FortiGate internal device, the virtual IP is entered as the Use push override IP address.

To enable push update override- GUI
  1. Go to System > FortiGuard.
  2. Under AntiVirus & IPS Updates, enable Accept Push Updates.
  3. Enable Use override push.
  4. Enter the virtual IP address configured on the NAT device.
  5. Select Apply.
To enable push updates - CLI

config system autoupdate push-update

set status enable

set override enable

set address <vip_address>

end

Configuring Web Filtering and Email Filtering Options

Go to System > FortiGuard, and expand arrow to view Web Filtering and Email Filtering Options for setting the size of the caches and ports used.

Web Filter cache TTL Set the Time To Live value. This is the number of seconds the FortiGate will store a blocked IP or URL locally, saving time and network access traffic, checking the FortiGuard server. Once the TTL has expired, the FortiGate will contact an FDN server to verify a web address. The TTL must be between 300 and 86400 seconds.
Antispam cache TTL Set the Time To Live value. This is the number of seconds the FortiGate will store a blocked IP or URL locally, saving time and network access traffic, checking the FortiGuard server. Once the TTL has expired, the FortiGate will contact an FDN server to verify a web address. The TTL must be between 300 and 86400 seconds.
Port Section Select the port assignments for contacting the FortiGuard servers. Select the Test Availability button to verify the connection using the selected port.
To have a URL's category rating re-evaluated, please click here Select to re-evaluate a URL’s category rating on the FortiGuard Web Filter service.

Email filtering

The FortiGuard data centers monitor and update email databases of known spam sources. With FortiGuard Anti-Spam filtering enabled, the FortiGate verifies incoming email sender address and IPs against the database, and take the necessary action as defined within the antivirus profiles.

Spam source IP addresses can also be cached locally on the FortiGate, providing a quicker response time, while easing load on the FortiGuard servers, aiding in a quicker response time for less common email address requests.

By default, the antispam cache is enabled. The cache includes a time-to-live (TTL) value, which is the amount of time an email address will stay in the cache before expiring. You can change this value to shorten or extend the time between 5 and 1,440 minutes.

To modify the antispam cache TTL - GUI
  1. Go to System > FortiGuard.
  2. Under Filtering, enable Anti-Spam Cache.
  3. Enter the TTL value in minutes.
  4. Select Apply.
To modify the Anti-Spam filter TTL - CLI

config system fortiguard

set antispam-cache-ttl <integer>

end

 

Further antispam filtering options can be configured to block, allow or quarantine, specific email addresses. These configurations are available through the Security Profiles > Antispam menu. For more information, see the Security Profiles handbookchapter.

Online Security Tools

The FortiGuard online center provides a number of online security tools that enable you to verify or check ratings of web sites, email addresses as well as check file for viruses:

  • URL lookup - By entering a web site address, you can see if it has been rated and what category and classification it is filed as. If you find your web site or a site you commonly go to has been wrongly categorized, you can use this page to request that the site be re-evaluated.
    https://fortiguard.com/webfilter
  • IP and signature lookup - The IP and signature lookup enables you to check whether an IP address is blacklisted in the FortiGuard IP reputation database or whether a URL or email address is in the signature database.
    https://fortiguard.com/webfilter
  • Online virus scanner - If you discover a suspicious file on your machine, or suspect that a program you downloaded from the Internet might be malicious you can scan it using the FortiGuard online scanner. The questionable file can be uploaded from your computer to a dedicated server where it will be scanned using FortiClient Antivirus. Only one file of up to 1 MB can be checked at any one time. All files will be forwarded to our research labs for analysis.
    https://fortiguard.com/virusscanner
  • Malware removal tools - FortiGuard Labs developed and maintains tools to disable and remove the specific malware and related variants. Some tools have been developed to remove specific malware, often tough to remove. A universal cleaning tool, FortiCleanup, is also available for download.
    The FortiCleanup is a tool developed to identify and cleanse systems of malicious rootkit files and their associated malware. Rootkits consist of code installed on a system with kernel level privileges, often used to hide malicious files, keylog and thwart detection / security techniques. The aim of this tool is to reduce the effectiveness of such malware by finding and eliminating rootkits. The tool offers a quick memory scan as well as a full system scan. FortiCleanup will not only remove malicious files, but also can cleanse registry entries, kernel module patches, and other tricks commonly used by rootkits - such as SSDT hooks and process enumeration hiding.
    A license to use these applications is provided free of charge, courtesy of Fortinet.
    https://fortiguard.com/malwareremoval