
Chapter 10 - Fortinet Communication Ports and Protocols

FortiGuard

FortiGuard services are purchased and registered to your FortiGate unit. The FortiGate must have Internet access so that it can reach the FortiGuard Distribution Network (FDN) to validate its license and download updates.

The FortiGuard subscription update services include:

  • AntiVirus (AV)
  • Intrusion Protection Service (IPS)
  • Application Control
  • Anti-Spam
  • Web Filtering
  • Web Application Firewall (WAF)

When a FortiGuard AntiVirus or IPS update becomes available, the FDN notifies the FortiGate with a push message sent to the FortiGate on UDP/9443. Because this message originates at the FDN, any firewall or NAT device in front of the FortiGate must allow it in for push updates to work; scheduled updates are pulled by the FortiGate and do not depend on it.

Enabling FDN updates and FortiGuard Services

To receive FortiGuard subscription updates, the unit needs Internet access and a reachable DNS server so that it can resolve the following hostnames:

  • update.fortiguard.net: for AV and IPS updates
  • service.fortiguard.net: for web filtering and anti-spam rating queries

To enable scheduled updates:

  1. Go to System > FortiGuard. Under AntiVirus & IPS Updates, enable Scheduled Updates and configure an update schedule.
  2. Once the schedule has been enabled, select Apply.
  3. To force the unit to contact the AV/IPS update server immediately, select Update AV & IPS Definitions.
  4. Check your subscription details in the License Information table above.

To check that the service is reachable, open the CLI console and enter the following commands.

For Web Filtering:

diagnose debug rating

For Anti-Spam:

diag spamfilter fortishield servers

If only one or two server IPs are displayed in the output, the cause is usually one of the following:

  • No response from the DNS server: either the DNS server is unreachable or there is a routing problem. Confirm that the DNS server can be reached by resolving a few hostnames from the CLI (ping takes a hostname, not a URL), for example:

exec ping www.google.com

exec ping service.fortiguard.net

  • Update errors: show the result of the last update, enable debug output for the update daemon, and force an update:

diag test update info

diag debug enable

diag debug application update 255

exec update-ase

exec update-av

exec update-ips

After troubleshooting, turn debug mode off again, since the update daemon otherwise keeps logging at the verbose level:

diag debug disable

diag debug application update 0

  • FortiGuard web filtering: port blocking or packet inspection on the path between the FortiGate and FortiGuard. By default, FortiGuard web filtering and anti-spam rating queries use port 53, but they are not DNS, so a device that inspects port 53 traffic for DNS conformance will drop them.

You can either change the FortiGuard port to 8888 from the GUI, or change the source port range used for management traffic with the following CLI command:

config system global

set ip-src-port-range 1035-25000

end

After changing the port, restart the URL filter and SMTP (anti-spam) daemons so that they pick up the new setting:

diag test application urlfilter 99

diag test application smtp 99
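The failure mode described in the web filtering bullet above, as an added illustration that is not part of the original page: the checks below approximate what a DNS-inspecting firewall applies to a UDP/53 datagram (RFC 1035 header and question section). A datagram that merely borrows port 53 has none of that structure and fails at the first check, while a real query for service.fortiguard.net passes. The validation is generic DNS conformance and does not decode or model the FortiGuard protocol; the opaque sample datagram is constructed for this example and is not the FortiGuard wire format.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// LooksLikeDNSQuery applies the structural checks a DNS-aware firewall typically
// makes on a UDP/53 payload (RFC 1035 header and question section). It returns nil
// for a well-formed query and an error naming the first violation otherwise. A
// payload that merely borrows port 53 has none of this structure and is rejected.
func LooksLikeDNSQuery(p []byte) error {
	if len(p) < 12 {
		return errors.New("shorter than the 12-byte DNS header")
	}
	flags := binary.BigEndian.Uint16(p[2:4])
	if flags&0x8000 != 0 {
		return errors.New("QR bit set: a response, not a query")
	}
	if op := (flags >> 11) & 0xF; op > 2 {
		return fmt.Errorf("reserved opcode %d", op)
	}
	if flags&0x0070 != 0 {
		return errors.New("reserved Z bits set")
	}
	qd := binary.BigEndian.Uint16(p[4:6])
	if qd == 0 {
		return errors.New("QDCOUNT is zero")
	}
	off := 12
	for i := 0; i < int(qd); i++ {
		next, err := skipName(p, off)
		if err != nil {
			return err
		}
		if next+4 > len(p) {
			return errors.New("truncated QTYPE/QCLASS")
		}
		if qclass := binary.BigEndian.Uint16(p[next+2 : next+4]); qclass != 1 && qclass != 255 {
			return fmt.Errorf("unexpected QCLASS %d", qclass)
		}
		off = next + 4
	}
	return nil
}

// skipName walks an uncompressed QNAME starting at off and returns the offset just
// past its terminating zero label, enforcing the 63-byte label and 255-byte name limits.
func skipName(p []byte, off int) (int, error) {
	total := 0
	for {
		if off >= len(p) {
			return 0, errors.New("truncated QNAME")
		}
		l := int(p[off])
		switch {
		case l == 0:
			return off + 1, nil
		case l&0xC0 != 0:
			return 0, errors.New("compression pointer or reserved label type in question name")
		case l > 63:
			return 0, errors.New("label longer than 63 bytes")
		}
		if total += l + 1; total > 255 {
			return 0, errors.New("name longer than 255 bytes")
		}
		off += 1 + l
	}
}

// BuildAQuery encodes a standard recursive A query for name; it exists only to build
// sample input for the check above.
func BuildAQuery(id uint16, name string) []byte {
	q := make([]byte, 12)
	binary.BigEndian.PutUint16(q[0:2], id)
	binary.BigEndian.PutUint16(q[2:4], 0x0100) // RD set, QR/opcode/Z zero
	binary.BigEndian.PutUint16(q[4:6], 1)      // QDCOUNT = 1
	start := 0
	for i := 0; i <= len(name); i++ {
		if i == len(name) || name[i] == '.' {
			q = append(q, byte(i-start))
			q = append(q, name[start:i]...)
			start = i + 1
		}
	}
	return append(q, 0, 0, 1, 0, 1) // root label, QTYPE A, QCLASS IN
}

// OpaquePayload is a constructed, arbitrary byte string standing in for a non-DNS
// datagram sent to port 53; it is not the FortiGuard wire format.
var OpaquePayload = []byte{0xd3, 0x7a, 0x9e, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0x10, 0x42, 0x19, 0x77, 0x5c}

func main() {
	fmt.Println("DNS query for service.fortiguard.net:", LooksLikeDNSQuery(BuildAQuery(0x1234, "service.fortiguard.net")))
	fmt.Println("opaque datagram on port 53:", LooksLikeDNSQuery(OpaquePayload))
}
```

Switching the FortiGuard port to 8888 takes the rating traffic out of the inspector's DNS path entirely; if the upstream device exposes its DNS-conformance rules, expect them to resemble the checks above.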

Submission of Malware statistics to FortiGuard

The FortiGate periodically sends encrypted statistics about the malware it encounters to FortiGuard. These range from the IP address and serial number of the FortiGate and the country in which it is located to malware statistics such as the protocol in which the malware was detected. Once the statistics are consolidated and the IP address and serial number are discarded, the data is used to generate the FortiGuard Threat Map.

Statistics are also sent for AntiVirus (AV), IPS and Application Control events, and are used to improve future performance of scanning on the FortiGate.

For example, the growing number of AV signatures can reduce FortiGate throughput while AV scanning is enabled. AV statistics show which signatures are actively protecting customer environments; those signatures are kept in an "Active AV Signature Database" that is used by all Fortinet products. Inactive signatures are moved to an "Extended/Extreme AV Signature Database" used by medium and high-end models, which have the processing power to scan with them. If an inactive signature triggers again on one of those models, it can be moved back to the "Active AV Signature Database", so that all models are again protected from the old malware that has resurfaced.

The communication between the FortiGate and FortiGuard is encrypted with SSL/TLS 1.2 over port 443. The two sides authenticate each other: each presents a certificate signed by the Fortinet CA, and each accepts only certificates that chain to that CA. Statistics are accumulated and sent periodically (by default every 60 minutes).


Please note that the submission of such information is in accordance with the “Automatically-Collected Information” detailed in the Fortinet Privacy Policy, and the purpose of such collection is outlined in the “Use of your Information” section of the aforementioned privacy policy.

Apart from the FortiGate IP address and serial number, which are discarded once the statistics are consolidated, the submissions contain no sensitive or personal information; only malware statistics are sent.

All statistics collected from the FortiGate in this manner are handled properly and only used to improve the performance of the FortiGate services. The information is not used for any other purpose, used outside of Fortinet, or shared or made available with any third-parties.

To enable, disable, and/or customize how often statistics are sent to FortiGuard, use the following command:

CLI syntax

config system global

set fds-statistics {enable | disable}

set fds-statistics-period <minutes>

end

 

In addition to the secure submission of statistics to FortiGuard, other mechanisms prevent a FortiGate from accepting updates from anyone other than FortiGuard:

  • The FortiGate authenticates the server certificate and trusts only Fortinet's root certificate.
  • Proprietary encryption (including FCP, an application-level proprietary protocol) that only Fortinet's own servers and devices can produce.

A FortiGate accepts data only from Fortinet's own list of servers, although that list can be updated by a server the FortiGate has already connected to. DNS is used only to locate the initial server; the addresses of all other servers come from a list delivered over the SSL-protected channel, so the FortiGate accepts data only from servers on that list. Of these controls, it is the certificate check against the Fortinet root that establishes trust; the proprietary protocol adds obscurity rather than a second, independent authentication.
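The trust model of the two passages above (the statistics channel on TLS 1.2 with certificates signed by the Fortinet CA, and the update channel that trusts only Fortinet's root certificate) can be reproduced with a private PKI. The following Go program is an added example, not Fortinet code and not the FCP protocol: it generates a throwaway root, issues a collector (server) certificate and a device (client) certificate under it, and runs a mutually authenticated TLS 1.2 handshake over loopback in which each side trusts only that root and never consults the system trust store. A certificate issued by a different root is rejected in either direction. The hostname stats.fds.example, the device name fgt-example-serial and the root names are placeholders chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const serverName = "stats.fds.example" // hypothetical collector name, not a Fortinet host

// issue generates a P-256 key and a certificate for cn, signed by parent (self-signed
// when parent is nil). CA certificates get the CertSign usage; every cert gets a SAN.
func issue(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:              []string{cn},
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signerCert, signerKey := tmpl, any(key)
	if parent != nil {
		signerCert, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// NewPKI returns a root plus a collector (server) and a device (client) certificate under it.
func NewPKI(rootCN string) (root, server, client tls.Certificate) {
	root = issue(rootCN, true, nil)
	return root, issue(serverName, false, &root), issue("fgt-example-serial", false, &root)
}

// Handshake performs one mutually authenticated TLS 1.2 handshake over loopback. The
// server admits only clients chaining to root; the client accepts only a server chaining
// to root and carrying serverName. System roots are never consulted, so a certificate from
// any other CA on either side aborts the handshake. It returns the verified server CN.
func Handshake(root *x509.Certificate, srv, cli tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root) // the single trust anchor, shared by both sides
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{srv},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // collector side: drive the handshake, which verifies the device certificate
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs:      pool,
		ServerName:   serverName,
		Certificates: []tls.Certificate{cli},
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12, // pin the version the page describes
	})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	root, srv, cli := NewPKI("Example Root CA")
	_, rogueSrv, rogueCli := NewPKI("Rogue Root CA")
	fmt.Println(Handshake(root.Leaf, srv, cli))      // stats.fds.example <nil>
	fmt.Println(Handshake(root.Leaf, rogueSrv, cli)) // "" and an unknown-authority error
	fmt.Println(Handshake(root.Leaf, srv, rogueCli)) // "" and a bad-certificate error
}
```

The two failing cases are the ones the page's controls are meant to rule out: a server that is not under the trusted root (a spoofed update or statistics server) and a device that is not under it (an unauthorised client). Leaving RootCAs and ClientCAs unset would silently fall back to the system trust store and undo the pinning, which is the mistake to watch for when reproducing this pattern.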

CLI Syntax

The following section contains commands to control FortiGuard.

system.autoupdate/push-update

The following command sets the port on which the FortiGate listens for FDN push-update notices (UDP/9443 by default, as described above). This setting is global, so it has no edit entry.

config system autoupdate push-update

set port <integer>

end

system.autoupdate/tunneling

The following command sets the proxy server port that the FortiGate uses when it tunnels through a proxy to reach the FortiGuard Distribution Network (FDN).

config system autoupdate tunneling

set port <integer>

end

system/fortiguard

The following command sets the port used for FortiGuard web filtering and anti-spam rating queries (the port discussed under troubleshooting above; 8888 avoids DNS inspection of port 53).

config system fortiguard

set port [53 | 8888 | 80]

end

webfilter/fortiguard

The following command closes the ports used for HTTPS/HTTP override authentication and disables user overrides:

config webfilter fortiguard

set close-ports [enable | disable]

end